从C程序加载原始code [英] Loading raw code from C program
问题描述
我在写一个程序,加载并执行文件code。
但我得到了一个问题:写系统调用不起作用。
code成功地加载和执行,但不显示在屏幕上的任何文字。
加载code程序:
的#include< stdio.h中>
#包括LT&; stdlib.h中>INT主(INT ARGC,CHAR *的argv [])
{
unsigned int类型f_size = 0;
无符号字符* code_buf = NULL;
无效(* func_call)(无效)= NULL; 如果(的argc 2)
{
的printf(用法:%S<文件> \\ N的argv [0]);
返回1;
} FILE *计划生育=的fopen(的argv [1],RB);
如果(!FP)
{
的printf(错误而打开此文件:%s \\ n,ARGV [1]);
返回1;
} unsigned int类型的fsize = 0;
fseek的(FP,0,SEEK_END);
FSIZE = FTELL(FP);
fseek的(FP,0,SEEK_SET);
如果(FSIZE 4;)
{
的printf(code尺寸必须是→4个字节的\\ n);
返回1;
} code_buf =(无符号字符*)malloc的(sizeof的(无符号字符)* FSIZE);
如果(FREAD(code_buf,FSIZE,1,FP)。1)
{
的printf(当读取文件错误:%s \\ n,ARGV [1]);
免费(code_buf);
返回1;
}
func_call =(无效(*)(无效))code_buf; 的printf([执行]二进制装载\\ n
\\ tFirst 2个字节:为0x%X为0x%X \\ n
\\ tLast 2个字节:为0x%X为0x%X \\ n
code_buf [0],code_buf [1]
code_buf [FSIZE-2],code_buf [FSIZE-1]);
的printf([执行]启动code ... \\ n);
(* func_call)();
的printf([执行] code执行\\ n!); 免费(code_buf); 返回0;
}
code,我试图通过这一计划来执行(test.s):
的.text
MOVL $ 4,%EAX
MOVL $ 1,EBX%
MOVL $海峡,ECX%
MOVL $ 5%EDX
INT 0x80的$
JMP结束
STR:
.string测试\\ n
结束:
RET
这是我如何编译:
GCC -c test.s
objcopy把-O二进制test.o TEST.bin,烧写
解决,感谢@Christoph
有工作code:
的.text
呼叫开始
STR:
.string测试\\ n
开始:
MOVL $ 4,%EAX
MOVL $ 1,EBX%
流行%ECX
MOVL $ 5%EDX
INT 0x80的$
RET
您的方法不能工作:壳code必须是位置独立的,但你的code指的是绝对地址 STR
。无条件跳转也可以是相对或绝对的:确保你得到的相对verison(运codeS EB和E9在x86)
请参阅The编写可移植的shell code 了解更多信息技术。
I'm writing a program that loads and executes code from file. But i got a problem: "write" syscall does not work. Code successfully loads and executes, but does not display any text on the screen.
Program that loads code:
#include < stdio.h >
#include < stdlib.h >
int main(int argc,char* argv[])
{
unsigned int f_size = 0;
unsigned char* code_buf = NULL;
void (*func_call)(void) = NULL;
if(argc < 2)
{
printf("Usage: %s <FILE>\n",argv[0]);
return 1;
}
FILE* fp = fopen(argv[1],"rb");
if(!fp)
{
printf("Error while opening this file: %s\n",argv[1]);
return 1;
}
unsigned int fsize = 0;
fseek(fp,0,SEEK_END);
fsize = ftell(fp);
fseek(fp,0,SEEK_SET);
if(fsize < 4)
{
printf("Code size must be > 4 bytes\n");
return 1;
}
code_buf = (unsigned char*) malloc(sizeof(unsigned char)*fsize);
if(fread(code_buf,fsize,1,fp)<1)
{
printf("Error while reading file: %s\n",argv[1]);
free(code_buf);
return 1;
}
func_call = (void (*)(void)) code_buf;
printf("[EXEC] Binary is loaded\n"
"\tFirst 2 bytes: 0x%x 0x%x\n"
"\tLast 2 bytes: 0x%x 0x%x\n",
code_buf[0],code_buf[1],
code_buf[fsize-2],code_buf[fsize-1]);
printf("[EXEC] Starting code...\n");
(*func_call)();
printf("[EXEC] Code executed!\n");
free(code_buf);
return 0;
}
code that i trying to execute by this program (test.s):
.text
movl $4, %eax
movl $1, %ebx
movl $str, %ecx
movl $5, %edx
int $0x80
jmp end
str:
.string "test\n"
end:
ret
Here is how i compile it:
gcc -c test.s
objcopy -O binary test.o test.bin
Solved, thanks to @Christoph
There are working code:
.text
call start
str:
.string "test\n"
start:
movl $4, %eax
movl $1, %ebx
pop %ecx
movl $5, %edx
int $0x80
ret
Your approach can't work: shellcode must be position-independant, but your code refers to the absolute address str
. The unconditional jump can also be either relative or absolute: make sure you get the relative verison (opcodes EB and E9 on x86).
See The Technique of Writing Portable Shell Code for more information.
这篇关于从C程序加载原始code的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!