Reprinted: Q version hacker overflow tutorial
I am writing this article, hoping to give some help to cainiao who want to learn about Buffer Overflow just like me, because no such articles have been found yet. First, we will introduce two methods of using Stack Overflow-jmp esp and jmp ebx. Next, we will explain the simple method of conversion. Finally, we will give two practical examples, write isno. printe
//////////////////////////////////////// /////////////// Get jmp esp/jmp ebx/call EBX address in a process// By isno// It must be compiled in debug mode in VC.//////////////////////////////////////// /////////////# Include # Include # Include
# Define fnendlong 0x08# Define nopcode 0x90# Define noplong 0x0# Define buffsize 0x20000
# Define shellbuffsize 0x800# Define shellfnnums 9 // Number of API function
// Hookapi. CPP: defines the entry point for the console application. //// conclusion: add an assembly 0xe9 unconditional jump value to the front of the original API function pointer, and jump the API function called by the system to the custom function to execute # include "stdafx. H "# include
//////////////////////////////////////// //////////////////////////////////////// //////////////
JMP command
Explanation:
N
Source: bkbll@cnhonker.net evil baboons
1. preface.In Buffer overflow in Linux, there are many shellcodes used to jump to the stack. in windows, there are many jumps using jmp esp. There is no new technology in this article, but it is just a whim, just change my methods.2. comparison.The frequently used shellcode method to jump to the stack has a good side. For example, you can put shellcode in ENV to avoi
For JMP commands:
(1) JMP short labelEquivalent to (IP) = (IP) + 8-bit displacement jump range is [-128,127](2) JMP near PTR labelsEquivalent to (IP) = (IP) + 16-bit displacement jump range is [-32768,32767](3) JMP far PTR labelsEquivalent to (CS) = the segment address of the label, (IP) = the offset address of the la
The above question is: Why does JMP 12345678 of the same assembly command correspond to different machine codes? First, the machine code E9 indicates that this is a near jump (near JMP). Here we need to add the relevant knowledge: JMP is divided into three types: ① short jump (short JMP, only jump to the range of 256 b
This is the main hand to understand the writing shellcode is not easy. Really not easy, look at the author's code, all feel that they have nowhere to start. The need for the underlying principle of knowledge is also very much need to add up.Intend to gradually add later. At this stage, jmp ESP is understood. The subsequent dynamic fetch API was faulted on the host. The problem is similar to searching for the JMP
Jump instructions are divided into three categories:First, unconditional jump: JMP;Second, according to the value of CX, ECX Register jump: JCXZ (CX is 0 jump), JECXZ (ECX for 0 jump);Three, according to the EFLAGS register flag bit jump, this too many.JMP Unconditional Transfer Instructions1, the direct short transfer within the paragraph 2, a direct near-transfer within the paragraph 3, within the paragraph near the transfer of 4, the direct transfe
Calculation of jmp distance of E9: distance = destination address-(current address + 5) (plus 5 is because the JMP command occupies a total of 5 words, actually the destination address minus the end address of the JMP command, that is, the current address + 5If the target address is f1e0b63eThe current address is 8093c6d8.Distance = f1e0b63e-8093c6d8-5 = 714cef61
In assembly, $ is used to obtain the address where $ is located. Therefore, JMP $ is an endless loop. Unless
Interrupted, and the interrupted service program will be executed again. However, it should be noted that the returned address is still JMP $, rather than its
The next statement.
In JMP $ execution, the address of the
① JMP is not responsible for scheduling. It does not save any information, and it does not consider turning back. Skip this step.② Call, save EIP, and so on, so that the program can jump back. RET is the inverse process of call and the process of turning back. This is an inherent CPU command, so we do not need to save the information. Run the command directly.③ Privilege-level transfer within the same task, which is similar to ②, but you need to prepa
1. The difference between JMP is that one is intra-segment call and the other is inter-segment call.
2. The call is very different, because the call will have an impact on the stack:(1) The call's near call will not change the stack used, but the stack content has changed: the next command is pushed into the stack; if there is a parameter, the parameter is pushed into the stack.(2) The Remote Call of call changes the stack used. Because the stack use
Tag: instruction equals Win32 html WWW htm greater than lag strongJump instructions are divided into three categories:First, unconditional jump: JMP;Second, according to the value of CX, ECX Register jump: JCXZ (CX is 0 jump), JECXZ (ECX for 0 jump);Three, according to the EFLAGS register flag bit jump, this too many.Instructions to jump according to the flag bit:JE or equal to the jumpJNE ; not equal to the jumpJZ ; for 0 then Jumpjnz ; not 0 jumps
Jmp selector: offset. The selector may indicate a segment descriptor or a gate descriptor. The cpu executes this command as follows:
The above is my understanding of the jmp selector: offset execution process. In fact, the call selector: offset is similar, but the stack of cs and eip is added at the beginning and end, And the stack is output.
(The arrow shown in the figure is a bit eye-catching. I can
Virus name: Trojan-PSW.Win32.QQPass.ajo (Kaspersky)Virus alias: worm. win32.pabug. CF (rising star), win32.troj. qqpasst. ah.110771 (drug overlord)Virus size: 32,948 bytesShelling method: UPXSample MD5: 772f4dfc995f7c1ad6d1978691190cdeSample sha1: e9d2bcc5666a3433d5ef8cc836c4579f03f8b6ccAssociated Virus:Transmission Mode: Spread through malicious web pages, other trojan downloads, USB flash drives, and mobile hard drives
Technical Analysis============
After the trojan is run, copy itself:Cod
YourselfProgramTo share with you. It's dangerous to remember sprintf!
VC ++ 2008 in debug mode
# Include
This program gets stuck when it is executed to free, and F11 is used for debugging until it reaches the assembly language.
JMP _ vec_memzero; Use fast zero sse2 implementation
The system stops and displays "No information available for the current location ".Source code".
Cause:
Invalid Memory Access, subscript out of bounds.
in Linux we can use the GDB debugger can also use objdump this tool, of course, there are other tools, but here I will not say, and then open the file in hexadecimal we can use XXD, We make a hex-mode change to the file by calling Xxd inside the vim, and of course there are other hex editors, and I'm not going to say it, because I'm also playing, after all, I'm still learning Win32 API (my real egg hurts), so let's start with a simple program.Let's l
Research on viruses in Linux-general Linux technology-Linux programming and kernel information. The following is a detailed description. 1. Introduction
This article discusses how to modify an ELF file to implement redirection of shared library calls. Modifying the program connection Table of an executable file allows an infected file to call external functions.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.