是一个关于进程间通信的例子
这是post端
------------------------------------------------------------------------------------------------
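.386
.model flat,stdcall
option casemap:none
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
include windows.inc
include user32.inc
includelib user32.lib
include kernel32.inc
includelib kernel32.lib
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; Sender side of the inter-process messaging example (MASM32, flat/stdcall):
; locate the receiver by window class, show a prompt, then deliver szText to
; it with SendMessage(WM_SETTEXT).
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.data
hWnd        dd 0                ; HWND returned by FindWindow (0 = not found)
szBuffer    db 256 dup(?)       ; wsprintf output; the fixed format below expands to
                                ; far less than 256 bytes, so no bound check is needed here
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.const
szCaption   db 'SendMessage',0
; Fix: the original text read 'param:08x' without the '%', so wsprintf consumed
; no argument and the dialog showed the literal characters "08x". With '%08x'
; the one vararg (the address of szText, i.e. the lParam about to be sent) is
; printed as an 8-digit hex value, which is what the prompt is meant to show.
szStart     db 'Press OK to start SendMessage,param:%08x!',0
szReturn    db 'SendMessage returned',0
szDestClass db 'MyClass',0      ; class name of the receiver window
szText      db 'Text send to other windows',0
szNotFound  db 'Receive Message Window not found!',0
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
.code
start:
        ; eax = handle of the first top-level window whose class is 'MyClass',
        ; or NULL. Note that this matches any window with that class name,
        ; whichever process created it; nothing here verifies the peer.
        invoke  FindWindow,addr szDestClass,NULL
        .if eax
                mov     hWnd,eax
                ; Build the prompt; the single vararg feeds the '%08x' in szStart.
                invoke  wsprintf,addr szBuffer,addr szStart,addr szText
                invoke  MessageBox,NULL,offset szBuffer,offset szCaption,MB_OK
                ; WM_SETTEXT: wParam is unused (0), lParam points at the
                ; NUL-terminated string. SendMessage is synchronous: it returns
                ; only after the receiver's window procedure has handled it,
                ; which is why the "returned" box below is meaningful.
                invoke  SendMessage,hWnd,WM_SETTEXT,0,addr szText
                invoke  MessageBox,NULL,offset szReturn,offset szCaption,MB_OK
        .else
                invoke  MessageBox,NULL,offset szNotFound,offset szCaption,MB_OK
        .endif
        invoke  ExitProcess,NULL
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
end start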
反汇编后的代码是
--------------------------------------------
00401000 >/$ 6A 00 push 0 ; /Title = NULL
00401002 |. 68 66204000 push 00402066 ; |Class = "MyClass"
00401007 |. E8 7C000000 call <jmp.&user32.FindWindowA> ; \FindWindowA
0040100C |. 0BC0 or eax, eax
0040100E |. 74 58 je short 00401068
00401010 |. A3 00304000 mov dword ptr [403000], eax
00401015 |. 68 6E204000 push 0040206E ; ASCII "Text send to other windows"
0040101A |. 68 28204000 push 00402028 ; /Format = "Press OK to start SendMessage,param:08x!"
0040101F |. 68 04304000 push 00403004 ; |s = postnode.00403004
00401024 |. E8 59000000 call <jmp.&user32.wsprintfA> ; \wsprintfA
00401029 |. 83C4 0C add esp, 0C ; 堆栈使用完毕,释放堆栈
0040102C |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040102E |. 68 1C204000 push 0040201C ; |Title = "SendMessage"
00401033 |. 68 04304000 push 00403004 ; |Text = ""
00401038 |. 6A 00 push 0 ; |hOwner = NULL
0040103A |. E8 4F000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0040103F |. 68 6E204000 push 0040206E ; /lParam = 40206E
00401044 |. 6A 00 push 0 ; |wParam = 0
00401046 |. 6A 0C push 0C ; |Message = WM_SETTEXT
00401048 |. FF35 00304000 push dword ptr [403000] ; |hWnd = NULL
0040104E |. E8 41000000 call <jmp.&user32.SendMessageA> ; \SendMessageA
00401053 |. 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
00401055 |. 68 1C204000 push 0040201C ; |Title = "SendMessage"
0040105A |. 68 51204000 push 00402051 ; |Text = "SendMessage returned"
0040105F |. 6A 00 push 0 ; |hOwner = NULL
00401061 |. E8 28000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
00401066 |. EB 13 jmp short 0040107B
00401068 |> 6A 00 push 0 ; /Style = MB_OK|MB_APPLMODAL
0040106A |. 68 1C204000 push 0040201C ; |Title = "SendMessage"
0040106F |. 68 89204000 push 00402089 ; |Text = "Receive Message Window not found!"
00401074 |. 6A 00 push 0 ; |hOwner = NULL
00401076 |. E8 13000000 call <jmp.&user32.MessageBoxA> ; \MessageBoxA
0040107B |> 6A 00 push 0 ; /ExitCode = 0
0040107D \. E8 18000000 call <jmp.&kernel32.ExitProcess> ; \ExitProcess
00401082 $- FF25 14204000 jmp dword ptr [<&user32.wsprintfA>] ; user32.wsprintfA
00401088 $- FF25 10204000 jmp dword ptr [<&user32.FindWindowA>] ; user32.FindWindowA
0040108E $- FF25 0C204000 jmp dword ptr [<&user32.MessageBoxA>] ; user32.MessageBoxA
00401094 $- FF25 08204000 jmp dword ptr [<&user32.SendMessageA>] ; user32.SendMessageA
0040109A .- FF25 00204000 jmp dword ptr [<&kernel32.ExitProcess>] ; kernel32.ExitProcess
请问从401082到40109A的那些jmp有何用处?