我有一个Perl程序,它连接一个套接字,接收套接字上的二进制文件,读取这个二进制文件,并与其他二进制文件进行比较,以便我知道是否有我在套接字上收到的二进制文件。看:
perlProgram.pl
# some code here ...
my $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => 666, Proto => 'tcp');
$sock->sockopt(SO_LINGER, pack("ii", 1, 0));
# some code here for another porposes...
# ...
read($sock, $buff, 0xfffff);
close($sock);
if (($v = index $buff, "xC7x44x24x08x03x00x00x00xC7x04x24x00x00x00x00x89x44x24x04") >= 0) {
$offset = $v;
printf "your offset is %08xn", $offset;
} else {
if (($v = index $buff, "x89x44x24x10xA1xBCxA5x0Fx08x89x44x24x04xe8") >= 0) {
$offset = $v;
printf "your offset is %08xn", $offset;
} else {
print "Could not find your binariesn";
exit;
}
}
# more code here ...
这个Perl程序可以正常运行,我确信我的二进制文件是在socket上运行的。所以,我用C写了同样的代码,有一个问题:在C中,我不能验证我的二进制文件是否在套接字上,但我确信二进制文件是在套接字上。看:
sameProgramInC.c:
// some code here ...
char binaries_1[]="xc7x44x24x08x03x00x00x00xc7x04x24x00x00x00x00x89x44x24x04";
char binaries_2[]="x89x44x24x10xa1xbcxa5x0fx08x89x44x24x04xe8";
int indexOf(const unsigned char *data_buffer, const unsigned int length, const unsigned char *needle, const unsigned int needlelen) {
unsigned int i, j, index=0;
for(i=0; i < length-needlelen; i++) {
if(data_buffer[i] == needle[0]){
index=i;
for(j=1; j < needlelen; j++){
if(data_buffer[i+j] != needle[j]){
index=0;
break;
}
}
if(index == i){
return index;
}
}
}
return index;
}
int main(int argc, char *argv[]) {
int sockfd, buflen;
struct hostent *host_info;
struct sockaddr_in target_addr;
unsigned char read_buffer[0xfffff];
if((host_info = gethostbyname(argv[1])) == NULL)
fatal("looking up hostname");
if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1)
fatal("in socket");
target_addr.sin_family = AF_INET;
target_addr.sin_port = htons(PORT);
target_addr.sin_addr = *((struct in_addr *)host_info->h_addr);
memset(&(target_addr.sin_zero), ' ', 8); // zero the rest of the struct
if (connect(sockfd, (struct sockaddr *)&target_addr, sizeof(struct sockaddr)) == -1)
fatal("connecting to target server");
// some code here for another porposes...
// ...
printf("nt Attempting to read memory of the server...");
bzero(read_buffer, sizeof(read_buffer));
read(sockfd, read_buffer, 0xfffff);
index = indexOf(read_buffer, sizeof(read_buffer), binaries_1, sizeof(binaries_1));
if(index != 0){
printf("nt [+] your offset is 0x%08x", index);
} else {
index = indexOf(read_buffer, sizeof(read_buffer), binaries_2, sizeof(binaries_2));
if(index != 0){
printf("nt [+] your offset is 0x%08x", index);
} else {
printf("nt [-] Fail! Could not find your offset!");
}
}
// more code here
所以,这个C代码不像我的Perl代码那样工作。在运行时没有任何错误,只是C代码不能像Perl代码那样验证我的二进制文件是否存在。然后,我尝试使用memmem
, memcmp
和strstr
,但也不工作。为什么它不起作用?怎么了?
当您指定sizeof(binaries_1)
作为搜索子字符串长度时,它包含末尾的零,将其更改为sizeof(binaries_1) - 1