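#include "stdafx.h"
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <excpt.h>
#include <tchar.h>

/*
 * Simple structured-exception-handling (SEH) demonstration for MSVC.
 *
 * The program plants a one-byte software breakpoint (0xCC, int3) on the first
 * byte of MessageBoxA in its OWN process, calls MessageBoxA so that the
 * breakpoint exception is raised, catches that exception with __try/__except,
 * puts the original byte back and calls MessageBoxA again.
 *
 * Notes for readers:
 *  - The change is made through this process's own mapping of user32.dll.
 *  - Under a debugger the breakpoint is offered to the debugger first, so the
 *    __except block may not be what handles it.
 *  - Integrity checks and endpoint security tooling commonly look for exactly
 *    this kind of in-memory modification at an API entry point, so the demo
 *    may be flagged by such tooling.
 */

/*
 * Write a single byte into executable memory at addr.
 *
 * The page is made writable for the duration of the write and then returned to
 * whatever protection it had before, so no writable+executable page is left
 * behind. VirtualProtect requires a valid pointer for the old-protection
 * output; passing NULL (as the original listing did on the restore call) makes
 * the call fail and leaves the page writable.
 *
 * Returns TRUE when the byte was written and the protection was restored.
 * Returns FALSE if the page could not be made writable (nothing was written)
 * or if the protection could not be restored (the byte was written).
 */
static BOOL set_code_byte(PBYTE addr, BYTE value)
{
    DWORD original_protect = 0;
    DWORD ignored = 0;

    if (!VirtualProtect(addr, 1, PAGE_EXECUTE_READWRITE, &original_protect)) {
        return FALSE;
    }

    *addr = value;

    /* Documented practice after modifying code; result is not critical here. */
    FlushInstructionCache(GetCurrentProcess(), addr, 1);

    return VirtualProtect(addr, 1, original_protect, &ignored);
}

int main(int argc, char *argv[])
{
    /*
     * Sample byte sequence that is only dumped below and never executed.
     * It appears to decode as a 16-bit port write (mov ax / mov dx / out dx,ax)
     * followed by ret; a port write is a privileged instruction in user mode.
     * sizeof includes the string literal's terminating NUL, so the dump ends
     * with a 0 entry.
     */
    BYTE shellcode[] = "\x66\xb8\x01\x20\x66\xba\x04\x10\x66\xef\xc3";
    BYTE old_byte = 0;
    PBYTE paddr = NULL;
    HMODULE hmod = NULL;

    (void)argc;
    (void)argv;

    for (size_t i = 0; i < sizeof(shellcode); ++i) {
        printf("%04d,0x%02x\n", shellcode[i], shellcode[i]);
    }

    /*
     * A frame-based SEH handler only sees exceptions raised while its guarded
     * block is active on this thread's stack, which is its main limitation.
     */

#if defined(_M_IX86)
    /* No-op instructions kept from the original listing; inline assembly is
     * only available in 32-bit x86 MSVC builds, hence the guard. */
    __asm mov ebx, ebx
    __asm push eax
    __asm pop eax
    __asm mov eax, eax
#endif

    hmod = LoadLibrary(_T("user32.dll"));
    if (hmod == NULL) {
        fprintf(stderr, "LoadLibrary failed: %lu\n", GetLastError());
        return 1;
    }

    /* GetProcAddress takes a narrow (char) name even in Unicode builds, so the
     * name must not be wrapped in _T(). */
    paddr = (PBYTE)GetProcAddress(hmod, "MessageBoxA");
    if (paddr == NULL) {
        fprintf(stderr, "GetProcAddress failed: %lu\n", GetLastError());
        FreeLibrary(hmod);
        return 1;
    }

    old_byte = *paddr;
    printf("paddr:%p\n", (void *)paddr);
    printf("oldbyte:%02d\n", old_byte);

    if (!set_code_byte(paddr, 0xCC)) {
        fprintf(stderr, "VirtualProtect failed: %lu\n", GetLastError());
        FreeLibrary(hmod);
        return 1;
    }

    /*
     * Only the call that is expected to fault is guarded, and the filter
     * accepts nothing but the breakpoint exception. A catch-all
     * EXCEPTION_EXECUTE_HANDLER would also swallow access violations and
     * other faults that should not be hidden.
     */
    __try {
#if defined(_M_IX86)
        __asm mov eax, eax
        __asm mov eax, eax
        __asm mov eax, eax
        __asm mov eax, eax
#endif
        MessageBoxA(NULL, "Test", "Test", MB_OK);
    }
    __except (GetExceptionCode() == EXCEPTION_BREAKPOINT
                  ? EXCEPTION_EXECUTE_HANDLER
                  : EXCEPTION_CONTINUE_SEARCH) {
        MessageBoxW(NULL, L"Takeover Exception", L"Exception Handling", MB_OK);

        /* Put the original first byte back before calling the API again. */
        if (!set_code_byte(paddr, old_byte)) {
            fprintf(stderr, "VirtualProtect failed: %lu\n", GetLastError());
            FreeLibrary(hmod);
            return 1;
        }
        MessageBoxA(NULL, "Test", "Test", MB_OK);
    }

    FreeLibrary(hmod);
    system("pause");
    return 0;
}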
Simple SEH Processing