Windows缓冲区溢出从零开始[0]
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0045)http://www.yourblog.org/Data/20044/35012.html -->
<HTML><HEAD><TITLE>Windows缓冲区溢出从零开始</TITLE>
<META http-equiv=Content-Type content="text/html; charset=gb2312"><LINK
href="articles/01.css" type=text/css
rel=stylesheet>
<META content="MSHTML 6.00.2900.2523" name=GENERATOR>
</HEAD>
<BODY leftMargin=10 topMargin=10 marginheight="0" marginwidth="0">
<TABLE cellSpacing=0 cellPadding=0 width=580 align=center border=0>
<TBODY>
<TR>
<TD
background="./articles/01view_line.gif"
height=1></TD>
<TD width=559 bgColor=#666666></TD>
<TD width=1 bgColor=#666666 rowSpan=5></TD></TR>
<TR>
<TD width=22
background="./articles/01view_b.gif"
height=5></TD>
<TD></TD></TR>
<TR>
<TD
background="./articles/01view_bg.gif"></TD>
<TD vAlign=top>
<TABLE cellSpacing=0 cellPadding=0 width=550 align=center
border=0>
<TBODY>
<TR>
<TD id=zoom>
<DIV align=left><STRONG><FONT
size=2>Windows缓冲区溢出从零开始[0]</FONT></STRONG> </DIV>
<DIV align=left>作者:coolend
<HR align=center width="98%" color=#666666 SIZE=1>
<DIV align=left>目的:了解缓冲区溢出的原理并简单实现
<DIV align=left>工具:nasm,ollydbg,vc++
<br>
<strong>1、</strong>c语言基础<br>
<strong>1.1</strong> c中数据的几个存储区。<br>
1.栈: 有编译器自动分配释放 <br>
2.堆: 一般由程序员分配释放,若程序员不释放,程序结束时可能由OS回收 <br>
3.全局区(静态区):全局变量和静态变量的存储是放在一块的,初始化的全局变量和静态变量在一块 <br>
区域,未初始化的全局变量和未初始化的静态变量在相邻的另一块区域。 <br>
一般而言: <br>
1. 函数内部的局部自动变量,使用进程或线程的栈空间。 <br>
2. 动态内存分配使用堆空间。不同的操作系统对堆有不同的管理方式。<br>
3. 初始化的全局变量,放在数据段,DATA段。未初始化的全局变量,放在未初始化数据段,一般为BSS段。</p>
vc++6.0中建一个Win32 console Application,输入如下内容。<br>
<TABLE cellSpacing=1 cellPadding=0 width="98%" align=center
bgColor=#cccccc border=0>
<TBODY>
<TR>
<TD
style="PADDING-RIGHT: 10px; PADDING-LEFT: 15px; PADDING-BOTTOM: 10px; PADDING-TOP: 10px"
bgColor=#eeffee><BR>
#include <stdio.h><br>
#defined BUFFERLEN 100<br>
int gGlobal = 0; <br>
int *gpPoint; <br>
main() <br>
{ <br>
int mVar1; <br>
char mVar2[] = "qazqazqaz"; <br>
char *pPoint1; <br>
char *pPoint2 = "qazqazqaz"; <br>
static int mConst = 0; <br>
pPoint1 = (char *)malloc(BUFFERLEN*sizeof(char)); <br>
pPoint2 = (char *)malloc(BUFFERLEN*sizeof(char)); <br>
printf("0x%08x\n",&gGlobal);<br>
printf("0x%08x\n",&gpPoint);<br>
printf("0x%08x\n",&mVar1);<br>
printf("0x%08x\n",&mVar2);<br>
printf("0x%08x\n",&pPoint1);<br>
printf("0x%08x\n",&pPoint2);<br>
printf("0x%08x\n",&mConst);<br>
printf("0x%08x\n",pPoint1);<br>
printf("0x%08x\n",pPoint1);<br>
} </TD>
</TR>
</TBODY>
</TABLE> <br>
输出: <TABLE cellSpacing=1 cellPadding=0 width="98%" align=center
