.
.
源码如下:
#include "stdafx.h"
#include <windows.h>
#include <iostream>
#pragma comment(lib,"bufferoverflowU.lib")
using namespace std;
typedef int (WINAPI *pMessageBoxDef)(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType);
char szOldMessageBox[5] = {0};
char szJmpMyMessageBox[5] = {(char)0xe9};
pMessageBoxDef pMessageBox = NULL;
int WINAPI MyMessageBox(HWND hWnd, LPCWSTR lpText, LPCWSTR lpCaption, UINT uType)
{
wcout<<L"hWnd:"<<(int)hWnd<<endl;
wcout<<L"lpText:"<<lpText<<endl;
wcout<<L"lpCaption:"<<lpCaption<<endl;
wcout<<L"uType:"<<uType<<endl<<endl;
WriteProcessMemory((void*)-1, pMessageBox, szOldMessageBox, 5, NULL);
MessageBoxW(hWnd, lpText, lpCaption, uType);
WriteProcessMemory((void*)-1, pMessageBox, szJmpMyMessageBox, 5, NULL);
return 0;
}
int main()
{
DWORD dwJmpAddr = 0;
HMODULE hModule = LoadLibrary("User32.Dll");
pMessageBox = (pMessageBoxDef)GetProcAddress(hModule, "MessageBoxW");
dwJmpAddr = (DWORD)MyMessageBox - (DWORD)pMessageBox - 5;
memcpy(szJmpMyMessageBox + 1, &dwJmpAddr, 4);
FreeLibrary(hModule);
ReadProcessMemory((void*)-1, pMessageBox, szOldMessageBox, 5, NULL);//读出原来的前5个字节
WriteProcessMemory((void*)-1, pMessageBox, szJmpMyMessageBox, 5, NULL);//写入我们处理后的5个字节
pMessageBox(GetForegroundWindow(), L"Inline Hook:MessageBox", L"HOOK API", MB_OK);
pMessageBox(GetForegroundWindow(), L"Hello World", L"Win32", MB_OK);
return 0;
}
看不懂的代码:
dwJmpAddr = (DWORD)MyMessageBox - (DWORD)pMessageBox - 5; //只有这句不明白
memcpy(szJmpMyMessageBox + 1, &dwJmpAddr, 4);
以下是我的理解,不知道对不对:
szJmpMyMessageBox 我理解是shellCode 作用就是跳转到我们的函数(
MyMessageBox )
但是它跳转的地址为什么不是我们的函数(
MyMessageBox)地址,而是
dwJmpAddr 呢?
MyMessageBox函数地址不是
&MyMessageBox 么,为什么是
dwJmpAddr;
[课程]Android-CTF解题方法汇总!
