Run a program under the VC debugger, for example one that prints a string, and open the disassembly view: each source line is shown together with the machine-code bytes it compiled to. Line 9 of the sample program, the printf call, comes out as follows. These bytes are what we are going to copy; note that the push operands and the call target are absolute addresses of this particular build (str at 00414420, the printf import at 004150a4):
9:        printf("address of str:0X%p\n",str); //0X00414420
00401368 8B F4              mov         esi,esp
0040136A 68 20 44 41 00     push        offset str (00414420)
0040136F 68 1C 30 41 00     push        offset string "str\xb5\xc4\xb5\xd8\xd6\xb7:0X%p\n" (0041301c)
00401374 FF 15 A4 50 41 00  call        dword ptr [__imp__printf (004150a4)]
0040137A 83 C4 08           add         esp,8
0040137D 3B F4              cmp         esi,esp
0040137F E8 78 FD FF FF     call        _chkesp (004010fc)
Now write the program. The addresses in it differ from the listing above (str is now at 00414410 and __imp__printf at 004150ac) because the finished program is laid out differently, so the bytes must be taken from the disassembly of the build you actually run, not from an earlier throwaway one. The commented-out lines inside shell_code are instructions from the listing that are not executed:
#include <stdio.h>

char str[] = "This is a shellcode example:\n";

int main( void )
{
    printf("address of str:0X%p\n",str);   //0X00414410

    /* the machine code of the printf call, copied byte for byte from the
       disassembly, with str used as the only argument (the format string) */
    char shell_code[]= {
        0X8B , 0XF4 ,                               // mov  esi,esp
        0X68 , 0X10 , 0X44 , 0X41 , 0X00 ,          // push offset str (00414410)
        //0X68 , 0X1c , 0X30 , 0X41 , 0X00 ,        // push offset string (second printf argument, not used here)
        0XFF , 0X15 , 0XAC , 0X50 , 0X41 , 0X00 ,   // call dword ptr [__imp__printf (004150ac)]
        // 0X83 , 0XC4 , 0X04 ,                     // add  esp,4 (clean up the one argument)
        // 0X3B , 0XF4 ,                            // cmp  esi,esp
        // 0XE8 , 0X05 , 0X01 , 0X00 , 0X00,        // call _chkesp: E8 is call rel32, its displacement is relative to
                                                    //   the call's own address, so the listing's bytes are not valid here
        // 0XEB , 0X70, 0X10, 0X40, 0X00 ,          // 0X00401070 is the address of HERE; EB is jmp rel8 (one-byte
                                                    //   displacement), so this is not a valid jump to that address
        0X6A , 0X01 ,                               // push 1
        0XFF , 0X15 , 0XBC , 0X50 , 0X41 , 0X00     // call dword ptr [__imp__exit (004150bc)]
    };

    /* treat the byte array as a function and call it: execution continues
       inside the stack buffer, which VC6 leaves executable */
    ((void(_stdcall*)())&shell_code[0])();

    //goto HERE;
HERE:
    getchar();
    //exit(1);
    //system("pause");
    return 0;
}
Output:

    address of str:0X00414410
    This is a shellcode example:
    Press any key to continue

The shellcode ran: it printed str and then left the process through exit(1), so the getchar() after the HERE label is never reached. The "Press any key to continue" line is printed by the VC IDE once the program has ended.
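The VC6 program above relies on two things that are no longer true on a current system: the stack array it jumps into is executable, and the bytes carry absolute addresses (str, __imp__printf, __imp__exit) that are only correct for that one build. The following is an added example, not code from the original post, showing the same trick (hand-assembled bytes called through a function pointer) done in a way that runs on Linux or macOS with NX enabled. It assumes an x86-64 (System V ABI) or AArch64 (AAPCS64) machine and GCC or Clang; the function names load_code, run_add, run_call_through and times_ten are chosen here, and the instruction encodings in ADD_CODE and CALL_CODE were assembled by hand for this example.

```c
/* Added example (not from the original post): executing hand-assembled bytes
 * through a function pointer on a system with NX / W^X enforced.
 * Assumptions: x86-64 System V ABI or AArch64 AAPCS64, GCC or Clang, POSIX mmap. */
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#include <sys/mman.h>

#if defined(__x86_64__)
/* int add(int a, int b):  lea eax,[rdi+rsi] ; ret */
static const unsigned char ADD_CODE[] = { 0x8D, 0x04, 0x37, 0xC3 };
/* int call_through(int (*fn)(int), int x):  mov rax,rdi ; mov edi,esi ; jmp rax */
static const unsigned char CALL_CODE[] = { 0x48, 0x89, 0xF8, 0x89, 0xF7, 0xFF, 0xE0 };
#elif defined(__aarch64__)
/* int add(int a, int b):  add w0,w0,w1 ; ret */
static const unsigned char ADD_CODE[] = { 0x00, 0x00, 0x01, 0x0B, 0xC0, 0x03, 0x5F, 0xD6 };
/* int call_through(int (*fn)(int), int x):  mov x2,x0 ; mov w0,w1 ; br x2 */
static const unsigned char CALL_CODE[] = { 0xE2, 0x03, 0x00, 0xAA, 0xE0, 0x03, 0x01, 0x2A,
                                           0x40, 0x00, 0x1F, 0xD6 };
#else
#error "this example carries encodings for x86-64 and AArch64 only"
#endif

typedef int (*add_fn)(int, int);
typedef int (*call_fn)(int (*)(int), int);

/* Copy the bytes into a mapping that is writable while it is filled and
 * executable only afterwards (W^X, never both at once). A char[] on the
 * stack, as in the VC6 program, faults on the first fetch once the stack
 * is non-executable. Returns NULL if the mapping cannot be set up. */
static void *load_code(const unsigned char *code, size_t len)
{
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return NULL;
    memcpy(mem, code, len);
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, len);
        return NULL;
    }
    /* AArch64 has a separate instruction cache; make it see the new bytes (no-op on x86) */
    __builtin___clear_cache((char *)mem, (char *)mem + len);
    return mem;
}

/* Run ADD_CODE as a function: stores a+b in *out and returns 0, or -1 on failure. */
int run_add(int a, int b, int *out)
{
    void *mem = load_code(ADD_CODE, sizeof ADD_CODE);
    if (mem == NULL)
        return -1;
    add_fn fn;
    memcpy(&fn, &mem, sizeof fn);   /* object pointer -> function pointer without a cast warning */
    *out = fn(a, b);
    munmap(mem, sizeof ADD_CODE);
    return 0;
}

/* Run CALL_CODE: the payload tail-calls whatever function pointer it is handed.
 * This is the position-independent replacement for the hard-coded
 * "call dword ptr [__imp__printf (004150ac)]" in the VC6 bytes, which is only
 * correct for the one build it was copied from. */
int run_call_through(int (*target)(int), int x, int *out)
{
    void *mem = load_code(CALL_CODE, sizeof CALL_CODE);
    if (mem == NULL)
        return -1;
    call_fn fn;
    memcpy(&fn, &mem, sizeof fn);
    *out = fn(target, x);
    munmap(mem, sizeof CALL_CODE);
    return 0;
}

static int times_ten(int x) { return x * 10; }

int main(void)
{
    int r = 0;
    if (run_add(2, 3, &r) == 0)
        printf("shellcode add(2, 3) = %d\n", r);
    if (run_call_through(times_ten, 7, &r) == 0)
        printf("shellcode call_through(times_ten, 7) = %d\n", r);
    return 0;
}
```

Two design points carry over to real payloads: the code is mapped RW, filled, then flipped to RX, so at no time is a page both writable and executable; and the payload contains no absolute addresses at all, it receives the function it calls as an argument, whereas shellcode that has to work on its own resolves the API addresses it needs at run time rather than embedding the import-table entries of one particular binary.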