{"id":94,"date":"2014-05-19T07:49:58","date_gmt":"2014-05-19T07:49:58","guid":{"rendered":""},"modified":"2014-05-19T07:49:58","modified_gmt":"2014-05-19T07:49:58","slug":"","status":"publish","type":"post","link":"http:\/\/weizn.net\/?p=94","title":{"rendered":"[\u8f6c]\u52a8\u6001\u5b9a\u4f4dAPI\u7684shellcode"},"content":{"rendered":"<p>\n\t\u524d\u9762\u7684&lt;&lt;<a href=\"http:\/\/www.cnblogs.com\/unixstudio\/archive\/2012\/11\/08\/2761701.html\">HOOK IAT RING3<\/a>&gt;&gt;\u6587\u7ae0\u4e2d\u4f7f\u7528\u5230\u4e86shellcode\uff0c\u90a3\u4e48\u8fd9\u4e2ashellcode\u662f\u600e\u4e48\u5236\u9020\u51fa\u6765\u7684\u5462\uff0c\u672c\u6587\u5c06\u4e3a\u4f60\u4e00\u6b65\u4e00\u6b65\u7684\u89e3\u60d1\n<\/p>\n<p>\n\t\u8fd9\u4e2ashellcode\u7684\u4e3b\u8981\u529f\u80fd\u662f\u8c03\u7528MessageBoxA\u5f39\u51fa\u4e00\u4e2a\u7a7a\u7684\u5bf9\u8bdd\u6846\uff0c\u6ce8\u610f\u6b64\u65f6\u7684\u5730\u5740\u7a7a\u95f4\u662f\u5728\u522b\u7684\u8fdb\u7a0b\uff0c\u7531\u4e8e\u4e0d\u540c\u7684\u64cd\u4f5c\u7cfb\u7edf\u4f1a\u5f71\u54cd\u52a8<br \/>\n\u6001\u94fe\u63a5\u5e93\u7684\u52a0\u8f7d\u5730\u5740\uff0c\u800c\u4e14\u4e0d\u540c\u7248\u672c\u7684dll\u4e2d\u51fd\u6570\u7684\u504f\u79fb\u91cfRVA\u4e5f\u4e0d\u5c3d\u76f8\u540c\uff0c\u56e0\u6b64\u5199\u4e00\u4e2a\u901a\u7528\u578b\u7684shellcode\u5c31\u663e\u5f97\u975e\u5e38\u7684\u6709\u5fc5\u8981&nbsp;\n<\/p>\n<p>\n\t&nbsp;\n<\/p>\n<p>\n\t\u90a3\u4e48shellcode\u8981\u600e\u4e48\u52a8\u6001\u53bb\u5b9a\u4f4dAPI\u7684\u5730\u5740\u5462\uff0c\u65b9\u6cd5\u8fd8\u662f\u4e00\u6837\u7684\uff0c\u9996\u5148\u5b9a\u4f4d\u51fd\u6570\u6240\u5728\u7684\u6a21\u5757\uff0c\u7136\u540e\u5728EAT\u91cc\u9762\u8fdb\u884c\u641c\u7d22\u5373\u53ef\uff0c\u53ea\u8981\u627e\u5230<br \/>\nKernel32.dll\u4e2d\u7684GetProcAddress\u548cLoadLibraryA\u7684\u5730\u5740\u5c31\u53ef\u4ee5\u901a\u8fc7\u8fd9\u4e24\u4e2a\u83b7\u5f97\u5176\u4ed6\u6a21\u5757\u4e2d\u51fd\u6570\u7684\u5730\u5740\n<\/p>\n<p>\n\t&nbsp;\n<\/p>\n<p>\n\t\u6ce8\u610f\uff1a\u7f51\u4e0a\u7684\u5f88\u591a\u6b64\u7c7b\u4ee3\u7801\u5e76\u6ca1\u6709\u901a\u8fc7\u641c\u7d22kernel32.dll\u6a21\u5757\uff0c\u800c\u662f\u76f4\u63a5\u53bb\u5bfb\u627e<br \/>\nLdr-&gt;InInitializationModuleList\u7684\u7b2c3\u4e2a\u6a21\u5757\uff0c\u8fd9\u662f\u6709\u95ee\u9898\u7684\uff0c\u56e0\u4e3a\u4ecewin7\u5f00\u59cb\u5f15\u5165\u4e86MinWin\u7684\u6982\u5ff5\u5bfc\u81f4<br \/>\nInInitializationModuleList\u4e2d\u7684\u7b2c\u4e09\u4e2a\u6a21\u5757\u662fKernelBase.dll\uff0c\u7b2c\u56db\u4e2a\u624d\u662fKernel32.dll\uff0c\u4e0d\u8fc7<br \/>\nLdr-&gt;InMemoryOrderModuleList\u4e2d\u7684\u7b2c\u4e09\u4e2a\u6a21\u5757\u5e76\u6ca1\u6709\u6539\u53d8\u8fd8\u662fKernel32.dll\uff0c\u4e3a\u4e86\u4ee5\u9632\u4e07\u4e00\u8fd8\u662f\u641c\u7d22\u5427\uff0c\u641c\u7d22<br \/>\n\u7684\u65f6\u5019\u7528\u7684\u662f\u6bd4\u8f83\u6a21\u5757\u7684\u7b2c\u4e03\u4e2a\u5b57\u7b26\u662f\u4e0d\u662f&#8217;3\u2019\u6765\u5339\u914d\uff0c\u56e0\u4e3akernel32.dll\u7684\u7b2c\u4e03\u4e2a\u5b57\u7b26\u5c31\u662f3\uff0c\u8fd9\u6837\u5c31\u53ef\u4ee5\u4e0d\u7528\u901a\u8fc7\u8ba1\u7b97\u54c8\u5e0c\u503c\u6765\u6bd4\u8f83\n<\/p>\n<p>\n\t&nbsp;\n<\/p>\n<p>\n\t\u4e0b\u9762\u8d34\u51fa\u5185\u5d4c\u6c47\u7f16\u4ee3\u7801\uff0c\u5e76\u52a0\u4e86\u4e00\u4e9b\u6ce8\u91ca\uff08winxp\uff0cwin7x86,win7x64\u4ee5\u517c\u5bb932\u4f4d\u7684\u6a21\u5f0f\u8fd0\u884c\uff0c\u90fd\u6ca1\u95ee\u9898~\uff09\n<\/p>\n<p>\n\t\u8fd9\u4e2ashellcode\u662f\u6211\u82b1\u4e86\u4e00\u4e2a\u4e0b\u5348\u7684\u65f6\u95f4\u5199\u7684\uff0c\u7531\u4e8e\u662f\u65b0\u624b\uff0c\u5982\u679c\u4e0b\u6587\u4e2d\u6709\u4ec0\u4e48\u7eb0\u6f0f\u7684\u8bdd\u6b22\u8fce\u6307\u6b63\uff01\n<\/p>\n<p>\n\t#include &lt;windows.h&gt;<br \/>\n#include &lt;stdio.h&gt;<\/p>\n<p>void PopMessageBox()<br \/>\n{<br \/>\n&nbsp;&nbsp;&nbsp; __asm{<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; jmp start<\/p>\n<p>find_function:<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push ebp<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov ebp,esp<\/p>\n<p>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov eax,fs:[0x30]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/fs points to teb in user mode\uff0cget pointer to peb<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov eax,[eax+0x0c]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/get peb-&gt;ldr<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov eax,[eax+0x14]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/get peb-&gt;ldr.InMemoryOrderModuleList.Flink(1st entry)<br \/>\nmodule_loop:<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov eax,[eax]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/skip the first entry or get the next entry<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov esi,[eax+0x28]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/get the BaseDllName-&gt;Buffer<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmp byte ptr [esi+0x0c],&#8217;3&#8242;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/test the module&#8217;s seventh&#8217;s wchar is &#8216;3&#8217; or not\uff0ckernel32.dll<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; jne module_loop<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/find kernel32.dll module<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov eax,[eax+0x10]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/LDR_DATA_TABLE_ENTRY-&gt;DllBase<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/kernel32.dll PE Header<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov edi,eax<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add edi,[edi+0x3c]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/IMAGE_DOS_HEADER-&gt;e_lfanew<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/kernel32.dll export directory table<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov edi,[edi+0x78]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/IMAGE_NT_HEADERS-&gt;OptinalHeader.DataDirectory[EAT].VirtualAddress<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add edi,eax<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov ebx,edi&nbsp;&nbsp;&nbsp; \/\/ ebx is EAT&#8217;s virtual address,we\u2019ll use it later<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/kernel32.dll Name Pointer Table<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov