Before reading this article, if you do not even know what a stack is, please read the "Basics" section at the end first.

Anyone who has done some programming knows that high-level languages access data in memory through variable names. How are these variables laid out in memory, and how does the program use them? That is discussed in depth below. Unless stated otherwise, the C code in this article is compiled as a VC (Visual C++) release build.

First, a look at how C variables are distributed in memory. C has global variables (Global), local variables (Local), static variables (Static) and register variables (Register), and each kind is allocated differently. Start with this code:
#include <stdio.h>
int g1=0, g2=0, g3=0;
int main()
{
    static int s1=0, s2=0, s3=0;
    int v1=0, v2=0, v3=0;
    // print the memory address of each variable
    printf("0x%08x\n",&v1);     // the local variables
    printf("0x%08x\n",&v2);
    printf("0x%08x\n\n",&v3);
    printf("0x%08x\n",&g1);     // the global variables
    printf("0x%08x\n",&g2);
    printf("0x%08x\n\n",&g3);
    printf("0x%08x\n",&s1);     // the static variables
    printf("0x%08x\n",&s2);
    printf("0x%08x\n\n",&s3);
    return 0;
}
Output after compiling and running:

0x0012ff78
0x0012ff7c
0x0012ff80

0x004068d0
0x004068d4
0x004068d8

0x004068dc
0x004068e0
0x004068e4
The output is the address of each variable: v1, v2, v3 are locals, g1, g2, g3 are globals and s1, s2, s3 are statics. Within each group the variables are contiguous, but the locals lie a very long way from the globals, while the globals and the statics are contiguous with each other. This is because locals and global/static variables are allocated in different kinds of memory region. The address space of a process can be divided logically into three parts: the code area, the static data area and the dynamic data area. The dynamic data area is what is loosely called "the stack and the heap": the stack and the heap are two different kinds of dynamic data area; the stack is a linear structure and the heap is a linked structure. Every thread of a process has its own private stack, so threads running the same code still have locals that do not interfere with one another. A stack is described by a base address and a top-of-stack address. Globals and statics are allocated in the static data area; locals are allocated in the dynamic data area, on the stack, and the program reaches them as a base address plus an offset (in the listings below the compiler uses ESP-relative offsets; see the discussion of calling conventions).
├───────────────┤ low addresses
│               │
├───────────────┤
│ dynamic data  │
├───────────────┤
│               │
├───────────────┤
│ code          │
├───────────────┤
│ static data   │
├───────────────┤
│               │
├───────────────┤ high addresses
The stack is a first-in, last-out structure, and the top-of-stack address is always less than or equal to the stack's base address. To understand the role the stack plays in a program, first look at how a function call works. Different languages use different calling conventions, which define the order in which parameters are pushed and who balances the stack afterwards. The Windows API convention and the ANSI C convention differ: in the former the called function adjusts the stack, in the latter the caller does. The two are selected with the "__stdcall" and "__cdecl" keywords. Look at this code:
#include <stdio.h>
void __stdcall func(int param1,int param2,int param3)
{
    int var1=param1;
    int var2=param2;
    int var3=param3;
    printf("0x%08x\n",&param1);   // print the address of each parameter
    printf("0x%08x\n",&param2);
    printf("0x%08x\n\n",&param3);
    printf("0x%08x\n",&var1);     // and of each local variable
    printf("0x%08x\n",&var2);
    printf("0x%08x\n\n",&var3);
    return;
}
int main()
{
    func(1,2,3);
    return 0;
}
Output after compiling and running:

0x0012ff78
0x0012ff7c
0x0012ff80

0x0012ff68
0x0012ff6c
0x0012ff70
├───────────────┤<── top of stack (ESP) while func runs, low addresses
│               │
├───────────────┤
│ var1          │
├───────────────┤
│ var2          │
├───────────────┤
│ var3          │
├───────────────┤
│ RET           │
├───────────────┤<── top of stack (ESP) after a "__cdecl" function returns
│ parameter 1   │
├───────────────┤
│ parameter 2   │
├───────────────┤
│ parameter 3   │
├───────────────┤<── top of stack (ESP) after a "__stdcall" function returns
│               │
├───────────────┤<── bottom of stack (base address, EBP), high addresses
ÉÏͼ¾ÍÊǺ¯Êýµ÷Óùý³ÌÖжÑÕ»µÄÑù×ÓÁË¡£Ê×ÏÈ£¬Èý¸ö²ÎÊýÒÔ´ÓÓÖµ½×óµÄ´ÎÐòѹÈë¶ÑÕ»£¬ÏÈѹ¡°param3¡±£¬ÔÙѹ¡°param2¡±£¬×îºóѹÈë¡°param1¡±£»È»ºóѹÈ뺯ÊýµÄ·µ»ØµØÖ·(RET)£¬½Ó×ÅÌøתµ½º¯ÊýµØÖ·½Ó×ÅÖ´ÐУ¨ÕâÀïÒª²¹³äÒ»µã£¬½éÉÜUNIXϵĻº³åÒç³öÔÀíµÄÎÄÕÂÖж¼Ìáµ½ÔÚѹÈëRETºó£¬¼ÌÐøѹÈ뵱ǰEBP£¬È»ºóÓõ±Ç°ESP´úÌæEBP¡£È»¶ø£¬ÓÐһƪ½éÉÜwindowsϺ¯Êýµ÷ÓõÄÎÄÕÂÖÐ˵£¬ÔÚwindowsϵĺ¯Êýµ÷ÓÃÒ²ÓÐÕâÒ»²½Ö裬µ«¸ù¾ÝÎÒµÄʵ¼Êµ÷ÊÔ£¬²¢Î´·¢ÏÖÕâÒ»²½£¬Õ⻹¿ÉÒÔ´Óparam3ºÍvar1Ö®¼äÖ»ÓÐ4×ֽڵļä϶Õâµã¿´³öÀ´£©£»µÚÈý²½£¬½«Õ»¶¥(ESP)¼õÈ¥Ò»¸öÊý£¬Îª±¾µØ±äÁ¿·ÖÅäÄÚ´æ¿Õ¼ä£¬ÉÏÀýÖÐÊǼõÈ¥12×Ö½Ú(ESP=ESP-3*4£¬Ã¿¸öint±äÁ¿Õ¼ÓÃ4¸ö×Ö½Ú)£»½Óמͳõʼ»¯±¾µØ±äÁ¿µÄÄÚ´æ¿Õ¼ä¡£ÓÉÓÚ¡°__stdcall¡±µ÷ÓÃÓɱ»µ÷º¯Êýµ÷Õû¶ÑÕ»£¬ËùÒÔÔÚº¯Êý·µ»ØÇ°Òª»Ö¸´¶ÑÕ»£¬ÏÈ»ØÊÕ±¾µØ±äÁ¿Õ¼ÓõÄÄÚ´æ(ESP=ESP+3*4)£¬È»ºóÈ¡³ö·µ»ØµØÖ·£¬ÌîÈëEIP¼Ä´æÆ÷£¬»ØÊÕÏÈǰѹÈë²ÎÊýÕ¼ÓõÄÄÚ´æ(ESP=ESP+3*4)£¬¼ÌÐøÖ´Ðе÷ÓÃÕߵĴúÂë¡£²Î¼ûÏÂÁлã±à´úÂ룺
;-------------- assembly of func -------------------
:00401000 83EC0C     sub esp, 0000000C           ; reserve space for the local variables
:00401003 8B442410   mov eax, dword ptr [esp+10] ; param1
:00401007 8B4C2414   mov ecx, dword ptr [esp+14] ; param2
:0040100B 8B542418   mov edx, dword ptr [esp+18] ; param3
:0040100F 89442400   mov dword ptr [esp], eax    ; var1 = param1
:00401013 8D442410   lea eax, dword ptr [esp+10] ; &param1
:00401017 894C2404   mov dword ptr [esp+04], ecx ; var2 = param2
          (some code omitted)
:00401075 83C43C     add esp, 0000003C           ; restore the stack: locals plus the pushed printf arguments
:00401078 C20C00     ret 000C                    ; return and discard the 12 bytes of parameters
                                                 ; for "__cdecl" this would be a plain "ret" (C3) and the caller would restore the stack
;------------------- end of func -------------------------

;-------------- main's call to func --------------
:00401080 6A03       push 00000003               ; push param3
:00401082 6A02       push 00000002               ; push param2
:00401084 6A01       push 00000001               ; push param1
:00401086 E875FFFFFF call 00401000               ; call func
                                                 ; for "__cdecl" the caller would restore the stack here with "add esp, 0000000C"
A reader who has followed this far can already see how a buffer overflow works. Look at the following code:
#include <stdio.h>
#include <string.h>
void __stdcall func()
{
    char lpBuff[8]="\0";
    strcat(lpBuff,"AAAAAAAAAAA");   // 11 'A's plus the terminating NUL: 12 bytes into an 8-byte buffer
    return;
}
int main()
{
    func();
    return 0;
}
What happens when you compile and run it? Ha: "The instruction at 0x00414141 referenced memory at 0x00000000. The memory could not be read", an "illegal operation"! 0x41 is the hexadecimal ASCII code of "A", so the culprit is obviously the strcat line. "lpBuff" is only 8 bytes; counting the terminating \0, strcat can write at most 7 "A"s into it, but the program writes 11 "A"s plus a \0. Look at the figure above again: in this frame nothing lies between lpBuff and RET, so the 4 surplus bytes ("AAA" followed by the \0, i.e. 41 41 41 00, which is 0x00414141 read little-endian) land exactly on RET; the function returns to a bogus address and the CPU tries to execute whatever is there. If the string is constructed carefully in three parts, first meaningless filler that reaches the overflow, then a value that overwrites RET, then a piece of shellcode, and the RET value points at the first instruction of the shellcode, the shellcode runs when the function returns. However, different versions of the software and different runtime environments can shift the shellcode's position in memory, so choosing the exact RET value is hard. The usual remedy is to pad a large run of NOP instructions between RET and the shellcode so that the exploit tolerates some inaccuracy (a "NOP sled"). (This is the classic layout; on current Windows builds stack cookies (/GS), DEP and ASLR are specifically designed to stop it, and a working exploit has to get around them.)
├───────────────┤<── low addresses
│               │
├───────────────┤<── start of the data supplied by the exploit
│               │
│   buffer      │<── filler, contents irrelevant
│               │
├───────────────┤
│   RET         │<── points into the shellcode, or anywhere in the NOP run
├───────────────┤
│   NOP         │
│   ...         │<── padding NOPs: the range RET may point into
│   NOP         │
├───────────────┤
│               │
│   shellcode   │
│               │
├───────────────┤<── end of the data supplied by the exploit
│               │
├───────────────┤<── high addresses
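To make the two preceding pieces of analysis concrete, the frame layout derived from the __stdcall listing and the RET overwrite just described, here is an added example; it is not code from the original article. It models the distance from an overflowed buffer to RET for both the release frame (no saved EBP) and the debug frame (saved EBP present), works out which payload bytes land on RET and what EIP becomes, and shows a bounded replacement for the strcat call. The names frame_t, ret_after_overflow and bounded_append are chosen here; the frame shape (8-byte buffer at ESP, RET directly above it in the release build) is the one the article measured.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Model of the frame the article describes: the locals sit at ESP, the
 * return address sits just above them, and an optional saved EBP (present
 * in a debug build, absent in the release build that was disassembled)
 * lies between the locals and RET. Offsets are measured from buffer[0]. */
typedef struct {
    size_t locals_size;   /* bytes reserved by "sub esp, N" */
    size_t buf_offset;    /* offset of the buffer inside the locals block */
    int    saved_ebp;     /* 1 if "push ebp" was emitted, else 0 */
} frame_t;

/* Distance from buffer[0] to the saved return address. */
static size_t ret_offset(const frame_t *f)
{
    return (f->locals_size - f->buf_offset) + (f->saved_ebp ? 4 : 0);
}

/* Given the bytes a strcat/strcpy writes starting at buffer[0] (payload,
 * len bytes, including the NUL the libc call appends), return the 32-bit
 * value that ends up in the RET slot. *hit is 0 if the payload is too short
 * to reach RET, in which case 0 is returned. Little-endian, as on x86. */
static uint32_t ret_after_overflow(const frame_t *f, const unsigned char *payload,
                                   size_t len, int *hit)
{
    size_t off = ret_offset(f);
    if (len < off + 4) {
        *hit = 0;
        return 0;
    }
    *hit = 1;
    return (uint32_t)payload[off]
         | (uint32_t)payload[off + 1] << 8
         | (uint32_t)payload[off + 2] << 16
         | (uint32_t)payload[off + 3] << 24;
}

/* Hardened replacement for the article's strcat: append only what fits,
 * always NUL-terminate, and report truncation so the caller can fail closed.
 * Returns 1 if all of src was appended, 0 if it was truncated or refused. */
static int bounded_append(char *dst, size_t dstsz, const char *src)
{
    size_t used = 0;
    while (used < dstsz && dst[used] != '\0')
        used++;
    if (used == dstsz)              /* dst is not terminated: refuse to touch it */
        return 0;
    size_t room = dstsz - used - 1; /* keep one byte for the terminator */
    size_t n = strlen(src);
    int fits = n <= room;
    if (!fits)
        n = room;
    memcpy(dst + used, src, n);
    dst[used + n] = '\0';
    return fits;
}

int main(void)
{
    /* The article's func(): 8-byte buffer at ESP, no saved EBP (release build). */
    frame_t release = { 8, 0, 0 };
    frame_t debug   = { 8, 0, 1 };
    /* strcat(lpBuff, "AAAAAAAAAAA") writes 11 'A's plus the NUL: 12 bytes. */
    const unsigned char payload[] = "AAAAAAAAAAA";
    int hit;

    uint32_t eip = ret_after_overflow(&release, payload, sizeof payload, &hit);
    printf("release frame: RET at buffer+%zu, becomes 0x%08x (hit=%d)\n",
           ret_offset(&release), eip, hit);
    ret_after_overflow(&debug, payload, sizeof payload, &hit);
    printf("debug frame:   RET at buffer+%zu, hit=%d (payload too short)\n",
           ret_offset(&debug), hit);

    char buf[8] = "";
    int ok = bounded_append(buf, sizeof buf, "AAAAAAAAAAA");
    printf("bounded_append: \"%s\" (complete=%d)\n", buf, ok);
    return 0;
}
```

With the article's payload the release frame yields exactly the 0x00414141 seen in the crash dialog, while the same 12 bytes do not reach RET in a debug frame, which is why the same "works on my machine" overflow can behave differently in another build.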
windowsϵĶ¯Ì¬Êý¾Ý³ýÁË¿É´æ·ÅÔÚÕ»ÖУ¬»¹¿ÉÒÔ´æ·ÅÔÚ¶ÑÖС£Á˽âC++µÄÅóÓѶ¼ÖªµÀ£¬C++¿ÉÒÔʹÓÃnew¹Ø¼ü×ÖÀ´¶¯Ì¬·ÖÅäÄÚ´æ¡£À´¿´ÏÂÃæµÄC++´úÂ룺
#include <stdio.h>
#include <windows.h>
void func()
{
    char *buffer=new char[128];
    char bufflocal[128];
    static char buffstatic[128];
    printf("0x%08x\n",buffer);       // address of the heap block
    printf("0x%08x\n",bufflocal);    // address of the local (stack) variable
    printf("0x%08x\n",buffstatic);   // address of the static variable
    delete[] buffer;                 // release the heap block
}
void main()
{
    func();
    return;
}
³ÌÐòÖ´Ðнá¹ûΪ£º
0x004107d0 0x0012ff04 0x004068c0
The memory obtained with new is neither on the stack nor in the static data area. The VC compiler implements new's dynamic allocation on top of the Windows "heap". Before discussing the heap, here are the API functions that deal with it:

HeapAlloc        allocate a block from a heap
HeapCreate       create a new heap object
HeapDestroy      destroy a heap object
HeapFree         free an allocated block
HeapWalk         enumerate all the blocks of a heap object
GetProcessHeap   get the process's default heap object
GetProcessHeaps  get all the heap objects of the process
LocalAlloc, GlobalAlloc   older allocation functions that, in Win32, are implemented on top of the process heap
When a process is initialised, the system automatically creates a default heap for it; by default this heap reserves 1 MB of address space (the size can be changed with the linker's /HEAP option). Heap objects are managed by the system and exist in memory as a linked structure. The following code allocates memory dynamically from the heap:

    HANDLE hHeap=GetProcessHeap();
    char *buff=HeapAlloc(hHeap,0,8);

Here hHeap is the handle of the heap object and buff is the address of the allocated block. What exactly is hHeap, and does its value mean anything? Look at this code:
#pragma comment(linker,"/entry:main")   // set the program's entry point, bypassing the CRT start-up code
#include <windows.h>
_CRTIMP int (__cdecl *printf)(const char *, ...);   // a pointer to the C runtime function printf, resolved at run time below
/*---------------------------------------------------------------------------
A quick review of the earlier material while we are here:
(*note) printf is a function of the C standard library; VC's standard library is implemented by the msvcrt.dll module.
As the declaration shows, printf takes a variable number of arguments. The function cannot know in advance how many arguments the caller pushed; it can only discover them by parsing the format string passed as its first argument. Because the argument count is dynamic, the caller must be the one to balance the stack, which is why the __cdecl convention is used. By the way, Windows API functions are essentially all __stdcall; the well-known exception is wsprintf, which uses __cdecl just like printf, and for the same reason: its argument count is variable.
---------------------------------------------------------------------------*/
void main()
{
    HANDLE hHeap=GetProcessHeap();
    char *buff=HeapAlloc(hHeap,0,0x10);
    char *buff2=HeapAlloc(hHeap,0,0x10);
    HMODULE hMsvcrt=LoadLibrary("msvcrt.dll");
    printf=(int (__cdecl *)(const char *, ...))GetProcAddress(hMsvcrt,"printf");
    printf("0x%08x\n",hHeap);
    printf("0x%08x\n",buff);
    printf("0x%08x\n\n",buff2);
}
Output:

0x00130000
0x00133100
0x00133118
Why is the value of hHeap so close to that of buff? Because the handle is simply the address of the HEAP structure's header, and the blocks are carved out of the same region a little further up. In the user-mode part of the process there is a structure called the PEB (Process Environment Block) that holds important information about the process. In a 32-bit process the ProcessHeap field at offset 0x18 of the PEB is the address of the default heap, and offset 0x90 holds a pointer to the list of all the process's heaps (in a 64-bit process the corresponding offsets are 0x30 and 0xF0). Many Windows APIs use the default heap for their dynamic data; on Windows 2000, for example, every ANSI version of an API allocates from the default heap to convert its ANSI strings to Unicode. Access to a heap is serialised: only one thread at a time may operate on a heap's data, and when several threads contend they queue on the heap's lock, which lowers throughput. (Serialisation can be switched off with HEAP_NO_SERIALIZE for a heap that only one thread ever touches.)
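Added example, not code from the article or from Windows itself: a small model heap in which every block carries an inline header in the same arena as the user data, the way the Windows heap does, so that the "handle equals the base, blocks sit at small offsets" observation and a HeapWalk-style enumeration can be seen in a few dozen lines. The header layout (size plus a check value) is a simplification chosen here, not the real HEAP_ENTRY. The second half shows why inline headers matter for security: overflowing one block corrupts the header of the next block, which is the starting point of the heap overflows described in the isno article listed in the references.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified model of an inline-header heap (not the real Windows layout):
 * every block starts with a header recording its size and a check value,
 * and the user data follows the header, so the pointer handed out lies just
 * past the allocator's bookkeeping. The walker follows the headers from the
 * arena base, as HeapWalk does for a real heap. */
#define ARENA_SIZE 256
#define ALIGN 8
#define MAGIC 0x5A5A5A5Au

typedef struct {
    uint32_t size;    /* user bytes, rounded up to ALIGN */
    uint32_t check;   /* size ^ MAGIC: a cheap header integrity tag */
} hdr_t;

typedef struct {
    unsigned char arena[ARENA_SIZE];
    size_t brk;       /* next free offset in the arena */
} heap_t;

static void heap_init(heap_t *h) { memset(h, 0, sizeof *h); }

/* Bump allocation: header, then user data. Returns a pointer to the user
 * data, or NULL when the arena is exhausted. */
static void *heap_alloc(heap_t *h, size_t n)
{
    size_t rounded = (n + ALIGN - 1) & ~(size_t)(ALIGN - 1);
    if (h->brk + sizeof(hdr_t) + rounded > ARENA_SIZE)
        return NULL;
    hdr_t *hd = (hdr_t *)(h->arena + h->brk);
    hd->size = (uint32_t)rounded;
    hd->check = hd->size ^ MAGIC;
    h->brk += sizeof(hdr_t) + rounded;
    return (unsigned char *)hd + sizeof(hdr_t);
}

/* Walk every block from the base. Returns the number of blocks with a valid
 * header; stops at the first corrupted header and stores its index in *bad
 * (-1 if the whole chain is intact). */
static int heap_walk(const heap_t *h, int *bad)
{
    size_t off = 0;
    int idx = 0;
    *bad = -1;
    while (off < h->brk) {
        const hdr_t *hd = (const hdr_t *)(h->arena + off);
        if ((hd->size ^ MAGIC) != hd->check ||
            off + sizeof(hdr_t) + hd->size > h->brk) {
            *bad = idx;
            return idx;
        }
        off += sizeof(hdr_t) + hd->size;
        idx++;
    }
    return idx;
}

/* Offset of a user pointer from the arena base: the analogue of buff - hHeap. */
static ptrdiff_t heap_offset(const heap_t *h, const void *p)
{
    return (const unsigned char *)p - h->arena;
}

int main(void)
{
    heap_t h;
    int bad;
    heap_init(&h);
    char *a = heap_alloc(&h, 16);
    char *b = heap_alloc(&h, 16);
    printf("a at base+%td, b at base+%td, valid blocks=%d\n",
           heap_offset(&h, a), heap_offset(&h, b), heap_walk(&h, &bad));

    /* Overflow a by 8 bytes: the extra bytes land on b's header. */
    memset(a, 'A', 24);
    int n = heap_walk(&h, &bad);
    printf("after overflow: %d valid block(s), corrupted header at index %d\n", n, bad);
    return 0;
}
```

The first allocation lands at base+8 and the second at base+32, mirroring the small distances between hHeap, buff and buff2 in the article's output; after the 8-byte overflow the walker stops at block 1, because its size and check fields have been overwritten with 0x41414141. A real heap validates more than this, but the principle that an overflow of user data reaches the allocator's own metadata is the same.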
Finally, a word on data alignment in memory. So-called alignment means that the address at which a datum is stored must be a multiple of the datum's length: the start address of a DWORD is divisible by 4, that of a WORD by 2. An x86 CPU can access aligned data directly; when it accesses misaligned data it performs a series of internal adjustments that are transparent to the program but slow it down (other architectures may fault outright), so compilers try to keep data aligned. Here is the same piece of code compiled with three different compilers, VC, Dev-C++ and lcc:
#include <stdio.h>
int main()
{
    int a;
    char b;
    int c;
    printf("0x%08x\n",&a);
    printf("0x%08x\n",&b);
    printf("0x%08x\n",&c);
    return 0;
}
Compiled with VC:
0x0012ff7c
0x0012ff7b
0x0012ff80
Order of the variables in memory: b (1 byte) - a (4 bytes) - c (4 bytes).

Compiled with Dev-C++:
0x0022ff7c
0x0022ff7b
0x0022ff74
Order of the variables in memory: c (4 bytes) - a 3-byte gap - b (1 byte) - a (4 bytes).

Compiled with lcc:
0x0012ff6c
0x0012ff6b
0x0012ff64
Order of the variables in memory: the same as above.
All three compilers keep the data aligned, but the latter two are clearly less clever than VC: they leave a 3-byte hole next to the char, so it effectively occupies 4 bytes of wasted memory. Note also that the order of locals within the frame is entirely up to the compiler, which is one more reason the distance from a buffer to the return address must be measured on the actual binary rather than read off the source.
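Added example that generalises the point above from locals to struct members; it is not code from the article. The compiler may not reorder struct fields, so declaration order decides the padding; a read from a misaligned address should go through memcpy rather than a cast; and the padding bytes carry whatever was previously on the stack unless the object is zeroed before it is copied out to a file, socket or another process. struct loose, struct tight, load_le32 and the constructed sample bytes are names and data chosen here; the sizes assume a 4-byte, 4-aligned int as on x86 and x64.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Same three fields in two orders: the compiler keeps the declaration order,
 * so the order decides how much padding is inserted. */
struct loose { char b; int a; char d; };   /* 1 + 3 pad + 4 + 1 + 3 pad = 12 */
struct tight { int a; char b; char d; };   /* 4 + 1 + 1 + 2 pad         = 8  */

/* Bytes of padding in a struct, given its size and the sum of its members' sizes. */
static size_t padding_bytes(size_t struct_size, size_t member_total)
{
    return struct_size - member_total;
}

/* Does the address have the alignment the article requires for this size? */
static int is_aligned(const void *p, size_t size)
{
    return ((uintptr_t)p % size) == 0;
}

/* Read a 32-bit little-endian value from an arbitrary, possibly odd, address.
 * Casting to uint32_t* and dereferencing is undefined behaviour and faults on
 * strict-alignment CPUs; memcpy lets the compiler emit whatever the target
 * needs (a plain load on x86). Assumes a little-endian host, like the article's. */
static uint32_t load_le32(const unsigned char *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Constructed sample: the union forces 4-byte alignment of b[0], so b + 1 is
 * a guaranteed misaligned address. Bytes 1..4 spell the article's 0x00414141. */
static const union { uint32_t align; unsigned char b[8]; } sample =
    { .b = { 0x00, 0x41, 0x41, 0x41, 0x00, 0xAA, 0xBB, 0xCC } };

/* Zero the whole object before filling it so the padding is deterministic;
 * otherwise copying the struct out ships stale stack bytes with it. */
static void init_tight(struct tight *t, int a, char b, char d)
{
    memset(t, 0, sizeof *t);
    t->a = a;
    t->b = b;
    t->d = d;
}

/* Check that the trailing padding of a struct tight is all zero. */
static int padding_is_zero(const struct tight *t)
{
    const unsigned char *raw = (const unsigned char *)t;
    size_t i;
    for (i = offsetof(struct tight, d) + 1; i < sizeof *t; i++)
        if (raw[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    printf("loose: size %zu, padding %zu\n", sizeof(struct loose),
           padding_bytes(sizeof(struct loose), 1 + 4 + 1));
    printf("tight: size %zu, padding %zu\n", sizeof(struct tight),
           padding_bytes(sizeof(struct tight), 4 + 1 + 1));
    printf("load at b+1 (aligned=%d): 0x%08x\n",
           is_aligned(sample.b + 1, 4), load_le32(sample.b + 1));

    struct tight t;
    init_tight(&t, 1, 'b', 'd');
    printf("padding zeroed: %d\n", padding_is_zero(&t));
    return 0;
}
```

Reordering the members saves a third of the struct here, and the zeroing step is the one that matters for security: a struct written to the network straight after member-wise initialisation leaks its padding bytes, which on the stack are leftovers of earlier frames.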
Basics:
A stack is a simple data structure: a linear list that allows insertion and deletion at one end only. The end where insertion and deletion take place is called the top of the stack, the other end the bottom, and the insert and delete operations are called push and pop. A group of CPU instructions implements stack access on the process's memory: the POP instruction pops and the PUSH instruction pushes. The CPU's ESP register holds the current thread's stack pointer (the top of the stack) and the EBP register holds its frame base pointer (referred to above as the "bottom of the stack"). The EIP register holds the address of the next instruction; when the CPU finishes the current instruction it reads the address of the next one from EIP and continues from there.
References:
"Windows下的HEAP溢出及其利用" (Heap overflows on Windows and their exploitation), by isno
"Windows核心编程" (Programming Applications for Microsoft Windows), by Jeffrey Richter