#include <stdlib.h>
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#define PAGESIZE 4096
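int main(int argc, char *argv[])
{
    /*
     * Demonstration: write a 5-byte `jmp rel32` (opcode E9) into a heap
     * buffer, make the pages holding it executable with mprotect(), and
     * jump into it. The jmp's target is the local label L1 (GNU
     * label-as-value, `&&L1`).
     *
     * Returns EXIT_SUCCESS when control arrives at L1, EXIT_FAILURE when
     * allocation, mprotect() or the displacement range check fails.
     *
     * W^X note: this leaves heap pages readable, writable AND executable
     * until they are restored below; that combination is what NX / W^X
     * hardening exists to rule out, so treat this as a teaching experiment.
     */
    (void)argc;
    (void)argv;

    enum { JMP_LEN = 5, BUF_LEN = 30 };

    /* calloc(count, size): the original had the arguments swapped (harmless, but misleading). */
    unsigned char *buf = calloc(BUF_LEN, sizeof *buf);
    if (buf == NULL) {
        perror("calloc");
        return EXIT_FAILURE;
    }

    /*
     * mprotect() works on whole pages. The original protected exactly one
     * page, but a 30-byte heap buffer may straddle a page boundary, so cover
     * every page the buffer touches. PAGESIZE is assumed to equal the
     * system page size (4 KiB on x86).
     */
    unsigned long mask = ~((unsigned long)PAGESIZE - 1);
    unsigned long start = (unsigned long)buf & mask;
    unsigned long end = ((unsigned long)buf + BUF_LEN + PAGESIZE - 1) & mask;
    void *page = (void *)start;
    size_t len = (size_t)(end - start);

    /*
     * mprotect() returns -1 and sets errno on failure. The original stored
     * the return value in a local named `errno` and passed that -1 to
     * strerror(), which never yields the real reason.
     */
    if (mprotect(page, len, PROT_READ | PROT_WRITE | PROT_EXEC) == -1) {
        perror("mprotect");
        free(buf);
        return EXIT_FAILURE;
    }

    /*
     * jmp rel32 is relative to the address of the *next* instruction, i.e.
     * buf + 5, and the displacement is a signed 32-bit value: the target
     * must lie within +/-2 GiB of the buffer. On x86-64 that is not
     * guaranteed, so check instead of silently truncating as the original
     * did. (Unsigned subtraction then a long cast wraps on GCC; that is the
     * intended two's-complement reading.)
     */
    void *target = &&L1;
    long delta = (long)((unsigned long)target - (unsigned long)(buf + JMP_LEN));
    if (delta > 0x7fffffffL || delta < -0x7fffffffL - 1L) {
        fprintf(stderr, "target out of rel32 range (delta %ld)\n", delta);
        mprotect(page, len, PROT_READ | PROT_WRITE);
        free(buf);
        return EXIT_FAILURE;
    }
    unsigned int rel = (unsigned int)delta;   /* 32-bit two's-complement bit pattern */

    buf[0] = 0xE9;                                  /* JMP rel32 */
    buf[1] = (unsigned char)(rel & 0xFF);           /* displacement, little-endian */
    buf[2] = (unsigned char)((rel >> 8) & 0xFF);
    buf[3] = (unsigned char)((rel >> 16) & 0xFF);
    buf[4] = (unsigned char)((rel >> 24) & 0xFF);

    /*
     * `asm goto` tells the compiler this statement may transfer control to
     * L1. Without it the compiler only sees L1 after `return 0` and may
     * discard the code there (the original needed a dummy `goto L1;` to keep
     * it alive). The "memory" clobber orders the byte stores above before
     * the jump.
     */
    __asm__ goto ("jmp *%0\n\t" : : "r"(buf) : "memory" : L1);

    /* Only reached if the jump somehow fell through. */
    fputs("jmp did not transfer control\n", stderr);
    mprotect(page, len, PROT_READ | PROT_WRITE);
    free(buf);
    return EXIT_FAILURE;

L1:
    printf("hit L1,congratulation!\n");
    /* Drop execute permission again and release the buffer. */
    mprotect(page, len, PROT_READ | PROT_WRITE);
    free(buf);
    return EXIT_SUCCESS;
}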
#include <stdlib.h>
#include <stdio.h>
#include <sys/mman.h>
#define PAGESIZE 4096
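int main(int argc, char *argv[])
{
    /*
     * Same experiment as the first listing, malloc() flavour: emit a
     * `jmp rel32` into a heap buffer, make it executable, jump to it and
     * land on the local label L1.
     *
     * Fixes relative to the original: strerror() was called without
     * <string.h> and with mprotect()'s -1 instead of errno (perror() is used
     * now); the displacement was stored with an 8-byte `unsigned long`
     * store although rel32 is 4 bytes; malloc() was never checked; and the
     * compiler was not told that the asm may jump to L1.
     *
     * Returns 0 when L1 is reached, EXIT_FAILURE otherwise.
     */
    (void)argc;
    (void)argv;

    enum { JMP_LEN = 5, BUF_LEN = 30 };

    unsigned char *code = malloc(BUF_LEN);
    if (code == NULL) {
        perror("malloc");
        return EXIT_FAILURE;
    }

    /* Cover every page the buffer touches, not just the first one. PAGESIZE is assumed to be the system page size. */
    unsigned long lo = (unsigned long)code & ~(unsigned long)(PAGESIZE - 1);
    unsigned long hi = ((unsigned long)code + BUF_LEN + PAGESIZE - 1) & ~(unsigned long)(PAGESIZE - 1);
    void *page_addr = (void *)lo;
    size_t page_len = (size_t)(hi - lo);

    /* W^X: these pages stay RWX until restored below. */
    if (mprotect(page_addr, page_len, PROT_WRITE | PROT_READ | PROT_EXEC) == -1) {
        perror("mprotect");
        free(code);
        return EXIT_FAILURE;
    }

    /*
     * rel32 is measured from the end of the 5-byte instruction and must fit
     * a signed 32-bit value; reject targets further than +/-2 GiB away.
     */
    void *p1 = &&L1;
    long delta = (long)((unsigned long)p1 - (unsigned long)(code + JMP_LEN));
    if (delta > 0x7fffffffL || delta < -0x7fffffffL - 1L) {
        fprintf(stderr, "L1 is out of rel32 range (delta %ld)\n", delta);
        mprotect(page_addr, page_len, PROT_READ | PROT_WRITE);
        free(code);
        return EXIT_FAILURE;
    }
    unsigned long rel = (unsigned long)delta & 0xffffffffUL;

    code[0] = 0xE9;                                       /* JMP rel32 */
    for (int i = 0; i < 4; i++) {
        code[1 + i] = (unsigned char)((rel >> (8 * i)) & 0xffUL);   /* little-endian */
    }

    /* asm goto: L1 is a declared possible successor, so the compiler keeps it. */
    __asm__ goto ("jmp *%0\n\t" : : "r"(code) : "memory" : L1);

    /* Fall-through: the jump did not happen. */
    printf("Tricky code. Right?\n");
    mprotect(page_addr, page_len, PROT_READ | PROT_WRITE);
    free(code);
    return EXIT_FAILURE;

L1:
    printf("Hit L1. Congratulation!\n");
    mprotect(page_addr, page_len, PROT_READ | PROT_WRITE);
    free(code);
    return 0;
}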
另外,LZ说的那个goto L1;去掉的话,看了下对应汇编码,后面的代码就不见了,估计GCC认为return 0;后面的代码没用直接拿掉了吧,甚至于连printf都被直接换成了puts,字符串后的'\n'也被拿掉了。即使用-O0也没用。再次表示GCC水深啊,谨慎!
#include <stdio.h>
// Target of the hand-built jmp in main(): prints a marker line so it is
// visible that control really arrived here.
void test()
{
    fputs("------> I'm the test function!!! <-------\n", stdout);
}
int main(int argc, char *argv[])
{
// Demonstration (MSVC __asm, 32-bit x86 only): build a 5-byte `jmp rel32`
// in a heap buffer whose target is test(), then jump into the buffer.
// NOTE(review): the buffer is never made executable (no VirtualProtect /
// VirtualAlloc with an execute flag), so with DEP/NX enforced the `jmp buf`
// below faults; it can only have worked where NX was not enforced.
unsigned char *buf = new unsigned char[5];
buf[0] = '\xe9';   // opcode: JMP rel32
// rel32 is relative to the end of the 5-byte instruction (buf + 5); on
// 32-bit the unsigned wrap-around of the subtraction is the encoding itself.
*(unsigned int*)(buf+1) = (unsigned int)((unsigned long)test - (unsigned long)buf - 5);
__asm
{
lea eax, L1   // address of L1 ...
push eax      // ... pushed as a fake return address
jmp buf       // indirect jump through buf -> test(); presumably test's return pops L1 and lands there
}
return 0;   // unreachable when the jump succeeds; kept so the compiler sees a return
L1:
printf("hit L1,congratulation!\n");
return 0;   // buf is never deleted (leak); harmless at process exit
}
#include <stdlib.h>
#include <stdio.h>
#include <windows.h>
#include <string.h>
#define PAGESIZE 4096
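int main(int argc, char *argv[])
{
    /*
     * Windows flavour of the experiment (MSVC __asm, therefore 32-bit x86
     * only): build a `jmp rel32` in a heap buffer, make the pages holding
     * it executable with VirtualProtect(), jump into it and land on L1.
     *
     * Fixes relative to the original: VirtualProtect() returns a BOOL, and
     * the failure reason comes from GetLastError(), not errno. The original
     * stored the BOOL in a local named `errno`, printed strerror(0) and
     * `return errno` handed 0 (success) back to the shell on failure.
     * calloc() is now checked, pages straddled by the buffer are all
     * covered, and the old protection is restored before exit.
     *
     * Returns EXIT_SUCCESS when L1 is reached, EXIT_FAILURE otherwise.
     */
    (void)argc;
    (void)argv;

    enum { JMP_LEN = 5, BUF_LEN = 30 };

    void *p1 = NULL;
    DWORD OldProtect = 0;
    DWORD RestoreProtect = 0;

    unsigned char *buf = (unsigned char *)calloc(BUF_LEN, sizeof *buf);
    if (buf == NULL) {
        fputs("calloc failed\n", stderr);
        return EXIT_FAILURE;
    }

    /* Page-align the range and extend it over every page the buffer touches. PAGESIZE is assumed to match the system page size (4 KiB on x86). */
    unsigned long first = (unsigned long)buf & ~((unsigned long)PAGESIZE - 1);
    unsigned long last = ((unsigned long)buf + BUF_LEN + PAGESIZE - 1) & ~((unsigned long)PAGESIZE - 1);
    void *aligned_addr = (void *)first;
    size_t len = (size_t)(last - first);

    /* W^X: the range is RWX from here until it is restored below. */
    if (!VirtualProtect(aligned_addr, len, PAGE_EXECUTE_READWRITE, &OldProtect)) {
        fprintf(stderr, "VirtualProtect failed: error %lu\n", (unsigned long)GetLastError());
        free(buf);
        return EXIT_FAILURE;
    }

    /* Take the address of the local label L1 (no `&&label` in MSVC). */
    __asm
    {
        lea eax, L1
        mov p1, eax
    }

    /*
     * rel32 is measured from the end of the 5-byte instruction. On 32-bit
     * x86 the address space is 4 GiB, so the unsigned wrap-around of the
     * subtraction is exactly the two's-complement encoding.
     */
    unsigned int offset = (unsigned int)((unsigned long)p1 - (unsigned long)buf - JMP_LEN);
    buf[0] = 0xE9;                                     /* JMP rel32 */
    buf[1] = (unsigned char)(offset & 0xFF);           /* little-endian displacement */
    buf[2] = (unsigned char)((offset >> 8) & 0xFF);
    buf[3] = (unsigned char)((offset >> 16) & 0xFF);
    buf[4] = (unsigned char)((offset >> 24) & 0xFF);

    __asm
    {
        mov eax, buf
        jmp eax
    }

    /* Only reached if the jump did not transfer control. */
    fputs("jmp did not transfer control\n", stderr);
    VirtualProtect(aligned_addr, len, OldProtect, &RestoreProtect);
    free(buf);
    return EXIT_FAILURE;

L1:
    printf("hit L1,congratulation!\n");
    /* Put the pages back to their previous protection and release the buffer. */
    VirtualProtect(aligned_addr, len, OldProtect, &RestoreProtect);
    free(buf);
    return EXIT_SUCCESS;
}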