I came across this key logger online and was wondering what the following piece of code actually does. There are 2 lodsd commands in succession and that confuses me. And also what is the purpose of the or command there? Full code can be found at: http://www.rohitab.com/discuss/topic/21205-asm-keylogger-in-4k-d/
Here is the code excerpt (line 295 onwards):
get_name_of_key: ; no need for large table of pointers to get asciiz
mov esi, [lParam] ; esi -> KBDLLHOOKSTRUCT (vkCode, scanCode, flags, time, dwExtraInfo)
lodsd ; skip virtual key code
lodsd ; eax = scancode
shl eax, 16 ; scancode into bits 16-23, where GetKeyNameText expects it
xchg eax, ecx ; ecx = scancode << 16
lodsd ; extended key info (flags dword)
shl eax, 24 ; LLKHF_EXTENDED (bit 0) lands in bit 24
or ecx, eax ; ecx = (scancode << 16) | (flags << 24)
push 32 ; cchSize: room for 32 characters
lea edi, [lpCharBuf]
push edi ; lpString: output buffer
push ecx ; lParam: packed scancode / extended-key bits
call GetKeyNameTextA ; get the key text
LODSD loads a dword from whatever ESI points to into EAX and then increments ESI by 4 (pointing to the next dword). You're viewing the low level keyboard hook callback; according to MSDN a call to the callback will put a pointer to a KBDLLHOOKSTRUCT in lParam, and the MOV ESI,[lParam] puts that pointer in ESI for later use by LODSD.
The structure contains the Virtual Keycode, followed by the scan code, some flags, a timestamp and a pointer to extra info, each one DWORD long. So the first LODSD reads the vkcode into EAX, the next reads the scan code into (and overwriting) EAX. It then shifts the scancode from bits 0-7 to bits 16-23 for later use by GetKeyNameText. EAX and ECX are then swapped. The next LODSD reads the flags associated with the key press; the flag that indicates whether an extended key (Fxx or keys from the numpad, etc.) was pressed is at bit 0, and it and the other bits are shifted to bit 24 and beyond, filling the lower bits with 0. The OR then does a binary OR of the scancode at bits 16-23 in ECX and the extended key flag at bit 24 in EAX, combining all bits into ECX. (Binary OR sets each bit to 1 when either or both source bits are set to 1, otherwise 0.) That information is then passed to GetKeyNameText to get a text representation of the key pressed, like CAPSLOCK or LEFT SHIFT, in the 32 byte character buffer.
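To make the register trace in the answer concrete, here is an added C example (not code from the thread or from the linked project) that replays the same instruction sequence against a constructed, little-endian byte image of a 32-bit KBDLLHOOKSTRUCT. The struct mirror and the LLKHF_EXTENDED / LLKHF_UP values follow MSDN; the emulated lodsd, build_key_name_lparam, serialise_hookstruct, expected_lparam and lparam_for helpers are assumptions of this example. It stops at computing the packed lParam value and calls no Windows API, so it runs on any platform and is only useful for following what the disassembly does with each dword.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed mirror of the 32-bit KBDLLHOOKSTRUCT layout the answer
 * describes (five consecutive DWORDs); field names follow MSDN. No Windows
 * headers are used, so the register trace can be run on any platform. */
typedef struct {
    uint32_t vkCode;      /* +0  virtual-key code                    */
    uint32_t scanCode;    /* +4  hardware scan code                  */
    uint32_t flags;       /* +8  LLKHF_* flags                       */
    uint32_t time;        /* +12 message timestamp                   */
    uint32_t dwExtraInfo; /* +16 extra info (a DWORD on 32-bit x86)  */
} kbdllhookstruct32_t;

#define LLKHF_EXTENDED 0x01u  /* bit 0: extended key (numpad, nav keys, ...) */
#define LLKHF_UP       0x80u  /* bit 7: key-up transition                   */

/* Emulated LODSD: load the little-endian dword at *esi into "eax" and
 * advance *esi by 4, exactly what the instruction does. */
static uint32_t lodsd(const uint8_t **esi)
{
    const uint8_t *p = *esi;
    uint32_t eax = (uint32_t)p[0] | ((uint32_t)p[1] << 8)
                 | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    *esi = p + 4;
    return eax;
}

/* Instruction-for-instruction rendering of the asm in the question.
 * Returns the value that ends up in ECX and is pushed as the lParam
 * argument of GetKeyNameTextA. */
uint32_t build_key_name_lparam(const uint8_t *hookstruct)
{
    const uint8_t *esi = hookstruct;   /* mov esi, [lParam]                 */
    uint32_t eax, ecx;

    (void)lodsd(&esi);                 /* lodsd ; skip virtual key code     */
    eax = lodsd(&esi);                 /* lodsd ; eax = scancode            */
    eax <<= 16;                        /* shl eax, 16 ; scancode -> 16..23  */
    ecx = eax;                         /* xchg eax, ecx (old ecx is unused) */
    eax = lodsd(&esi);                 /* lodsd ; extended key info (flags) */
    eax <<= 24;                        /* shl eax, 24 ; bit 0 -> bit 24,
                                          flag bits 8 and up fall off      */
    ecx |= eax;                        /* or ecx, eax                       */
    return ecx;
}

/* Serialise a constructed struct into the little-endian byte image that
 * lParam points at inside the hook callback. */
void serialise_hookstruct(const kbdllhookstruct32_t *s, uint8_t out[20])
{
    const uint32_t fields[5] = { s->vkCode, s->scanCode, s->flags,
                                 s->time, s->dwExtraInfo };
    for (size_t i = 0; i < 5; i++) {
        out[i * 4 + 0] = (uint8_t)(fields[i] & 0xFF);
        out[i * 4 + 1] = (uint8_t)((fields[i] >> 8) & 0xFF);
        out[i * 4 + 2] = (uint8_t)((fields[i] >> 16) & 0xFF);
        out[i * 4 + 3] = (uint8_t)((fields[i] >> 24) & 0xFF);
    }
}

/* Plain-arithmetic reference the register trace must agree with. */
uint32_t expected_lparam(uint32_t scanCode, uint32_t flags)
{
    return (scanCode << 16) | (flags << 24);
}

/* Build a constructed event and run the trace on it. */
uint32_t lparam_for(uint32_t vkCode, uint32_t scanCode, uint32_t flags)
{
    /* time and dwExtraInfo are constructed filler; the asm never reads them. */
    kbdllhookstruct32_t ev = { vkCode, scanCode, flags, 0x12345678u, 0u };
    uint8_t image[20];
    serialise_hookstruct(&ev, image);
    return build_key_name_lparam(image);
}

int main(void)
{
    /* Constructed sample events (illustrative values, not captured input). */
    struct { const char *name; uint32_t vk, sc, fl; } samples[] = {
        { "main Enter",   0x0D, 0x1C, 0 },
        { "numpad Enter", 0x0D, 0x1C, LLKHF_EXTENDED },
        { "Caps Lock up", 0x14, 0x3A, LLKHF_UP },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t got = lparam_for(samples[i].vk, samples[i].sc, samples[i].fl);
        printf("%-12s scan=0x%02X flags=0x%02X -> lParam=0x%08X (ref 0x%08X)\n",
               samples[i].name, samples[i].sc, samples[i].fl,
               got, expected_lparam(samples[i].sc, samples[i].fl));
    }
    return 0;
}
```

The two Enter samples show why the extended bit matters: both keys share scan code 0x1C, and only the flag moved into bit 24 lets GetKeyNameText distinguish the numpad key from the main one. The Caps Lock sample shows the side effect the answer mentions, that every other flag bit is shifted along as well (LLKHF_UP ends up in bit 31).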