bgColor=#cccccc border=0>
<TBODY>
<TR>
<TD
style="PADDING-RIGHT: 10px; PADDING-LEFT: 15px; PADDING-BOTTOM: 10px; PADDING-TOP: 10px"
bgColor=#eeffee>0x00406910<br>
0x00406acc<br>
0x0012ff7c<br>
0x0012ff70<br>
0x0012ff68<br>
0x0012ff6c<br>
0x00406914<br>
0x00410510<br>
0x00410510</TD>
</TR>
</TBODY>
</TABLE>
<br>
说明: <TABLE cellSpacing=1 cellPadding=0 width="98%" align=center
bgColor=#cccccc border=0>
<TBODY>
<TR>
<TD
style="PADDING-RIGHT: 10px; PADDING-LEFT: 15px; PADDING-BOTTOM: 10px; PADDING-TOP: 10px"
bgColor=#eeffee>堆: *pPoint1,*pPoint2<br>
栈: mVar1,mVar2,pPoint1,pPoint2<br>
DATA段: gGlobal,mConst <br>
BSS段: gpPoint</TD>
</TR>
</TBODY>
</TABLE> <br><strong> 1.2</strong>c语言中函数调用机制<br>
vc++6.0中建一个Win32 console Application,输入如下内容。<br>
<TABLE cellSpacing=1 cellPadding=0 width="98%" align=center
bgColor=#cccccc border=0>
<TBODY>
<TR>
<TD
style="PADDING-RIGHT: 10px; PADDING-LEFT: 15px; PADDING-BOTTOM: 10px; PADDING-TOP: 10px"
bgColor=#eeffee>//example.c<br>
int add(int number1,int number2)<br>
{<br>
int result = 0;<br>
result = number1 + number2;<br>
return result;<br>
}<br>
int main(int argc, char* argv[])<br>
{<br>
int a,b,res=0;<br>
a = 0x100;<br>
b = 0x200;<br>
res = add(a,b);<br>
return 0;<br>
}</TD>
</TR>
</TBODY>
</TABLE> <p> 在res = add(a,b);处设断点,F5,再Alt+8,看到如下的汇编代码。<br>
main函数的汇编代码:<br>
<TABLE cellSpacing=1 cellPadding=0 width="98%" align=center
bgColor=#cccccc border=0>
<TBODY>
<TR>
<TD
style="PADDING-RIGHT: 10px; PADDING-LEFT: 15px; PADDING-BOTTOM: 10px; PADDING-TOP: 10px"
bgColor=#eeffee>main:<br>
00401060 55 push ebp<br>
00401061 8B EC mov ebp,esp<br>
00401063 83 EC 4C sub esp,4Ch<br>
00401066 53 push ebx<br>
00401067 56 push esi<br>
00401068 57 push edi<br>
00401069 8D 7D B4 lea edi,[ebp-4Ch]<br>
0040106C B9 13 00 00 00 mov ecx,13h<br>
00401071 B8 CC CC CC CC mov eax,0CCCCCCCCh<br>
00401076 F3 AB rep stos dword ptr [edi]<br>
00401078 C7 45 F4 00 00 00 00 mov dword ptr [ebp-0Ch],0<br>
0040107F C7 45 FC 00 01 00 00 mov dword ptr [ebp-4],100h<br>
00401086 C7 45 F8 00 02 00 00 mov dword ptr [ebp-8],200h<br>
0040108D 8B 45 F8 mov eax,dword ptr [ebp-8]<br>
00401090 50 push eax<br>
00401091 8B 4D FC mov ecx,dword ptr [ebp-4]<br>
00401094 51 push ecx<br>
00401095 E8 6B FF FF FF call @ILT+0(add) (00401005)<br>
0040109A 83 C4 08 add esp,8<br>
0040109D 89 45 F4 mov dword ptr [ebp-0Ch],eax<br>
004010A0 33 C0 xor eax,eax<br>
004010A2 5F pop edi<br>
004010A3 5E pop esi<br>
004010A4 5B pop ebx<br>
004010A5 83 C4 4C add esp,4Ch<br>
004010A8 3B EC cmp ebp,esp<br>
