a (Assemble)
The a command assembles instruction mnemonics and writes the resulting instruction bytes into memory.
If no address is given, assembly starts at the address held in the instruction pointer. To assemble a new instruction, type the mnemonic you want and press ENTER. To stop assembling, press ENTER on an empty line.
.dvalloc
The .dvalloc command makes Windows allocate additional memory in the target process.
Adding an extra printf
Here is the original test code, just something I threw together:
#include <windows.h>
#include <stdio.h>
#include <tchar.h>

char* g_char = "I am string";

// Thread body: spins forever, so its loop jump can be patched while it runs.
// WINAPI (stdcall) is the calling convention CreateThread expects.
DWORD WINAPI ThreadProc(LPVOID lp)
{
    while(1)
    {
        // todo
    }
    return 0;
}

int _tmain(int argc, _TCHAR* argv[])
{
    printf("%s\n", g_char);
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ThreadProc, 0, 0, 0);
    getchar(); // keep the process alive so the debugger can attach
    return 0;
}
Attach WinDbg:
Look at the ThreadProc function:
0:000> u 012313c0 L10
test1!ThreadProc [d:\windbg\test1\test1.cpp @ 11]:
012313c0 55 push ebp
012313c1 8bec mov ebp,esp
012313c3 81ecc0000000 sub esp,0C0h
012313c9 53 push ebx
012313ca 56 push esi
012313cb 57 push edi
012313cc 8dbd40ffffff lea edi,[ebp-0C0h]
012313d2 b930000000 mov ecx,30h
012313d7 b8cccccccc mov eax,0CCCCCCCCh
012313dc f3ab rep stos dword ptr es:[edi]
012313de b801000000 mov eax,1
012313e3 85c0 test eax,eax
012313e5 7402 je test1!ThreadProc+0x29 (012313e9)
012313e7 ebf5 jmp test1!ThreadProc+0x1e (012313de)    ///< this instruction jumps back to the loop head; this is where we intervene
012313e9 33c0 xor eax,eax
012313eb 5f pop edi
1. First, set up the memory for the detour: one block holds printf's format string, the other holds the jump code.
0:000> .dvalloc 100
Allocated 1000 bytes starting at 00030000
0:000> .dvalloc 100
Allocated 1000 bytes starting at 000f0000
0:000> eza 000f0000 "sorry i am not exist string"
0:000> da f0000
000f0000 "sorry i am not exist string"
2. Write the added printf call
0:000> a 00030000
00030000 pushad
pushad
00030001 pushfd
pushfd
00030002 push f0000
push f0000
00030007 call dword ptr [test1!_imp__printf]
call dword ptr [test1!_imp__printf]
0003000d add esp,4
add esp,4
00030010 popfd
popfd
00030011 popad
popad
00030012 jmp test1!ThreadProc+0x1e
jmp test1!ThreadProc+0x1e
00030017
0:000> u 30000 L10
00030000 60 pushad
00030001 9c pushfd
00030002 6800000f00 push 0F0000h
00030007 ff15c4822301 call dword ptr [test1!_imp__printf (012382c4)]
0003000d 83c404 add esp,4
00030010 9d popfd
00030011 61 popad
00030012 e9c7132001 jmp test1!ThreadProc+0x1e (012313de)
00030017 0000 add byte ptr [eax],al
3. Change
012313e7 ebf5 jmp test1!ThreadProc+0x1e (012313de)
to
0:000> a 012313e7
012313e7 jmp 30000
jmp 30000
012313ec
0:000> u 012313e7
test1!ThreadProc+0x27 [d:\windbg\test1\test1.cpp @ 15]:
Run: