Reprinted: Q version hacker overflow tutorial
I am writing this article hoping to give some help to newcomers who, like me, want to learn about buffer overflows, because I have not yet found any articles of this kind. First, we introduce two methods of exploiting stack overflows: jmp esp and jmp ebx. Next, we explain the simple conversion method. Finally, we give two practical examples, write isno. printe
// Get jmp esp / jmp ebx / call ebx address in a process
// By isno
// It must be compiled in debug mode in VC.
#include
#include
#include
#define fnendlong 0x08
#define nopcode 0x90
#define noplong 0x0
#define buffsize 0x20000
#define shellbuffsize 0x800
#define shellfnnums 9 // Number of API functions
Yi Wei public platform interface dummies tutorial, Yi Wei micro dummies. Part of the content: Interface 9 hyperlink.rmvb, interface 8 music information.rmvb
// Hookapi.cpp: defines the entry point for the console application.
// Conclusion: write an assembly 0xE9 unconditional jump at the front of the original API function so that the API function called by the system jumps to the custom function for execution.
#include "stdafx.h"
#include
JMP command
Explanation:
a testing tool is introduced that is not supported by people. People should see the need to improve a specific process, and be aware that the introduction of a specific test tool may ultimately help to accomplish their work more efficiently. If an organization does not sort these three points in order, the sentence "with the test tool, dummies are still dummies" will come true. Or in other words, an organi
C-language dummies (1): nested loops-program structure, dummies
Loop statement nesting a loop structure can contain another loop, called loop nesting, or multiple loops. The nested loop is a double loop. The outer loop is called an external loop, and the inner loop is called an internal loop. --------- I don't know where the basic concepts come from
This is the first blog of the baby. I will not ask fo
For JMP commands:
(1) JMP short label: equivalent to (IP) = (IP) + 8-bit displacement; the jump range is [-128, 127].
(2) JMP near ptr label: equivalent to (IP) = (IP) + 16-bit displacement; the jump range is [-32768, 32767].
(3) JMP far ptr label: equivalent to (CS) = the segment address of the label, (IP) = the offset address of the la
Source: bkbll@cnhonker.net evil baboons
1. Preface. In buffer overflows on Linux, many shellcodes jump to the stack; on Windows, many jumps use jmp esp. There is no new technology in this article, it is just a whim, just a change in my methods.
2. Comparison. The frequently used shellcode method of jumping to the stack has a good side. For example, you can put the shellcode in ENV to avoid the length limit. The disadvantage is that
The question above is: why does the same assembly instruction, JMP 12345678, correspond to different machine code? First, the opcode E9 indicates that this is a near jump (near JMP). Here we need to add some background: JMP comes in three types: ① short jump (short JMP, which can only jump within a range of 256 b
Calculation of the jump distance for E9: distance = destination address - (current address + 5). The "plus 5" is because the JMP instruction occupies 5 bytes in total, so it is really the destination address minus the end address of the JMP instruction, which is the current address + 5.
If the target address is f1e0b63e and the current address is 8093c6d8, then distance = f1e0b63e - 8093c6d8 - 5 = 714cef61.
This is mainly about getting started; understanding how to write shellcode is not easy. Really not easy: looking at the author's code, I felt there was nowhere to start. A lot of knowledge of the underlying principles is also needed, which I intend to add gradually later. At this stage, jmp esp is understood. The subsequent dynamic API fetching faulted on the host. The problem is similar to searching for the JMP
Jump instructions are divided into three categories:
First, unconditional jumps: JMP.
Second, jumps based on the value of the CX or ECX register: JCXZ (jump if CX is 0), JECXZ (jump if ECX is 0).
Third, jumps based on the EFLAGS register flag bits; there are too many of these to list.
JMP, the unconditional transfer instruction: 1. direct short transfer within the segment; 2. direct near transfer within the segment; 3. indirect near transfer within the segment; 4. direct transfe
1. The difference for JMP is that one form is an intra-segment jump and the other is an inter-segment jump.
2. CALL is very different, because CALL affects the stack:
(1) A near CALL does not change the stack in use, but the stack contents change: the address of the next instruction is pushed onto the stack, and if there are parameters, the parameters are pushed onto the stack.
(2) A far CALL changes the stack in use, because the stack use
In assembly, $ is used to obtain the address where $ itself is located. Therefore, JMP $ is an endless loop, unless it is interrupted, in which case the interrupt service routine executes and then returns. However, note that the return address is still JMP $, rather than the next statement.
In the execution of JMP $, the address of the
① JMP is not responsible for scheduling. It does not save any information and does not consider jumping back; it simply jumps.
② CALL saves EIP and so on, so that the program can jump back. RET is the inverse of CALL, the process of jumping back. This is a built-in CPU instruction, so we do not need to save the information ourselves; we just run the instruction.
③ A privilege-level transfer within the same task is similar to ②, but you need to prepa
Jump instructions are divided into three categories:
First, unconditional jumps: JMP.
Second, jumps based on the value of the CX or ECX register: JCXZ (jump if CX is 0), JECXZ (jump if ECX is 0).
Third, jumps based on the EFLAGS register flag bits; there are too many of these to list.
Instructions that jump according to the flag bits:
JE ; jump if equal
JNE ; jump if not equal
JZ ; jump if zero
JNZ ; jump if not zero
JMP selector:offset. The selector may refer to a segment descriptor or a gate descriptor. The CPU executes this instruction as follows:
The above is my understanding of the execution process of JMP selector:offset. In fact, CALL selector:offset is similar, except that CS and EIP are pushed onto the stack at the beginning and popped from the stack at the end.
(The arrow shown in the figure is a bit eye-catching. I can
Virus name: Trojan-PSW.Win32.QQPass.ajo (Kaspersky)
Virus alias: Worm.Win32.Pabug.cf (Rising), Win32.Troj.QQPassT.ah.110771 (Kingsoft Duba)
Virus size: 32,948 bytes
Packer: UPX
Sample MD5: 772f4dfc995f7c1ad6d1978691190cde
Sample SHA1: e9d2bcc5666a3433d5ef8cc836c4579f03f8b6cc
Associated virus:
Transmission mode: spread through malicious web pages, downloads by other trojans, USB flash drives and mobile hard drives
Technical Analysis
After the trojan runs, it copies itself: Cod