004010AA E8 21 00 00 00 call __chkesp (004010d0)<br>
004010AF 8B E5 mov esp,ebp<br>
004010B1 5D pop ebp<br>
004010B2 C3 ret</TD>
</TR>
</TBODY>
</TABLE>
<p> add函数的汇编代码:<br>
<TABLE cellSpacing=1 cellPadding=0 width="98%" align=center
bgColor=#cccccc border=0>
<TBODY>
<TR>
<TD
style="PADDING-RIGHT: 10px; PADDING-LEFT: 15px; PADDING-BOTTOM: 10px; PADDING-TOP: 10px"
bgColor=#eeffee>add:<br>
00401020 55 push ebp<br>
00401021 8B EC mov ebp,esp<br>
00401023 83 EC 44 sub esp,44h<br>
00401026 53 push ebx<br>
00401027 56 push esi<br>
00401028 57 push edi<br>
00401029 8D 7D BC lea edi,[ebp-44h]<br>
0040102C B9 11 00 00 00 mov ecx,11h<br>
00401031 B8 CC CC CC CC mov eax,0CCCCCCCCh<br>
00401036 F3 AB rep stos dword ptr [edi]<br>
00401038 C7 45 FC 00 00 00 00 mov dword ptr [ebp-4],0<br>
0040103F 8B 45 08 mov eax,dword ptr [ebp+8]<br>
00401042 03 45 0C add eax,dword ptr [ebp+0Ch]<br>
00401045 89 45 FC mov dword ptr [ebp-4],eax<br>
00401048 8B 45 FC mov eax,dword ptr [ebp-4]<br>
0040104B 5F pop edi<br>
0040104C 5E pop esi<br>
0040104D 5B pop ebx<br>
0040104E 8B E5 mov esp,ebp<br>
00401050 5D pop ebp<br>
00401051 C3 ret</TD>
</TR>
</TBODY>
</TABLE>
<p> 以及<br>
<TABLE cellSpacing=1 cellPadding=0 width="98%" align=center
bgColor=#cccccc border=0>
<TBODY>
<TR>
<TD
style="PADDING-RIGHT: 10px; PADDING-LEFT: 15px; PADDING-BOTTOM: 10px; PADDING-TOP: 10px"
bgColor=#eeffee>@ILT+0(?add@@YAHHH@Z):<br>
00401005 E9 16 00 00 00 jmp add (00401020)<br>
@ILT+5(_main):<br>
0040100A E9 51 00 00 00 jmp main (00401060)</TD>
</TR>
</TBODY>
</TABLE>
<p> 刚才按F5,程序停在0040108D 8B 45 F8 mov eax,dword ptr [ebp-8],
<br> 再按F10到00401095 E8 6B FF FF FF call @ILT+0(add) (00401005),
<br> 接着按F11,看到[esp]里是不是显示9A 10 40 00 00,这说明call ******
<br> 相当于push call下面一条指令的地址,再jmp ******
<TABLE cellSpacing=1 cellPadding=0 width="98%" align=center
bgColor=#cccccc border=0>
<TBODY>
<TR>
<TD
style="PADDING-RIGHT: 10px; PADDING-LEFT: 15px; PADDING-BOTTOM: 10px; PADDING-TOP: 10px"
bgColor=#eeffee>堆: *pPoint1,*pPoint2<br>
栈: mVar1,mVar2,pPoint1,pPoint2<br>
DATA段: gGlobal,mConst <br>
BSS段: gpPoint</TD>
</TR>
</TBODY>
</TABLE> <p> </p>
<p> </p> <p> </p>
<p> </p>
<p><BR>
</p> </TD></TR>
<TR>
<TD style="PADDING-TOP: 16px" align = center><FONT color=#ff6600>...待续...</FONT></TD></TR></TBODY></TABLE></TD></TR>
<TR>
<TD width=22
background="./articles/01view_b.gif"
height=5></TD>
<TD></TD></TR>
<TR>
<TD
background="./articles/01view_line.gif"
height=1></TD>
<TD bgColor=#666666 height=1></TD></TR></TBODY></TABLE>
