; OllyDbg dump of the code at 00401000 (Intel syntax). Columns: VA, analysis
; marker, opcode bytes, instruction, disassembler comment. Both calls below go
; through the 6-byte import thunk slots at 00401Axx (the two jump tables further
; down), not to kernel32 directly, so what they reach depends on which version
; of that table is in memory.
00401000 . 6A 00 push 0
00401002 . E8 C50A0000 call 00401ACC ; jmp to kernel32.GetModuleHandleA
;   GetModuleHandleA(NULL). Slot 00401ACC is one the protector left intact: in
;   both tables it is still `jmp near dword ptr ds:[40201C]`.
00401007 . A3 0C354000 mov dword ptr ds:[40350C],eax   ; [40350C] = returned hModule
0040100C . E8 B50A0000 call 00401AC6///被加密了。
;   The trailing "///被加密了。" is the author's note: "this one was encrypted /
;   obfuscated". Slot 00401AC6 is one the protector rewrote: in the modified table
;   it is a `nop` followed by `jmp 00422B9B` at 00401AC7, whereas the original table
;   has `jmp near dword ptr ds:[40204C]` -> kernel32.GetCommandLineA at that address.
00401011 . A3 10354000 mov dword ptr ds:[403510],eax   ; [403510] = value returned through slot 00401AC6
00401016 . 6A 0A push 0A ; /Arg4 = 0000000A
00401018 . FF35 10354000 push dword ptr ds:[403510] ; |Arg3 = 00000000
0040101E . 6A 00 push 0 ; |Arg2 = 00000000
00401020 . FF35 0C354000 push dword ptr ds:[40350C] ; |Arg1 = 00000000
;   Four args pushed right to left ([40350C], 0, [403510], 0A); the call that
;   consumes them lies past the end of this dump. NOTE(review): the shape matches
;   WinMain(hInstance, hPrevInstance, lpCmdLine, nCmdShow) with the GetCommandLineA
;   result as lpCmdLine — confirm against the instruction that follows.
跳转表成了:
; Import thunk table as it appears in the protected binary (compare with the
; original table below). Every slot is 6 bytes and slot addresses are unchanged,
; so callers such as `call 00401AC6` above still land in the table. Every other
; slot has been rewritten from `FF25 <IAT slot>` (indirect jmp through the IAT)
; into a 5-byte `E9 rel32` jmp to a stub at 00422Bxx plus a one-byte `nop` pad.
; The stub addresses step by 9 (00422B89, 92, 9B, A4, AD), i.e. one stub per
; redirected import; what those stubs do is not shown in this dump. The slots
; that survived still read their IAT entries (402024, 402040, 40201C, 402048)
; and resolve to the same kernel32 exports as in the original table.
00401AAF .- E9 D5100200 jmp 00422B89 ; 00422B89   ; slot 00401AAE, originally jmp [402044] -> CloseHandle (pad byte at 00401AAE presumably above this dump)
00401AB4 $- FF25 24204000 jmp near dword ptr ds:[402024] ; kernel32.ContinueDebugEvent   ; intact
00401ABA $ 90 nop   ; pad; slot 00401ABA was originally jmp [402018] -> CreateProcessA
00401ABB .- E9 D2100200 jmp 00422B92 ; 00422B92
00401AC0 $- FF25 40204000 jmp near dword ptr ds:[402040] ; kernel32.ExitProcess   ; intact
00401AC6 $ 90 nop   ; pad; slot 00401AC6 was originally jmp [40204C] -> GetCommandLineA (this is the slot `call 00401AC6` above reaches)
00401AC7 .- E9 CF100200 jmp 00422B9B ; 00422B9B
00401ACC $- FF25 1C204000 jmp near dword ptr ds:[40201C] ; kernel32.GetModuleHandleA   ; intact
00401AD2 $ 90 nop   ; pad; slot 00401AD2 was originally jmp [402020] -> GetProcAddress
00401AD3 .- E9 CC100200 jmp 00422BA4 ; 00422BA4
00401AD8 $- FF25 48204000 jmp near dword ptr ds:[402048] ; kernel32.GetStartupInfoA   ; intact
00401ADE $ 90 nop   ; pad; slot 00401ADE was originally jmp [40203C] -> GetThreadContext
00401ADF .- E9 C9100200 jmp 00422BAD ; 00422BAD
正确的应该是:
; Original import thunk table: eleven consecutive 6-byte `FF25` entries, each an
; indirect jmp through its own IAT slot in 402018..40204C. This is the form the
; rewritten slots above have to be returned to; the slot -> IAT entry -> export
; mapping listed here is what identifies each redirected slot (e.g. 00401AAE ->
; [402044] -> CloseHandle). Slots 00401AB4, 00401AC0, 00401ACC and 00401AD8 are
; byte-identical between the two tables.
00401AAE $- FF25 44204000 jmp near dword ptr ds:[402044] ; kernel32.CloseHandle   ; redirected in the modified table
00401AB4 $- FF25 24204000 jmp near dword ptr ds:[402024] ; kernel32.ContinueDebugEvent
00401ABA $- FF25 18204000 jmp near dword ptr ds:[402018] ; kernel32.CreateProcessA   ; redirected
00401AC0 .- FF25 40204000 jmp near dword ptr ds:[402040] ; kernel32.ExitProcess
00401AC6 $- FF25 4C204000 jmp near dword ptr ds:[40204C] ; kernel32.GetCommandLineA   ; redirected; target of `call 00401AC6` at 0040100C
00401ACC $- FF25 1C204000 jmp near dword ptr ds:[40201C] ; kernel32.GetModuleHandleA
00401AD2 $- FF25 20204000 jmp near dword ptr ds:[402020] ; kernel32.GetProcAddress   ; redirected
00401AD8 $- FF25 48204000 jmp near dword ptr ds:[402048] ; kernel32.GetStartupInfoA
00401ADE $- FF25 3C204000 jmp near dword ptr ds:[40203C] ; kernel32.GetThreadContext   ; redirected
00401AE4 $- FF25 38204000 jmp near dword ptr ds:[402038] ; kernel32.ReadProcessMemory   ; past the end of the modified dump above
00401AEA $- FF25 34204000 jmp near dword ptr ds:[402034] ; kernel32.SetThreadContext   ; past the end of the modified dump above
这类IAT表如何恢复?程序见附件。