看代码,是连续两次调用同一个函数 05859300,只是第一个压栈参数不同(先 0x5,后 0xB)
-----------------------------------------------------------
; Tail of the caller (its entry and the pushes of esi/edi are above this excerpt).
; Two calls to 05859300: ecx = [esi+0xA4] is the object base the callee indexes
; ([ecx+0xC8] array, [ecx+0xCC] count); two dword stack args are pushed
; right-to-left, and only the first arg differs (0x5, then 0xB). The callee ends
; with `retn 0x8`, so no esp adjustment follows either call. This function
; returns eax = 1 and itself pops 12 bytes of args (`retn 0xC`).
05854DE0 |> \8B8E A4000000 mov ecx,dword ptr ds:[esi+0xA4] ; ecx = object base passed register-wise to the callee
05854DE6 |. 6A 00 push 0x0 ; arg2 (read at 05859332 as a byte): value stored at entry+0x14
05854DE8 |. 6A 05 push 0x5 ; arg1 (read at 05859315): id matched against [entry] at 0585931D
05854DEA |. E8 11450000 call AVModule.05859300 ; callee cleans both args; clobbers eax, ecx, edx
05854DEF |. 8B8E A4000000 mov ecx,dword ptr ds:[esi+0xA4] ; reload: the callee used ecx as its array cursor
05854DF5 |. 6A 00 push 0x0 ; arg2 again 0x0
05854DF7 |. 6A 0B push 0xB ; arg1 = 0xB this time
05854DF9 |. E8 02450000 call AVModule.05859300
05854DFE |. 5F pop edi ; restore callee-saved regs (their pushes are outside this excerpt)
05854DFF |. B8 01000000 mov eax,0x1 ; return value 1; the callee's eax is discarded
05854E04 |. 5E pop esi
05854E05 |. C2 0C00 retn 0xC ; this function pops 3 dword args of its own
--------------------------------------------------------------------------------
call AVModule.05859300 里面的内容
-----------------------------------------------------
;-----------------------------------------------------------------------
; 05859300: scan an array of entry pointers for the one whose first dword
; equals arg1 and store arg2 (low byte) at entry+0x14 if it differs.
; Convention: object base in ecx, two dword stack args, callee cleans
; (retn 0x8).
; In:   ecx       = object; [ecx+0xC8] = array of pointers, [ecx+0xCC] = count
;       [esp+0x4] = arg1 (dword) id to match; seen as [esp+0x10] after 3 pushes
;       [esp+0x8] = arg2, only its low byte is used; seen as [esp+0x14]
; Out:  eax = 0 when count <= 0; eax = count when no match;
;       eax = matched entry pointer when a match was found
; Clob: eax, ecx, edx, flags. ebx/esi/edi are pushed and popped.
; Note: edx is loaded from [ecx+0xCC] by the very first instruction, so a
;       value placed in edx by the caller is never read.
;-----------------------------------------------------------------------
05859300 /$ 8B91 CC000000 mov edx,dword ptr ds:[ecx+0xCC] ; edx = entry count (loop bound); overwrites caller's edx
05859306 |. 53 push ebx ; save callee-saved ebx
05859307 |. 33C0 xor eax,eax ; eax = 0: loop index, and the return value on the count<=0 path
05859309 |. 56 push esi ; save callee-saved esi
0585930A |. 57 push edi ; save callee-saved edi
0585930B |. 85D2 test edx,edx ; ntdll.KiFastSystemCallRet ; (debugger annotation = edx's stale value at break time, not the loaded count)
0585930D |. 7E 2F jle short AVModule.0585933E ; count <= 0 (signed): nothing to scan, exit with eax = 0
0585930F |. 8BB1 C8000000 mov esi,dword ptr ds:[ecx+0xC8] ; esi = base of the pointer array
05859315 |. 8B7C24 10 mov edi,dword ptr ss:[esp+0x10] ; AVModule.05852C25 ; edi = arg1 (the id); esp+0x10 = 3 pushes + return address
05859319 |. 8BCE mov ecx,esi ; ecx = cursor into the array
0585931B |> 8B19 /mov ebx,dword ptr ds:[ecx] ; AVModule.0585DB04 ; ebx = array[i] (a pointer to an entry)
0585931D |. 393B |cmp dword ptr ds:[ebx],edi ; match on the entry's first dword
0585931F |. 74 0E |je short AVModule.0585932F ; found
05859321 |. 40 |inc eax ; i++
05859322 |. 83C1 04 |add ecx,0x4 ; cursor += sizeof(pointer)
05859325 |. 3BC2 |cmp eax,edx ; ntdll.KiFastSystemCallRet ; i < count ? (signed compare, jl)
05859327 |.^ 7C F2 \jl short AVModule.0585931B
05859329 |. 5F pop edi ; not found: eax == count here
0585932A |. 5E pop esi
0585932B |. 5B pop ebx
0585932C |. C2 0800 retn 0x8 ; callee pops both stack args
0585932F |> 8B0486 mov eax,dword ptr ds:[esi+eax*4] ; AVModule.??_7CAVOutput@@6B@ ; eax = array[i], the matched entry (annotation is the debugger's snapshot)
05859332 |. 8A4C24 14 mov cl,byte ptr ss:[esp+0x14] ; cl = low byte of arg2
05859336 |. 3848 14 cmp byte ptr ds:[eax+0x14],cl ; already equal?
05859339 |. 74 03 je short AVModule.0585933E ; yes: no store
0585933B |. 8848 14 mov byte ptr ds:[eax+0x14],cl ; entry+0x14 = arg2 (the only memory write in this function)
0585933E |> 5F pop edi ; common exit; eax = 0 or the entry pointer
0585933F |. 5E pop esi
05859340 |. 5B pop ebx
05859341 \. C2 0800 retn 0x8
-----------------------------------------------------------------------------------------
中断时寄存器的值:
---------------------------------------------------
EAX 00000000
ECX 0373CBB8
EDX 76F064F4 ntdll.KiFastSystemCallRet
EBX 00000008
ESP 00128EB4
EBP 00128F70
ESI 01E29750
EDI 01E29750
EIP 05854DEA AVModule.05854DEA
C 0 ES 0023 32位 0(FFFFFFFF)
P 1 CS 001B 32位 0(FFFFFFFF)
A 0 SS 0023 32位 0(FFFFFFFF)
Z 1 DS 0023 32位 0(FFFFFFFF)
S 0 FS 003B 32位 7FFDF000(14000)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000246 (NO,NB,E,BE,NS,PE,GE,LE)
ST0 empty 0.0
ST1 empty 0.0
ST2 empty 0.0
ST3 empty 269.99999396502968320
ST4 empty 59.999998658895482880
ST5 empty 0.0
ST6 empty 0.0
ST7 empty 1.0000000000000000000
3 2 1 0 E S P U O Z D I
FST 0120 Cond 0 0 0 1 Err 0 0 1 0 0 0 0 0 (LT)
FCW 027F Prec NEAR,53 掩码 1 1 1 1 1 1
-------------------------------------------------------------------------
我写的注入代码:
-----------------------
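; Injected snippet (Intel syntax, OllyDbg assembler). Replays the two calls
; made at 05854DE0-05854DF9. What the listing of 05859300 establishes:
;   - ecx is the object base; the callee reads [ecx+0xC8] (array) and
;     [ecx+0xCC] (count) from it.
;   - two dword stack args, pushed right-to-left; the callee does `retn 0x8`,
;     so no esp fix-up is needed after each call.
;   - edx is NOT an input: 05859300 overwrites it with [ecx+0xCC] as its first
;     instruction, so the former `mov edx,76F064F4` was dead code and is dropped.
;   - the callee clobbers eax, ecx, edx and preserves ebx/esi/edi, hence the
;     reload of ecx before the second call.
;   - its only memory effect is a conditional one-byte store at entry+0x14.
; 01E29750 is the ESI value captured in the register dump at the breakpoint;
; it is valid only while that object exists in that particular run.
mov esi,01E29750 ; snapshot of the caller's esi (see register dump)
mov ecx,dword ptr ds:[esi+0xA4] ; ecx = object base
push 0x0 ; arg2 = byte value to store at entry+0x14
push 0x5 ; arg1 = id matched against [entry]
call 05859300
mov ecx,dword ptr ds:[esi+0xA4] ; ecx was used as the array cursor; reload it
push 0x0 ; arg2 = 0x0 again
push 0xB ; arg1 = 0xB
call 05859300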
---------------------------------------
代码注入没反应。
请指教有哪个参数没传到,或哪里错误的地方,谢谢!