push EAX; block table size
push edx; edx is the offset of the Virus code block table
push esi; buffer address
Combined virus code block and Virus code block table must be less than or equal to the amount of space not used
Inc ECX
push ecx; Save numberofsections+1
SHL ecx, 03h; multiply 8
push ecx; reserved virus block table space
Add ecx, eax
add ecx, edx; offset of the body of the ecx+ file
Sub ecx, (sizeofheaders-@9) [esi]
Not ECX
Inc ECX; ecx for file header size-offset of
operation adds ESP to 8, indicating that the stack growth direction is from high address to low address. 00c93a03 mov dword ptr [Sum], eax # function return value stored in eax in the sum variable # function call field int pushparametersorderapp (INT param1, int param2) {00e41f80 push EBP # Save the previous EBP pointer, esp + = 400e41f81 mov EBP, esp # assign the new ESP to EBP and direct it to 00e41f83 sub ESP at the bottom of the current function stack, 0d8h # reserve 216 (0d8) bytes for the
/**author:davidlin*date:2014-11-11pm*email: [email protected] or [email protected]*world:the City of SZ, in China*ver:000.000.001*history:editor time do1) Linpeng 2014-11-11 created this file!2)*/Linux-0.11 Memory Management module is more difficult to understand in the source code part, now the author's personal understanding publishedFirst hair Linux-0.11 kernel memory management get_free_page () function analysisHave time to write other functions or files:)/** Get Physical Address of first (a
/**author:davidlin*date:2014-11-11pm*email: [email protected] or [email protected]*world:the City of SZ, in China*ver:000.000.001*history:editor time do1) Linpeng 2014-11-11 created this file!2)*/Linux-0.11 Memory Management module is more difficult to understand in the source code part, now the author's personal understanding publishedFirst hair Linux-0.11 kernel memory management get_free_page () function analysisHave time to write other functions or files:)/** Get Physical Address of first (a
It's free. Let's take a look.ODLoad directly as follows:
00414000> $ E8 00000000 call 0041400500414005 $ 5B pop ebx // locate the code00414006.81EB05024000 sub ebx, 00400205 // The code segment length, followed by a variable0041400C. 64: 8B3D 30000000 mov edi, dword ptr fs: [30] // FS [30]-> PEB, locate kernel32.dll00414013. 8B7F 0C mov edi, dword ptr [edi + C] /
EAX register to the memory location specified by value. Use the memory location of the variable address. as follows, multi-memory specifies multiple values in one command:values:. int 10,20,30,40,50,60,70this creates a series of data values that are contiguous in memory (similar to an array of high-level languages). When referencing data in an array, you must use the system to determine which memory location you want to access. The memory location is determined by the following expression:base_
If you returned a struct object, what would the return statement do? Here is the test code
#include using namespace Std;struct BIG{Char buf[100];int i;Long D;}B,B2;Big Bigfun (Big B){b.i=100;return b;}int main (){B2=bigfun (B);return 0;}To set a breakpoint at the beginning and end of main8:int Main ()19: {004012A0 Push EBP004012A1 mov Ebp,esp004012a3 Sub esp,118hPuzzled at first, and analyzed for a long timeThe original (118h-40h) remaining memory block holds two big variablesLow address put bi
Loading and execution of programs (iii)--reading notes 23And then the last time the content said.load_relocate_programthe explanation of the process is not over yet, so create a stack segment descriptor and reposition symbol table.Allocating stack space and creating a stack segment descriptor462 ; Creating a program stack segment descriptor463 movecx,[edi+0x0c]; 4KB magnification464 movEbx0x000fffff465 SubEbx,ecxTo get
accounted for 10 bytes, to 4-byte alignment, so you need to complement two bytes, so two 0xcc, resulting in a 10 byte between the BF and array. The one next to the above array should be two 0xcc to complement the alignment. It was deliberately marked to the back. The purpose of this identification here is to illustrate the principle of checkstackvars this inspection.
OK, clear the memory distribution, then checkstackvars at what time to perform the check, in C + + code can not be displayed to
Everyone knows that to use COM components in a program, you must first call coinitialize. This function is mainly used to initialize the com runtime environment. But does the function scope take the thread as the unit or the process as the unit? Maybe you have figured out the answer through the test program. That's right, it's a thread. Today, we will go into a bit more detail and confirm our ideas by analyzing the specific implementation of coinitialize.
Let's take a look at coinitialize compil
that shellcode will be much larger.
At the summit because Flashsky Daniel refused to disclose source code, so had to do their own, ample clothing. This period of time due to review make-up (last semester accidentally hung 4 #_#), so dragged for so long. In fact, the code was written very early, is not bothered to write this document. This morning finally made up my mind to spend the morning to finish this document, it is inevitable that there are some mistakes, I hope you point out.
Shellcode
is filled, the cmp [Addr] And 0xff will be used to determine whether to check the encryption option for processing. There is Magic JUMP, but the Shell API address has been redirected, and the Patch code needs to be restored.>The code is not optimized, and there is no time to optimize it. There are too many records to analyze the main program.The Patch code is as follows:Code:00B60000 60 pushad00B60001 9C pushfd00B60002 BE 00104000 mov esi, 0x401000 Code segment Addr00B60007 BF 00404000 mov
Lucifer.; #########################################################################. 386. Model flat, stdcall; -bit memory model option Casemap:none; Case sensitive include \masm32\include\kernel32.inc; ------------------------------------ ; Please read the final usage of the text; ------------------------------------ARGCL PROTO:D Word,:D Word. Code; ######################################################################## #ArgCl proc Argnum:dword, ItemBuffer:D Word local cmdline:D word local c
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.