回复 12# li574000
- b8 xx xx xx xx, mov eax xx xx xx xx
- ff e0, jmp eax
懂了吧?
- #include <stddef.h>
- #include <stdio.h>
- #include <string.h>
- #include <windows.h>
/// Demo target whose first bytes get overwritten in main(); it only announces
/// that it ran so the redirect is visible on stdout.
/// @param i value echoed in the message
void victim(int i) {
    fprintf(stdout, "victim(%d);\n", i);
}
/// Replacement function that main() redirects `victim` to; like `victim`, it
/// only prints its argument so the caller can tell which one actually ran.
/// @param i value echoed in the message
void hack(int i) {
    fprintf(stdout, "hack(%d);\n", i);
}
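/// Demonstrates the redirect described in the post: the first 7 bytes of
/// `victim` are replaced with `mov eax, imm32` (b8 xx xx xx xx) followed by
/// `jmp eax` (ff e0), so a call to `victim` lands in `hack` instead.
///
/// The immediate is copied as exactly 4 bytes (memcpy(..., 4)), so this only
/// matches a 32-bit x86 build; on a 64-bit build the address of `hack` would be
/// truncated and the patched jump would land on garbage.
///
/// @return 0 on success, 1 if the code page could not be made writable.
int main()
{
    void (*victim_)(int) = victim;
    void (*hack_)(int) = hack;
    unsigned char* victim_p = reinterpret_cast<unsigned char*>(victim);

    printf("enter victim\n");
    victim_(1212);
    printf("leave victim\n\n");

    printf("enter hack\n");
    hack_(1212);
    printf("leave hack\n\n");

    // Code pages are normally not writable, so the stores below fault unless
    // the protection change succeeded. The original ignored the return value
    // and would have crashed on the first store instead of reporting why.
    const size_t kPatchLen = 7;  // b8 imm32 (5 bytes) + ff e0 (2 bytes)
    DWORD old = 0;
    if (!VirtualProtect(victim_p, kPatchLen, PAGE_EXECUTE_READWRITE, &old)) {
        fprintf(stderr, "VirtualProtect failed: %lu\n", GetLastError());
        return 1;
    }

    victim_p[0] = 0xb8;                                // mov eax, imm32
    ptrdiff_t hack_p = reinterpret_cast<ptrdiff_t>(hack);
    memcpy(victim_p + 1, &hack_p, 4);                  // imm32 = address of hack (low 4 bytes)
    victim_p[5] = 0xff;                                // jmp eax
    victim_p[6] = 0xe0;
    // NOTE: `old` is never used to restore the previous protection, so the
    // page stays executable+writable for the rest of the process (same as the
    // original listing).

    printf("enter victim\n");
    victim_(1212);  // now runs hack(); hack's own ret brings control back here
    printf("leave victim\n\n");
    return 0;
}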