Windows buffer overflow from zero
Author: coolend
OBJECTIVE: to understand the principle of buffer overflows and implement a simple one.
Tool: VC

1. C language foundation

1.1 The storage areas of a C program

1. Stack: allocated and released automatically by the compiler.
2. Heap: generally allocated by the programmer; if the programmer does not release it, it may be reclaimed by the OS when the program ends.
3. Global area (static area): stores global variables and static variables. Initialized global variables and static variables are placed together in one region; uninitialized global variables and uninitialized static variables are placed in an adjacent region.

In general:
1. Local automatic variables inside a function use the stack space of the process or thread.
2. Dynamic memory allocation uses heap space. Different operating systems manage the heap differently.
3. Initialized global variables are placed in the data segment (the DATA segment). Uninitialized global variables are placed in an uninitialized data segment, typically the BSS segment.
Create a Win32 Console Application in VC 6.0 and enter the following program.
#include
Output:
0x00406910 0x00406ACC 0x0012FF7C 0x0012FF70 0x0012FF68 0x0012FF6C 0x00406914 0x00410510 0x00410510
Description (which region each variable lives in):
Heap: *pPoint1, *pPoint2
Stack: mVar1, mVar2, pPoint1, pPoint2
DATA segment: gGlobal, mConst
BSS segment: gpPoint
1.2 The C function call mechanism

Create a Win32 Console Application in VC 6.0 and enter the following.
//example.c
int add(int number1, int number2)
{
    int result = 0;
    result = number1 + number2;
    return result;
}

int main(int argc, char *argv[])
{
    int a, b, res = 0;
    a = 0x100;
    b = 0x200;
    res = add(a, b);
    return 0;
}

Set a breakpoint at res = add(a, b);, press F5, then Alt+8, and you see the following assembly code.

Assembly code for the main function:
main:
00401060 55                   push ebp
00401061 8B EC                mov ebp, esp
00401063 83 EC 4C             sub esp, 4Ch
00401066 53                   push ebx
00401067 56                   push esi
00401068 57                   push edi
00401069 8D 7D B4             lea edi, [ebp-4Ch]
0040106C B9 13 00 00 00       mov ecx, 13h
00401071 B8 CC CC CC CC       mov eax, 0CCCCCCCCh
00401076 F3 AB                rep stos dword ptr [edi]
00401078 C7 45 F4 00 00 00 00 mov dword ptr [ebp-0Ch], 0
0040107F C7 45 FC 00 01 00 00 mov dword ptr [ebp-4], 100h
00401086 C7 45 F8 00 02 00 00 mov dword ptr [ebp-8], 200h
0040108D 8B 45 F8             mov eax, dword ptr [ebp-8]
00401090 50                   push eax
00401091 8B 4D FC             mov ecx, dword ptr [ebp-4]
00401094 51                   push ecx
00401095 E8 6B FF FF FF       call @ILT+0(add) (00401005)
0040109A 83 C4 08             add esp, 8
0040109D 89 45 F4             mov dword ptr [ebp-0Ch], eax
004010A0 33 C0                xor eax, eax
004010A2 5F                   pop edi
004010A3 5E                   pop esi
004010A4 5B                   pop ebx
004010A5 83 C4 4C             add esp, 4Ch
004010A8 3B EC                cmp ebp, esp
004010AA E8 21 00 00 00       call __chkesp (004010D0)
004010AF 8B E5                mov esp, ebp
004010B1 5D                   pop ebp
004010B2 C3                   ret
Assembly code for the add function:

add:
00401020 55                   push ebp
00401021 8B EC                mov ebp, esp
00401023 83 EC 44             sub esp, 44h
00401026 53                   push ebx
00401027 56                   push esi
00401028 57                   push edi
00401029 8D 7D BC             lea edi, [ebp-44h]
0040102C B9 11 00 00 00       mov ecx, 11h
00401031 B8 CC CC CC CC       mov eax, 0CCCCCCCCh
00401036 F3 AB                rep stos dword ptr [edi]
00401038 C7 45 FC 00 00 00 00 mov dword ptr [ebp-4], 0
0040103F 8B 45 08             mov eax, dword ptr [ebp+8]
00401042 03 45 0C             add eax, dword ptr [ebp+0Ch]
00401045 89 45 FC             mov dword ptr [ebp-4], eax
00401048 8B 45 FC             mov eax, dword ptr [ebp-4]
0040104B 5F                   pop edi
0040104C 5E                   pop esi
0040104D 5B                   pop ebx
0040104E 8B E5                mov esp, ebp
00401050 5D                   pop ebp
00401051 C3                   ret

and the incremental-link (ILT) jump thunks that the calls go through:

@ILT+0(?add@@YAHHH@Z):
00401005 E9 16 00 00 00       jmp add (00401020)
@ILT+5(_main):
0040100A E9 51 00 00 00       jmp main (00401060)
Press F5 again; the program stops at 0040108D 8B 45 F8 mov eax, dword ptr [ebp-8]. Press F10 to step to 00401095 E8 6B FF FF FF call @ILT+0(add) (00401005), then press F11 and look at [esp]: it shows 9A 10 40 00, which is 0040109A, the address of the instruction following the call. This shows that "call xxxx" is equivalent to pushing the address of the next instruction and then doing "jmp xxxx".
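The frame layout the listing shows (the saved ebp at [ebp], the return address pushed by call at [ebp+4], locals below ebp) can be checked from C at run time. This is an added example, not code from the original page; it assumes a GCC or Clang compatible compiler (for __builtin_frame_address and __builtin_return_address) that keeps a frame pointer, and on x86-64 each slot is 8 bytes wide instead of the 4 bytes in the VC 6.0 listing.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* What one function sees of its own stack frame (added example, not from the page). */
struct frame_info {
    int       sum;               /* number1 + number2, like add() in the listing */
    uintptr_t local_addr;        /* address of a local buffer */
    uintptr_t frame_addr;        /* ebp: slot holding the caller's saved ebp */
    uintptr_t ret_slot_addr;     /* [ebp+4] on x86, [rbp+8] on x86-64: return address slot */
    int       ret_slot_matches;  /* 1 if that slot really holds this call's return address */
    int       local_below_frame; /* 1 if the buffer lies at a lower address than the slots */
};

/* Same shape as add(number1, number2) from the page, but it inspects its own frame.
 * noinline keeps it a real call, so a return address is really pushed by "call". */
__attribute__((noinline)) struct frame_info inspect_frame(int number1, int number2)
{
    char local_buf[16];          /* automatic variable: allocated in this frame, below ebp */
    struct frame_info fi;
    /* Assumption: a GCC/Clang compiler that keeps a frame pointer when this builtin is
     * used. frame then points at the saved ebp, exactly like ebp after "mov ebp, esp". */
    void **frame = (void **)__builtin_frame_address(0);

    memset(local_buf, 'A', sizeof local_buf);
    fi.sum               = number1 + number2;
    fi.local_addr        = (uintptr_t)local_buf;
    fi.frame_addr        = (uintptr_t)frame;
    fi.ret_slot_addr     = (uintptr_t)(frame + 1);          /* one slot above saved ebp */
    fi.ret_slot_matches  = (frame[1] == __builtin_return_address(0));
    fi.local_below_frame = (fi.local_addr < fi.frame_addr);
    return fi;
}

int main(void)
{
    struct frame_info fi = inspect_frame(0x100, 0x200);
    printf("sum                 = 0x%x\n", fi.sum);
    printf("local buffer        at 0x%lx\n", (unsigned long)fi.local_addr);
    printf("saved ebp slot      at 0x%lx\n", (unsigned long)fi.frame_addr);
    printf("return address slot at 0x%lx (%s)\n", (unsigned long)fi.ret_slot_addr,
           fi.ret_slot_matches ? "holds the real return address" : "mismatch");
    printf("local buffer below the saved ebp/return address: %s\n",
           fi.local_below_frame ? "yes" : "no");
    return 0;
}
```

On x86 and x86-64 local_below_frame is 1: the local buffer sits at a lower address than the saved ebp and the return address, which is why a write that runs past the end of such a buffer reaches those two slots, and why a bounds check on every write into a stack buffer is what prevents it.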