沉思录：垫脚石

沉思录：垫脚石

荣耀 2003

新技术往往以老技术为“垫脚石”。.NET之于COM，就是如此。

假如你已安装.NET Framework，系统目录中（可能是C:\Winnt\System32）会有一个mscoree.dll，它就是微软.NET运行时执行引擎（.NET Runtime Execution Engine），其重要性不言而喻—“Sharpei”病毒就是通过查找它来确定计算机是否安装了.NET。

让我们来观察观察这个dll到底都导出了些啥：

C:\WINNT\system32>dumpbin /exports mscoree.dll

Dump of file mscoree.dll

File Type: DLL

Section contains the following exports for mscoree.dll

00000000 characteristics

3C368FBE time date stamp Sat Jan 05 13:31:42 2002

0.00 version

17 ordinal base

100 number of functions

94 number of names

ordinal hint RVA name

36 0 0001161E CallFunctionShim

21 1 000108E2 CloseCtrs

37 2 0000B998 ClrCreateManagedInstance

38 3 00011163 CoEEShutDownCOM

39 4 0000B7C7 CoInitializeCor

40 5 00010CA1 CoInitializeEE

24 6 00011372 CoLogCurrentStack

41 7 00010D41 CoUninitializeCor

42 8 00010CF3 CoUninitializeEE

25 9 000108D8 CollectCtrs

43 A 0000A8B0 CorBindToCurrentRuntime

44 B 000118A9 CorBindToRuntime

45 C 000108FF CorBindToRuntimeByCfg

46 D 0000FA0E CorBindToRuntimeByPath

47 E 00011826 CorBindToRuntimeEx

48 F 0000B9F9 CorBindToRuntimeHost

49 10 0000B25B CorExitProcess

50 11 00011320 CorMarkThreadInThreadPool

51 12 00008C2E CreateConfigStream

52 13 0000B2AB DllCanUnloadNow

53 14 00007F2A DllGetClassObject

54 15 00011678 DllRegisterServer

55 16 00010BE9 DllUnregisterServer

26 17 0000FA42 EEDllGetClassObjectFromClass

56 18 0001156A EEDllRegisterServer

57 19 000115C0 EEDllUnregisterServer

58 1A 000023AC GetAssemblyMDImport

59 1B 0000B2F4 GetCORRequiredVersion

60 1C 00002290 GetCORSystemDirectory

61 1D 000092A1 GetCORVersion

62 1E 0001111A GetCompileInfo

27 1F 00011513 GetGlobalContextsPerfCounters

63 20 00010054 GetHashFromAssemblyFile

64 21 000100BC GetHashFromAssemblyFileW

65 22 00010246 GetHashFromBlob

66 23 00010125 GetHashFromFile

67 24 00010184 GetHashFromFileW

68 25 000101E5 GetHashFromHandle

69 26 0000B818 GetHostConfigurationFile

70 27 00010E6B GetMetaDataInternalInterface

71 28 00010DFB GetMetaDataInternalInterfaceFromPublic

72 29 00010D8A GetMetaDataPublicInterfaceFromInternal

73 2A 000110B0 GetPermissionRequests

28 2B 000114BA GetPrivateContextsPerfCounters

74 2C 0001099D GetRealProcAddress

29 2D 0000B7C1 GetStartupFlags

75 2E 000122CE GetXMLElement

76 2F 000122D6 GetXMLElementAttribute

77 30 00005BE8 GetXMLObject

78 31 0000B8CC LoadLibraryShim

79 32 00011848 LoadLibraryWithPolicyShim

30 33 000113C6 LogHelp_LogAssert

31 34 0001141A LogHelp_NoGuiOnAssert

32 35 0001146A LogHelp_TerminateOnAssert

80 36 00010C44 MetaDataGetDispenser

81 37 0000FB96 ND_CopyObjDst

82 38 0000FB6E ND_CopyObjSrc

83 39 0000B977 ND_RI2

84 3A 0000B988 ND_RI4

85 3B 0000FB18 ND_RI8

86 3C 0000B8A8 ND_RU1

87 3D 0000FB2C ND_WI2

88 3E 0000FB41 ND_WI4

89 3F 0000FB54 ND_WI8

90 40 0000B8B9 ND_WU1

33 41 0001077E OpenCtrs

34 42 0000FA4A ReleaseFusionInterfaces

91 43 000109DE RunDll32ShimW

35 44 00011269 RuntimeImageType

92 45 000112C1 RuntimeOSHandle

93 46 000111A8 RuntimeOpenImage

94 47 00011209 RuntimeReleaseHandle

95 48 0000FF3D StrongNameCompareAssemblies

96 49 0000B3C0 StrongNameErrorInfo

97 4A 0000220F StrongNameFreeBuffer

98 4B 0000FCC8 StrongNameGetPublicKey

99 4C 0000FFA0 StrongNameHashSize

100 4D 0000FC75 StrongNameKeyDelete

101 4E 0000FBBE StrongNameKeyGen

102 4F 0000FC19 StrongNameKeyInstall

103 50 0000FD2B StrongNameSignatureGeneration

104 51 0000FFF7 StrongNameSignatureSize

105 52 0000B35B StrongNameSignatureVerification

106 53 0000FE62 StrongNameSignatureVerificationEx

107 54 0000FECA StrongNameSignatureVerificationFromImage

108 55 0000FD96 StrongNameTokenFromAssembly

109 56 0000FDF8 StrongNameTokenFromAssemblyEx

110 57 00002175 StrongNameTokenFromPublicKey

111 58 00011041 TranslateSecurityAttributes

112 59 00002064 _CorDllMain

114 5A 0000B865 _CorExeMain

113 5B 000116EE _CorExeMain2

115 5C 0001077B _CorImageUnloading

116 5D 00011739 _CorValidateImage

17 00010ED5 [NONAME]

18 00010F0C [NONAME]

19 00010F4E [NONAME]

20 00010F84 [NONAME]

22 00010FB6 [NONAME]

23 00010FFD [NONAME]

Summary

3000 .data

2000 .reloc

1000 .rsrc

1A000 .text

你注意到那些蓝颜色文字了吗？.NET运行时执行引擎是一个COM组件。

执行下面命令试试，可以进一步证实这个事实：

regsvr32 C:\WINNT\system32\mscoree.dll

假如你来了兴趣，不妨探究探究另外一些.NET dll的庐山真面目（我并没有暗示它们都是COM组件）。

仅为说明一个简单道理，是犯不着列出一大滩dump信息的，我还想顺带例证一个道理：学问来自于认真细心。

“Be careful”。

－完－

• 未来我们可以和性爱机器人结婚吗？
  探索
• 什么是脂肪粒？如何消除脸部脂肪粒？
  女性
• 五个症状提醒你免疫力在下降了
  健康
• 韩式辣椒酱爆伍丁(图)－西餐菜谱
  美食
• 国庆节搞笑祝福短信
  干货
• 女子体内爬出大量瓜子状活虫
  百态

• ·由实例计数器引出（C#）
• ·MySQL索引分析和优化
• ·在Java2环境中应用IP地址封装对象
• ·C99风格Hello,World演示
• ·openssl之BIO系列之20---缓冲（b
• ·利用BCB编写具有"磁性"
• ·实现网络蚂蚁的实时监视剪贴板功能
• ·帮你免于失业的十大软件技术
• ·Write Your Own Operatin
• ·Write Your Own Operatin