我正在尝试在内存区域中执行shellcode。虽然到目前为止它有效,但我现在面临着另一个问题:在我调用shellcode程序后,main-c-program退出。除了使用线程之外,还有其他(简单的(方法吗?
我认为这与mov rax, 60和以下syscall有关,退出程序。右?
主 C 代码
#include <string.h>
#include <sys/mman.h>
const char shellcode[] = "xebx1exb8x01x00x00x00xbfx01x00x00x00x5exbax0dx00x00x00x0fx05xb8x3cx00x00x00xbfx00x00x00x00x0fx05xe8xddxffxffxffx48x65x6cx6cx6fx2cx20x57x6fx72x6cx64x21";
// Error checking omitted for expository purposes
int main(int argc, char **argv)
{
// Allocate some read-write memory
void *mem = mmap(0, sizeof(shellcode), PROT_READ|PROT_WRITE, MAP_SHARED|MAP_ANONYMOUS, -1, 0);
// Copy the shellcode into the new memory
memcpy(mem, shellcode, sizeof(shellcode));
// Make the memory read-execute
mprotect(mem, sizeof(shellcode), PROT_READ|PROT_WRITE|PROT_EXEC);
// Call the shellcode
void (*func)();
func = (void (*)())mem;
(void)(*func)();
// This text will never appear
printf("This text never appears");
// Now, if we managed to return here, it would be prudent to clean up the memory:
// (I think that this line of code is also never reached)
munmap(mem, sizeof(shellcode));
return 0;
}
外壳代码的基础(汇编程序(英特尔((
global _start
_start:
jmp message
code:
mov rax, 1
mov rdi, 1
pop rsi
mov rdx, 13
syscall
mov rax, 60
mov rdi, 0
syscall
message:
call code
db "Hello, World!"
IMO 最简单的方法是创建一个二进制文件,然后 exec(( 那个。 如果您需要输出,请设置管道。
我实际上是自己发现的。如果有人感兴趣,简单的解决方案是更改汇编代码,如下所示:
global _start
_start:
jmp message
code:
mov rax, 1
mov rdi, 1
pop rsi
mov rdx, 13
syscall
ret # Instead of "mov.., mov..., syscall"
message:
call code
db "Hello, World!"