Shellcode call method

xiaoxiao2021-03-19  206

Editer: ASM_C

Give rookie, master and love, gossip, don't look _ :)

I have been watching the shellcode written by others, and I am exemplified by the probably procedure;

Char sc [] =

"/ X99 / X52 / X58 / X52 / XBF / XB7 / X97 / X39 / X34 / X01 / XFF / X57 / XBF / X97 / X17 / XB1"

"/ X34 / X01 / X89 / XE3 / X52 / X53 / X89 / XE1 / XB0 / X63 / X2C / X58 / X81"

"/ XEF / X62 / XAE / X61 / X69 / X57 / XFF / XD4";

int main ()

{

INT (* f) () = (int (*)) SC;

f ();

}

The statement is not what I wrote. I can't write such something. This is a 40-byte shellcode written by Russian security. I want to say: here:

INT (* f) () = (int (*)) sc; I originally saw it, I can't understand, it is actually very simple:

excerpt:

The function stores in the memory code area, they also have addresses, how can we get the address of the function?

If we have a function of int Test (int A), then its address is the name of the function, just like an array, the name of the array is the start address of the array.

Define a pointer to a functionality to use the following TEST () as an example:

INT (* fp) (INT A); // This defines a pointer to function

Function pointers cannot be definitely not pointing different types, or with different ginseng functions, we can easily make the following errors when defining a function pointer.

INT * FP (INT A); / / This is an error, because it is a first and () combined according to the conjunction and priority, then it turns into a function of returning the shaping pointer, not a function pointer, this Especially need to pay attention!

Let's take a concrete example:

#include

#include

Using namespace std;

INT TEST (INT A);

Void main (int Argc, char * argv [])

{

COUT << Test << Endl; // Display Function Address

INT (* fp) (INT A);

FP = TEST; / / 将 地址函 地址 地址 地址 的 给 f

Cout << fp (5) << "| << (* fp) (10) << endl;

/ / The output FP (5) above is the standard C write, (* fp) (10) This is a standard write method compatible with C language, two consent, but pay attention to distinguish, avoid writing procedures to generate a transplantability!

cin.get ();

}

Int Test (INT A)

{

Return A;

}

Typedef definitions can simplify the definition of function pointers, can't feel when they define one, but they know more, the above code is rewritten into the following form:

#include

#include

Using namespace std;

INT TEST (INT A);

Void main (int Argc, char * argv [])

{

COUT << Test << Endl;

TypedEf int (* fp) (INT A); // Note, here is not a life function pointer, but define a type of function pointer, this type is the type defined, the type name is FP

FP FPI; // Use your own defined type name FP defines a FPI function pointer!

FPI = TEST;

COUT << FPI (5) << "| << (* fpi) (10) << endl; cin.get ();

}

Int Test (INT A)

{

Return A;

}

The function pointer can also be passed to the function as a parameter. Here we look at an example. Read it carefully. You will find it, a slight reasoning can be very convenient for us to conduct some complex programming.

// ------------------- This example is the basis for a little modification ------------------ -----------

#include

#include

Using namespace std;

INT TEST (INT);

INT TEST2 (INT), INT)

Void main (int Argc, char * argv [])

{

COUT << Test << Endl;

TYPEDEF INT (INT);

FP FPI;

FPI = TEST; / / FPI gives the memory address of the TEST function

COUT << Test2 (FPI, 1) << Endl; // When you call the Test2 function, here the function address (TEST's function addresses) stored (TEST's function addresses)

cin.get ();

}

Int Test (INT A)

{

Return A-1;

}

INT TEST2 (INT), INT B) // defines a function pointer that names RA is defined here.

{

INT C = ra (10) b; // After the call, the RA already points to the function address poised by the FPI, the Test function.

Return C;

}

Using the function pointer, we can constitute an array of pointers, more clearly, is a pointer array that constitutes a function of the function, which may be easier to understand.

#include

#include

Using namespace std;

Void T1 () {cout << "test1";

Void T2 () {cout << "test2";

Void T3 () {cout << "test3";

Void main (int Argc, char * argv [])

{

Void * a [] = {T1, T2, T3};

Cout << "Compare the address of the memory address of T1 () and the address stored by the array a [0] consistent" << T1 << "| << a [0] << endl;

Cout << a [0] (); // Error! Pointer array is not available to the array subscript operation call function

TypeDef void (* fp) (); // Customize a function pointer type

FP B [] = {T1, T2, T3}; // Using Customized Type FP Pointer Array Pointer Pointer

B [0] (); // Now use the pointer array of the point to the function to perform the indirect call of the function.

cin.get ();

}

Take a closer look, you may not need me to say that everyone will know how to think about it, and finally we do a key summary, just remember this, it is easy to use the function pointer to make an array of functions.

Void * a [] = {T1, T2, T3};

Cout << "Compare the address of the memory address of T1 () and the address stored by the array a [0] consistent" << T1 << "| << a [0] << endl;

Cout << a [0] (); // Error! Pointer array is not available to the array subscript operation call function

Why can't you call this in this small paragraph?

The previous tutorial we have said it is very clear, but we still review the concept, the pointer array element is only a memory address, since it is just a memory address, it is impossible to perform A [0] () such an address band. The operation of parenthesis, and the function pointer is different, the function pointer is only so called it because it is a pointer to the function pointing to the memory, which is awarded to () the right to allow () the right to operate, indirect Function call, since the function pointer allows such operations, then the array of defined function pointers must be the same operation. Seeing that the rookie is a lot of friends, you can test a lot, you can test shellcode yourself ...

转载请注明原文地址:https://www.9cbs.com/read-130039.html

New Post(0)