内联汇编中的jmp地址错误
[英]Error with address for jmp in inline assembly
问题描述
What I do is 
我要做的是
- Get address of
ExitProcess获取ExitProcess地址 - Make space for opcode 为操作码腾出空间
- Modify opcode in the space 修改空间中的操作码
- Execute modified opcode by
__asm__ ("jmp %%ecx"::"c"(opcode));通过__asm__ ("jmp %%ecx"::"c"(opcode));执行修改的操作__asm__ ("jmp %%ecx"::"c"(opcode));
Here is my code: 这是我的代码:
#include <windows.h>
#include <stdio.h>
int main()
{
char addr[4];
*(int*)addr = GetProcAddress(GetModuleHandle("kernel32.dll"),"ExitProcess");
//push 0 == 0x6a 0x00
//call ExitProcess == 0xe8 0xd8 0x79 0xa2 0x75
char opcode[400] = {0x6a, 0x00, 0xe8,addr[0], addr[1],addr[2],addr[3]};
__asm__ ("jmp %%ecx" ::"c"(opcode));
//never be here
printf("never get here");
getchar();
return 0;
}
I expect program to exit normally, but the program terminates with a segmentation fault . 我希望程序能够正常退出,但是程序会因分段错误而终止。
It seems that it jumps to somewhere, but not to the location I want it to jump. 看来它跳到某个地方,但没有跳到我想要它跳的位置。
How can I fix that? 我该如何解决?
1 个解决方案
解决方案1
0 已采纳 2015-01-02 09:03:35
Setting aside the odd thing you are trying to do... 抛开您正在尝试做的奇怪的事情...
Your problem is the opcode e8 is a relative jump. 您的问题是操作码e8是相对跳转。 So you need to account for the address you are storing it at. 因此,您需要考虑存储它的地址。 Something like this maybe: 可能是这样的:
Update: Per taeyun, account for length of x. 更新:每个taeyun的长度为x。
#include <windows.h>
#include <stdio.h>
#pragma pack(1)
struct mfoo {
unsigned char x[3] = {0x6a, 0x00, 0xe8};
void *addr;
} foo;
int main()
{
unsigned char *a = (unsigned char *)GetProcAddress(GetModuleHandle("kernel32.dll"),"ExitProcess");
foo.addr = (void *)(a - sizeof(foo) - (unsigned char *)foo.x);
__asm__ ("jmp *%%ecx" ::"c"(&foo));
//never be here
printf("never get here");
getchar();
return 0;
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.