32位dbg中编辑的:
7711E9D3 | 6A 33 | push 33 |
7711E9D5 | E8 00000000 | call ntdll.7711E9DA | call $0
7711E9DA | 830424 05 | add dword ptr ss:[esp],5 |
7711E9DE | CB | ret far |
6A 33 E8 00 00 00 00 83 04 24 05 CB
64位dbg中获取的:
00007FFC844B11DD | 48:B8 8877665544332211 | mov rax,1122334455667788 |
00007FFC844B11E7 | 50 | push rax |
00007FFC844B11E8 | 41:50 | push r8 |
00007FFC844B11EA | 41:51 | push r9 |
00007FFC844B11EC <ntdll.LdrpGetProcApphelp | 41:52 | push r10 |
00007FFC844B11EE | 41:53 | push r11 |
00007FFC844B11F0 | 41:54 | push r12 |
00007FFC844B11F2 | 41:55 | push r13 |
00007FFC844B11F4 | 41:56 | push r14 | r14:"minkernel\\ntdll\\ldrinit.c"
00007FFC844B11F6 | 41:57 | push r15 |
00007FFC844B11F8 | 50 | push rax |
00007FFC844B11F9 | E8 00000000 | call ntdll.7FFC844B11FE | call $0
00007FFC844B11FE | C74424 04 23000000 | mov dword ptr ss:[rsp+4],23 | 23:'#'
00007FFC844B1206 | 830424 0D | add dword ptr ss:[rsp],D |
00007FFC844B120A | CB | ret far |
00007FFC844B120B | 90 | nop |
48 B8 88 77 66 55 44 33 22 11 50 41 50 41 51 41 52 41 53 41 54 41 55 41 56 41 57 50 E8 00 00 00 00 C7 44 24 04 23 00 00 00 83 04 24 0D CB 90
合成（前两段字节序列直接拼接；32位dbg把 ret far 之后来自64位dbg的字节按32位指令解码，因此下面显示为 dec eax / inc ecx 等）:
7711E9D3 | 6A 33 | push 33 |
7711E9D5 | E8 00000000 | call ntdll.7711E9DA | call $0
7711E9DA | 830424 05 | add dword ptr ss:[esp],5 |
7711E9DE | CB | ret far |
7711E9DF | 48 | dec eax |
7711E9E0 | B8 88776655 | mov eax,55667788 |
7711E9E5 | 44 | inc esp |
7711E9E6 | 3322 | xor esp,dword ptr ds:[edx] |
7711E9E8 | 1150 41 | adc dword ptr ds:[eax+41],edx |
7711E9EB | 50 | push eax |
7711E9EC | 41 | inc ecx |
7711E9ED | 51 | push ecx |
7711E9EE | 41 | inc ecx |
7711E9EF | 52 | push edx |
7711E9F0 | 41 | inc ecx |
7711E9F1 | 53 | push ebx |
7711E9F2 | 41 | inc ecx |
7711E9F3 <ntdll._LdrpForkProcess@0> | 54 | push esp |
7711E9F4 | 41 | inc ecx |
7711E9F5 | 55 | push ebp |
7711E9F6 | 41 | inc ecx |
7711E9F7 | 56 | push esi |
7711E9F8 | 41 | inc ecx |
7711E9F9 | 57 | push edi | edi:"LdrpInitializeProcess"
7711E9FA | 50 | push eax |
7711E9FB | E8 00000000 | call ntdll.7711EA00 | call $0
7711EA00 | C74424 04 23000000 | mov dword ptr ss:[esp+4],23 | 23:'#'
7711EA08 | 830424 0D | add dword ptr ss:[esp],D |
7711EA0C | CB | ret far |
7711EA0D | 90 | nop |
6A 33 E8 00 00 00 00 83 04 24 05 CB 48 B8 88 77 66 55 44 33 22 11 50 41 50 41 51 41 52 41 53 41 54 41 55 41 56 41 57 50 E8 00 00 00 00 C7 44 24 04 23 00 00 00 83 04 24 0D CB 90
取回来的栈: win10_64
$ ==> 1122334455667788
0000000077063620 r15
$+10 0000000000A6E940 0000000000A6FDA0
$+20 0000000002C0A000 0000000000000246
$+30 0000000000000000 00000000770E1FCC
$+40 000000000000002B 1122334455667788
取回来的栈: win7_64（此处每个qword显示为两个dword，低dword在前，例如 55667788 11223344 对应上面的 1122334455667788）
$ ==> > 55667788 11223344
75062450 00000000 r15
$+10 > 0008EC80 00000000 0008FD20 00000000
$+20 > 7EFDB000 00000000 00000202 00000000
$+30 > 00000000 00000000 0018FD10 00000000
$+40 > 778B01C4 00000000 55667788 11223344