#include "stdafx.h"
#include "stdlib.h"
#include <windows.h>
#include <EXCPT.h>
#include <tchar.h>
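/*
 * Demo of structured exception handling (SEH) on x86 Windows.
 *
 * The first byte of user32!MessageBoxA is overwritten with INT3 (0xCC) in
 * our own process, the resulting STATUS_BREAKPOINT is caught by the
 * _except handler, the original byte is written back and MessageBoxA is
 * called again. Everything here is 32-bit/MSVC specific: inline _asm,
 * _try/_except and the TCHAR helpers.
 *
 * Returns 0; failures of the Win32 calls are reported on stdout and the
 * patch step is skipped so that nothing is ever restored from a bad state.
 */
int main(int argc, char* argv[])
{
    /* 11 opcode bytes plus the implicit NUL terminator (sizeof == 12).
     * They are only hex-dumped below, never executed. */
    BYTE shellcode[12] = "\x66\xB8\x01\x20\x66\xBA\x04\x10\x66\xEF\xC3";
    BYTE oldByte = 0;        /* original first byte of MessageBoxA */
    PBYTE pAddr = NULL;      /* entry of MessageBoxA, NULL until resolved */
    DWORD dwProtect = 0;     /* page protection before we made it writable */
    DWORD dwRestored = 0;    /* sink for the protection value on restore */
    BOOL patched = FALSE;    /* TRUE only after *pAddr really was overwritten */

    (void)argc;
    (void)argv;

    /* size_t index: sizeof is unsigned, avoids the signed/unsigned compare. */
    for (size_t i = 0; i < sizeof(shellcode); ++i) {
        printf("%04d,0x%02X\n", shellcode[i], shellcode[i]);
    }

    /* SEH handlers catch exceptions on the stack frame they are installed
     * in, which limits their scope compared with other mechanisms. */

    /* Register-to-self moves and a push/pop pair: no visible effect,
     * presumably kept as markers to find this spot in a debugger. */
    _asm mov ebx,ebx
    _asm push eax
    _asm pop eax
    _asm mov eax,eax

    _try {
        _asm mov EAX,EAX
        _asm mov eax,eax
        _asm mov eax,eax
        _asm mov eax,eax

        HMODULE hMod = LoadLibrary(_T("user32.dll"));
        if (hMod == NULL) {
            printf("LoadLibrary failed: %lu\n", GetLastError());
        } else {
            /* GetProcAddress takes an ANSI name (LPCSTR) in every build;
             * wrapping it in _T() breaks under UNICODE. */
            pAddr = (PBYTE)GetProcAddress(hMod, "MessageBoxA");
            if (pAddr == NULL) {
                printf("GetProcAddress failed: %lu\n", GetLastError());
            } else if (!VirtualProtect(pAddr, 1, PAGE_EXECUTE_READWRITE, &dwProtect)) {
                printf("VirtualProtect failed: %lu\n", GetLastError());
            } else {
                oldByte = *pAddr;
                printf("pAddr:%p\n", (void *)pAddr);
                printf("oldByte:%02d\n", oldByte);
                *pAddr = 0xCC;                 /* INT3 */
                patched = TRUE;
                FlushInstructionCache(GetCurrentProcess(), pAddr, 1);
                /* lpflOldProtect must not be NULL, otherwise the call fails
                 * and the page stays RWX. */
                if (!VirtualProtect(pAddr, 1, dwProtect, &dwRestored)) {
                    printf("VirtualProtect (restore) failed: %lu\n", GetLastError());
                }
                /* First byte is now INT3: this call raises STATUS_BREAKPOINT. */
                MessageBoxA(NULL, "Test", "Test", MB_OK);
            }
        }
    }
    /* Only the breakpoint we planted is handled here; anything else keeps
     * propagating instead of being masked by a catch-all filter. */
    _except (GetExceptionCode() == EXCEPTION_BREAKPOINT
             ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) {
        MessageBoxW(NULL, L"接管异常", L"异常处理", MB_OK);
        if (patched) {
            if (VirtualProtect(pAddr, 1, PAGE_EXECUTE_READWRITE, &dwProtect)) {
                *pAddr = oldByte;              /* undo the INT3 */
                FlushInstructionCache(GetCurrentProcess(), pAddr, 1);
                if (!VirtualProtect(pAddr, 1, dwProtect, &dwRestored)) {
                    printf("VirtualProtect (restore) failed: %lu\n", GetLastError());
                }
                patched = FALSE;
            } else {
                printf("VirtualProtect failed: %lu\n", GetLastError());
            }
            /* With the original byte back this call completes normally. */
            MessageBoxA(NULL, "Test", "Test", MB_OK);
        }
    }

    system("pause");
    return 0;
}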