[求助]在什么情况下会将Call的返回地址抹除?
发表于:
2009-7-31 10:49
写了一个Hook
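/*
 * startHook: load the hook DLL named by fileStr, resolve its exported
 * startClientHook function and call it for threadID.
 *
 * Windows-only (Win32 API). Writes the file-scope globals pinstance
 * (the module handle) and startClientHook (the resolved export), which
 * are declared elsewhere in this file.
 *
 * Parameters:
 *   threadID - thread id forwarded unchanged to startClientHook.
 *   fileStr  - ANSI path of the DLL to load; must not be NULL or empty.
 *
 * Returns nothing. On any failure the function returns without calling
 * into the DLL and leaves pinstance and startClientHook NULL, so a
 * caller can detect the failure by inspecting them.
 *
 * Security: fileStr is used verbatim. If it is a bare file name rather
 * than an absolute path, LoadLibrary applies the normal DLL search
 * order, which is subject to DLL search-order hijacking; callers should
 * pass an absolute path to the intended DLL.
 */
void startHook(DWORD threadID, char* fileStr) /* open (install) the hook */
{
    pinstance = NULL;
    startClientHook = NULL;

    if (fileStr == NULL || fileStr[0] == '\0') {
        return;
    }

    /* fileStr is a char*, so call the ANSI entry point explicitly. The
     * original (LPCTSTR) cast compiled to LoadLibraryA here, but under a
     * UNICODE build it would silently pass a narrow string as a wide one. */
    pinstance = LoadLibraryA(fileStr);
    if (pinstance == NULL) {
        return;
    }

    startClientHook = (startClientHook_PROC)GetProcAddress(pinstance, "startClientHook");
    if (startClientHook == NULL) {
        /* Export missing: never call through a NULL function pointer, and do
         * not keep an unusable module mapped into the process. */
        FreeLibrary(pinstance);
        pinstance = NULL;
        return;
    }

    startClientHook(threadID);
}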
反汇编如下
; OllyDbg listing (32-bit x86, Intel syntax) of startHook as built by MSVC.
; The three pushes below create an exception-registration record on the stack and link it
; into the fs:[0] SEH chain. The standard MSVC layout of that record is
;   [esp+0] = previous fs:[0],  [esp+4] = handler,  [esp+8] = EH state index ("trylevel").
; So once the prologue has run, the return address is at [esp+0C] (not [esp+8]),
; the first argument (threadID) at [esp+10] and the second argument at [esp+14].
100010A0 >/$ 64:A1 0000000>mov eax, dword ptr fs:[0]        ; eax = current head of the SEH chain
100010A6 |. 6A FF push -1                                   ; EH state index = -1: no object needs unwinding yet
100010A8 |. 68 58DB0010 push 1000DB58                       ; exception handler for this frame (presumably a thunk to the C++ frame handler)
100010AD |. 50 push eax                                     ; previous registration record
100010AE |. 64:8925 00000>mov dword ptr fs:[0], esp         ; install the new record as chain head
100010B5 |. 8B4424 14 mov eax, dword ptr ss:[esp+14]        ; eax = first dword of arg2 (used below as the DLL file name)
100010B9 |. C74424 08 000>mov dword ptr ss:[esp+8], 0       ; EH state = 0: an object is now live and must be destroyed on unwind
100010C1 |. 50 push eax ; /FileName
100010C2 |. FF15 C0E10010 call dword ptr ds:[<&KERNEL32.LoadLib>; \LoadLibraryA ; return value (eax) is never checked for NULL
100010C8 |. 68 A0200110 push 100120A0 ; /ProcNameOrOrdinal = "startClientHook"
100010CD |. 50 push eax ; |hModule
100010CE |. A3 04800110 mov dword ptr ds:[10018004], eax ; |   ; store hModule in a global (pinstance)
100010D3 |. FF15 44E10010 call dword ptr ds:[<&KERNEL32.GetProc>; \GetProcAddress ; stdcall: callee popped its args, esp unchanged
100010D9 |. 8B4C24 10 mov ecx, dword ptr ss:[esp+10]        ; ecx = arg1 (threadID)
100010DD |. A3 34500110 mov dword ptr ds:[10015034], eax    ; store export address in a global (startClientHook), still unchecked
100010E2 |. 51 push ecx                                     ; argument for startClientHook(threadID)
100010E3 |. FFD0 call eax                                   ; indirect call; faults if GetProcAddress returned NULL
100010E5 |. 83C4 04 add esp, 4 ; .....                      ; caller pops the argument -> startClientHook is cdecl
100010E8 |. 8D4C24 14 lea ecx, dword ptr ss:[esp+14]        ; ecx = &arg2 (thiscall 'this' for the call below)
100010EC |. C74424 08 FFF>mov dword ptr ss:[esp+8], -1 ; *  ; EH state back to -1 BEFORE destroying the object, so a later exception
                                                            ; will not destroy it twice. This is the EH state index, not a return address.
100010F4 |. E8 32760000 call 1000872B                       ; looks like the destructor of a by-value object parameter living in the
                                                            ; arg2 slot (MSVC destroys such parameters in the callee) - which suggests
                                                            ; the real parameter is a class type (e.g. a string object), not char* - TODO confirm
100010F9 |. 8B4C24 00 mov ecx, dword ptr ss:[esp]           ; ecx = previous registration record
100010FD |. 64:890D 00000>mov dword ptr fs:[0], ecx         ; unlink this frame from the SEH chain
10001104 |. 83C4 0C add esp, 0C                             ; pop the 3 dwords of the registration record
10001107 \. C3 retn                                         ; no immediate: caller pops the args -> startHook itself is cdecl
100010EC |. C74424 08 FFF>mov dword ptr ss:[esp+8], -1 ; *
这里不明白,[esp+8]的值原本是存放执行完后返回的地址,为什么这里却修改成了-1?
代码中也没有体现啊。在什么情况下会出现这种情况呢?