再发一个
- #include <stdio.h>
- int gi = 1; /* global whose address and value the loop at the end of f() prints; nothing in this listing assigns to it again */
- f()
- { /* In-process code patching demo. The statements between the two empty
-    * marker comments look up the memory mapping that holds printf, ask for
-    * it to be made readable, writable and executable, and copy the raw
-    * bytes of s[] over printf's entry point. The loop after the second
-    * marker then calls the overwritten printf 256 times.
-    * Declared without a return type (implicit int); no value is returned.
-    * NOTE(review): pointers are squeezed through unsigned/int throughout,
-    * so this is only meaningful where a pointer fits in 32 bits. */
- int i; /* reused: printf's address, then the mapping start, then a loop index */
- /**/ /* first marker: start of the patching section */
- int j; /* reused: mapping length from awk, then the address of the data word */
- char cmd[200]; /* shell command line; filled by an unbounded sprintf below */
- FILE* f; /* pipe to the awk helper; this local hides the function name f */
- char *p; /* byte pointer to printf's code */
- char s[]={ /* replacement bytes for printf, followed by one 4-byte data word */
- 0x55,0x89,0xe5,0x81,0xec,0x98,0x00,0x00,0x00,0xc7,0x45,0xfc,0x00,0x00,0x00,0x00,0xc7,0x45,0xf0,0x00,0x00,0x00,0x00,0xa1,0x90,0x98,0x04,0x08,0x83,0xe8,0x01,0xa3,0x90,0x98,0x04,0x08,0xa1,0x90,0x98,0x04,0x08,0x85,0xc0,0x75,0x08,0x83,0x45,0x0c,0x04,0x83,0x45,0x10,0x01,0xc7,0x45,0xf0,0x00,0x00,0x00,0x00,0xeb,0x15,0x8b,0x45,0xf0,0x8b,0x55,0x08,0x0f,0xb6,0x12,0x88,0x54,0x05,0x8c,0x83,0x45,0x08,0x01,0x83,0x45,0xf0,0x01,0x83,0x7d,0xf0,0x06,0x7e,0xe5,0x8b,0x45,0xf0,0xc6,0x44,0x05,0x8c,0x30,0x83,0x45,0xf0,0x01,0x8b,0x45,0xf0,0xc6,0x44,0x05,0x8c,0x78,0x83,0x45,0xf0,0x01,0xc7,0x45,0xf4,0x1c,0x00,0x00,0x00,0xeb,0x5a,0x8b,0x4d,0xf4,0xb8,0x0f,0x00,0x00,0x00,0xd3,0xe0,0x89,0xc2,0x8b,0x45,0x0c,0x21,0xd0,0x8b,0x4d,0xf4,0xd3,0xe8,0x89,0x45,0xf8,0x83,0x7d,0xf8,0x00,0x75,0x06,0x83,0x7d,0xfc,0x00,0x74,0x31,0xc7,0x45,0xfc,0x01,0x00,0x00,0x00,0x83,0x7d,0xf8,0x09,0x7f,0x13,0x8b,0x55,0xf0,0x8b,0x45,0xf8,0x83,0xc0,0x30,0x88,0x44,0x15,0x8c,0x83,0x45,0xf0,0x01,0xeb,0x11,0x8b,0x55,0xf0,0x8b,0x45,0xf8,0x83,0xc0,0x57,0x88,0x44,0x15,0x8c,0x83,0x45,0xf0,0x01,0x83,0x6d,0xf4,0x04,0x83,0x7d,0xf4,0x00,0x79,0xa0,0x83,0x45,0x08,0x02,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0xeb,0x19,0x8b,0x45,0xf0,0x8b,0x55,0x08,0x0f,0xb6,0x12,0x88,0x54,0x05,0x8c,0x83,0x45,0xf0,0x01,0x83,0x45,0x08,0x01,0x83,0x45,0xf4,0x01,0x83,0x7d,0xf4,0x08,0x7e,0xe1,0x83,0x7d,0x10,0x01,0x75,0x0e,0x8b,0x45,0xf0,0xc6,0x44,0x05,0x8c,0x31,0x83,0x45,0xf0,0x01,0xeb,0x0c,0x8b,0x45,0xf0,0xc6,0x44,0x05,0x8c,0x32,0x83,0x45,0xf0,0x01,0x8b,0x45,0xf0,0xc6,0x44,0x05,0x8c,0x0a,0x83,0x45,0xf0,0x01,0x8b,0x55,0xf0,0x8d,0x4d,0x8c,0xbb,0x01,0x00,0x00,0x00,0xb8,0x04,0x00,0x00,0x00,0xcd,0x80,0xc9,0xc3,
