lilo_x

摘要： optional头的最后一个域是一个数组列表，该数组大小为16，元素为IMAGE_DATA_DIRECTORY,至于以后平台是否会增加，说不清楚，但是FileHeader中明确给出了该数组的大小。该数组表的第一个元素就是指向输出表的。而输出表的定义如下：typedef struct _IMAGE_EXPORT_DIRECTORY { DWORD Characteristics; DWORD TimeDateStamp; WORD MajorVersion; WORD MinorVersion; DWORD Name; DWORD Base; DWORD NumberOfFunctions; D 阅读全文

摘要： 先在虚拟机的windows安装目录下C盘下有个boot.ini（当然是处于隐藏状态，选择工具-》文件夹选项-》把隐藏受保护的操作系统文件这个选项去掉）修改boot。ini内容改为 [boot loader]timeout=30default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetec 阅读全文

摘要： Retrieving Kernel32's Base AddressFor shellcode, a common method to resolve the addresses of library functions needed, is to get the base address of the kernel32.dll image in memory and retrieve the addresses of GetProcAddress and LoadLibraryA by parsing the kernel32 images Export Address Table 阅读全文