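#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <excpt.h>
#include <tchar.h>

/*
 * Demo: plant an INT3 (0xCC) on the first byte of user32!MessageBoxA, let the
 * resulting EXCEPTION_BREAKPOINT reach a frame-based SEH handler, restore the
 * original byte there and call MessageBoxA again.
 *
 * Caveats for anyone reusing this snippet:
 *  - SEH is frame-based: the handler only sees exceptions raised while the
 *    __try frame is on the stack, which is why the patched call is made from
 *    inside the block.
 *  - If a debugger is attached it receives the breakpoint first; the handler
 *    below only runs when the debugger passes the exception on.
 *  - The patch is process-wide: any other thread calling MessageBoxA while
 *    the 0xCC is in place also hits the breakpoint (without this handler it
 *    crashes). Keep the window between patch and restore as small as possible.
 *  - The inline assembly is 32-bit MSVC only; it is guarded so the file still
 *    builds for x64.
 */

/*
 * Overwrite one byte at addr with value.
 *
 * Temporarily makes the page writable, writes the byte, restores the previous
 * protection and flushes the instruction cache so the CPU sees the new code.
 * Returns TRUE on success, FALSE if any step failed (on failure the byte is
 * either untouched or the page protection may not have been restored).
 */
static BOOL patch_byte(PBYTE addr, BYTE value)
{
    DWORD oldProtect = 0;
    DWORD ignored = 0;

    if (!VirtualProtect(addr, 1, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        return FALSE;
    }
    *addr = value;
    /* lpflOldProtect is mandatory: passing NULL makes VirtualProtect fail and
     * would silently leave the page RWX (the original code did exactly that). */
    BOOL restored = VirtualProtect(addr, 1, oldProtect, &ignored);
    FlushInstructionCache(GetCurrentProcess(), addr, 1);
    return restored;
}

int main(int argc, char* argv[])
{
    (void)argc;
    (void)argv;

    /* Eleven bytes of x86 code plus a terminating zero (the original was a
     * string literal written with \x escapes). They decode to
     *   66 B8 01 20   mov ax, 0x2001
     *   66 BA 04 10   mov dx, 0x1004
     *   66 EF         out dx, ax
     *   C3            ret
     * i.e. a 16-bit port write. This program only prints the bytes; nothing
     * here executes or references the buffer as code. */
    static const BYTE shellcode[12] = {
        0x66, 0xB8, 0x01, 0x20, 0x66, 0xBA, 0x04, 0x10, 0x66, 0xEF, 0xC3, 0x00
    };
    for (size_t i = 0; i < sizeof(shellcode); ++i) {
        printf("%04d,0x%02X ", shellcode[i], shellcode[i]);
    }

    /* SEH handlers catch exceptions on the stack (frame-based), which makes
     * them fairly limited compared with a vectored handler. */
    BYTE oldByte = 0;
    PBYTE pAddr = NULL;

#if defined(_M_IX86)
    /* No-op instructions; presumably markers for finding this spot in a
     * disassembler. They have no effect on behaviour. */
    _asm mov ebx, ebx
    _asm push eax
    _asm pop eax
    _asm mov eax, eax
#endif

    /* Resolve and patch the target before entering the __try block so that a
     * failure here is reported as such instead of being mistaken for the
     * planted breakpoint. */
    HMODULE hMod = LoadLibrary(_T("user32.dll"));
    if (hMod == NULL) {
        printf("LoadLibrary(user32.dll) failed: %lu\n", GetLastError());
        return 1;
    }
    /* GetProcAddress takes an ANSI name (LPCSTR) regardless of UNICODE, so
     * _T() must not be used for the symbol name. */
    pAddr = (PBYTE)GetProcAddress(hMod, "MessageBoxA");
    if (pAddr == NULL) {
        printf("GetProcAddress(MessageBoxA) failed: %lu\n", GetLastError());
        return 1;
    }
    oldByte = *pAddr;
    printf("pAddr:%p ", (void *)pAddr);
    printf("oldByte:%02d ", oldByte);

    if (!patch_byte(pAddr, 0xCC)) {
        printf("patching MessageBoxA failed: %lu\n", GetLastError());
        return 1;
    }

    __try {
#if defined(_M_IX86)
        _asm mov eax, eax
        _asm mov eax, eax
        _asm mov eax, eax
        _asm mov eax, eax
#endif
        /* Executes the planted INT3 -> EXCEPTION_BREAKPOINT -> handler below. */
        MessageBoxA(NULL, "Test", "Test", MB_OK);
    }
    /* Only take breakpoint exceptions. Anything else (access violation, ...)
     * is passed on to the next handler instead of being swallowed, so a real
     * crash is not masked as "exception handled". */
    __except (GetExceptionCode() == EXCEPTION_BREAKPOINT
                  ? EXCEPTION_EXECUTE_HANDLER
                  : EXCEPTION_CONTINUE_SEARCH) {
        MessageBoxW(NULL, L"接管异常", L"异常处理", MB_OK);
        /* Put the original first byte back, then re-issue the call that the
         * breakpoint interrupted. */
        if (!patch_byte(pAddr, oldByte)) {
            printf("restoring MessageBoxA failed: %lu\n", GetLastError());
            return 1;
        }
        MessageBoxA(NULL, "Test", "Test", MB_OK);
    }

    /* system() spawns cmd.exe; acceptable for an interactive demo only. */
    system("pause");
    return 0;
}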