- 0x00,0x01,0x00,0x00 /* trailing data word: 0x00000100 (256) when read little-endian, the
-    * same number as the loop count below. NOTE(review): presumably a call
-    * counter for the replacement code; confirm by disassembling s[]. */
- };
- i=(unsigned)printf; /* printf's address, truncated to unsigned and stored in an int */
- sprintf(cmd,"awk '{x=$1;y=x;sub(/.*-/,\"\",x);sub(/-.*/,\"\",y);if(strtonum(\"0x\"x)>%#x&&strtonum(\"0x\"y<%#x)){print y,x-y;exit}}' /proc/%d/maps",i,i,getpid()); /* builds an awk
-    * one-liner over this process's own /proc/PID/maps that is meant to print
-    * the start and the size of the mapping around printf's address.
-    * NOTE(review): sprintf puts no bound on the write into cmd[200], and
-    * getpid() is called without unistd.h being included. */
- f=popen(cmd,"r"); /* runs the command through the shell; a NULL result is not checked */
- fscanf(f,"%x%x",&i,&j); /* reads the two numbers back as hex into i and j. %x expects
-    * unsigned* but receives int*, and the return value is ignored, so on a
-    * short read i still holds printf's address and j is uninitialized. */
- fclose(f); /* NOTE(review): a stream obtained from popen() has to be closed with pclose() */
- #include <sys/mman.h> /* header pulled in mid-function for mprotect and the PROT_ constants */
- //int mprotect(void *addr, size_t len, int prot);
- if(mprotect((void*)i,j,PROT_WRITE|PROT_READ|PROT_EXEC) < 0) /* requests write and execute
-    * on the same pages, i.e. it gives up W^X for the mapping that holds
-    * printf (normally the C library's code). Systems that enforce W^X may
-    * refuse the call, and a process making library code pages writable is
-    * unusual enough to be worth alerting on. */
- perror("mprotect"); /* failure is only reported; execution still continues to the copy loop */
- p=(char*)printf; /* destination of the copy: the first byte of printf */
- j = (unsigned)printf+sizeof(s)-4; /* where the trailing data word of s[] will sit once copied */
- *(unsigned*)(s+24)=*(unsigned*)(s+32)=*(unsigned*)(s+37)=j; /* overwrites the three placeholder
-    * address words (bytes 0x90,0x98,0x04,0x08 in the initializer) with j.
-    * The stores go through unsigned* casts of a char array, and s+37 is not
-    * 4-byte aligned, so they rely on the target tolerating unaligned
-    * access. */
- for(i=0;i<sizeof(s);i++) /* byte-by-byte copy of s[] over printf */
- p[i]=s[i]; /* faults if the mprotect above did not actually make the page writable */
- /**/ /* second marker: end of the patching section */
- for(i = 0; i < 256; i++) { /* 256 calls; printf's body now consists of the bytes copied from s[] */
- printf("addr = %p value = %d\n", &gi, gi); /* gi is not modified anywhere in this function */
- }
- }
- main() /* entry point: the whole demonstration lives in f() */
- {
- (void)f(); /* f() has no return statement, so there is no result to use */
- }