这次是没有增加文件大小的版本，就是不用 LordPE，自己手工改~~
文件大小不变，pediy.dll 只改输入表和输出表，没有任何新增代码~~~
benbenxiong.dll 中的导出函数，Release 编译之后的代码总字节数符合使公式变成负数的标准，源码如下：
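/*
 * Exported entry point: launches the locally registered Internet Explorer
 * on the pediy.com forum URL.
 *
 * The executable path is taken from the default value of
 * HKCR\Applications\iexplore.exe\shell\open\command. When that value has
 * the usual  "<path>" %1  shape, the quoted part is used as the application
 * name; otherwise the whole value is used as-is. REG_EXPAND_SZ values are
 * taken verbatim (no environment expansion), as in the original.
 *
 * Returns TRUE unconditionally (kept for compatibility with existing
 * callers); any failure along the way simply skips the launch. All
 * resources (registry key, heap buffers, process/thread handles) are
 * released on every path.
 */
EXPLOIT_API int BenBenXiong(void)
{
    HKEY hKey = NULL;
    LPBYTE lpbyData = NULL;
    LPSTR lpFullPath = NULL;
    char *pStart = NULL;
    char *pEnd = NULL;
    DWORD dwcbData = 0;
    DWORD dwType = REG_NONE;
    int nReturn = 0;
    HANDLE hHeap = NULL;
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;

    hHeap = HeapCreate(0, 0x10000, 0);
    if (!hHeap)
        goto Exit0;

    nReturn = RegOpenKeyA(HKEY_CLASSES_ROOT,
                          "Applications\\iexplore.exe\\shell\\open\\command",
                          &hKey);
    if (ERROR_SUCCESS != nReturn)
        goto Exit0;

    /* Sizing call: with a NULL data pointer only dwType/dwcbData are filled. */
    nReturn = RegQueryValueExA(hKey, NULL, NULL, &dwType, NULL, &dwcbData);
    if (ERROR_SUCCESS != nReturn)
        goto Exit0;

    /* Only a string-typed value can sensibly be used as an executable path. */
    if (REG_SZ != dwType && REG_EXPAND_SZ != dwType)
        goto Exit0;

    /* +1: string data stored in the registry is not guaranteed to be
     * NUL-terminated; the zeroed spare byte keeps strchr/lstrcpy in bounds. */
    lpbyData = (LPBYTE)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, dwcbData + 1);
    if (!lpbyData)
        goto Exit0;

    nReturn = RegQueryValueExA(hKey, NULL, NULL, NULL, lpbyData, &dwcbData);
    if (ERROR_SUCCESS != nReturn)
        goto Exit0;
    lpbyData[dwcbData] = '\0';   /* dwcbData <= allocated size - 1 on success */

    /* The path is a substring of the value, so the same size always fits. */
    lpFullPath = (LPSTR)HeapAlloc(hHeap, HEAP_ZERO_MEMORY, dwcbData + 1);
    if (!lpFullPath)
        goto Exit0;

    pStart = strchr((char *)lpbyData, '\"');
    if (pStart)
    {
        pStart++;
        pEnd = strchr(pStart, '\"');
        if (!pEnd)
            goto Exit0;   /* unbalanced quote: refuse to guess the path */
        /* lstrcpynA copies at most iMaxLength-1 chars and NUL-terminates,
         * so +1 yields exactly the text between the quotes. */
        lstrcpynA(lpFullPath, pStart, (int)(pEnd - pStart + 1));
    }
    else
    {
        lstrcpyA(lpFullPath, (LPCSTR)lpbyData);
    }

    if ('\0' == lpFullPath[0])
        goto Exit0;   /* empty value: nothing to launch */

    RtlZeroMemory(&si, sizeof si);
    RtlZeroMemory(&pi, sizeof pi);
    si.cb = sizeof si;   /* CreateProcess requires cb to be initialised */

    /* dwCreationFlags is 0 (a DWORD), not NULL; handles are only valid on
     * success, so close them only then. */
    if (CreateProcessA(lpFullPath,
                       " http://bbs.pediy.com",
                       NULL, NULL, FALSE, 0,
                       NULL, NULL, &si, &pi))
    {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }

Exit0:
    if (hKey)
        RegCloseKey(hKey);   /* closed on every path, not only on success */
    if (hHeap)
    {
        HeapFree(hHeap, 0, lpFullPath);   /* HeapFree(NULL ptr) is tolerated */
        HeapFree(hHeap, 0, lpbyData);
        HeapDestroy(hHeap);
    }
    return TRUE;
}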
测试一下这样的答案能得多少分