edi,[ebx+0x20]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/IMAGE_EXPORT_DESCRIPTOR-&gt;AddressOfNames RVA<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add edi,eax<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; xor ecx,ecx&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/NameOrdinals<\/p>\n<p>name_loop:<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov esi,[edi+ecx*4]<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add esi,eax<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; inc ecx<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov edx,[esp+8]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/first parameter<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmp dword ptr [esi],edx<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; jne name_loop<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov edx,[esp+0xc]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/second parameter<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; cmp dword ptr [esi+4],edx<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; jne name_loop<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/======================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/kernel32.dll Ordinal Table<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/======================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov edi,[ebx+0x24]<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add edi,eax<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov ecx,[edi+ecx*2]<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; and ecx,0xFFFF&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/cause ordinal is USHORT of size,so we just use its lower 16-bits<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/======================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/kernel32.dll Address Table<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/======================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov edi,[ebx+0x1c]<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add edi,eax<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; dec ecx&nbsp;&nbsp;&nbsp; \/\/subtract ordinal base<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sal ecx,2<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; mov edi,[edi+ecx]<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add eax,edi<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; pop ebp<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ret 8<\/p>\n<p>start:<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/ Get GetProcAddress&#8217;s address<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 0x41636f72&nbsp;&nbsp;&nbsp; \/\/rocA<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 0x50746547&nbsp;&nbsp;&nbsp; \/\/Getp<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; call find_function<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push eax&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/store GetProcAddress in stack<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/Get LoadLibraryA&#8217;s address<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 0x7262694c&nbsp;&nbsp;&nbsp; \/\/Libr<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 0x64616f4c&nbsp;&nbsp;&nbsp; \/\/Load<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; call find_function<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push eax&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/store LoadLibraryA in stack<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; stack snap<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;high address<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/&nbsp;&nbsp;&nbsp; GetProcAddress&#8217;s address<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/&nbsp;&nbsp;&nbsp; LoadLibraryA&#8217;s address&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;esp<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;low address<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/ Get User32.dll&#8217;s image base<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 0x3233&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/32<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 0x72657375&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/user<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push esp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/lpFileName<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; call eax&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/call LoadLibraryA(&#8220;user32.dll&#8221;)<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add esp,8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/cause we push user32 string<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/Get MessageBox&#8217;s address<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/====================================<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 0x41786f&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/oxA<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 0x42656761&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/ageB<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 0x7373654d&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/Mess<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push esp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/lpProcName<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push eax&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/hModule<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; call [esp+0x18]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/call GetProcAddress(hModule,&#8221;MessageBoxA&#8221;)<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add esp,0xc&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/cause we push MessageBoxA string<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 0<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 0<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 0<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; push 0<br \/>\n&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; call eax&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/call MessagBoxA(0,0,0,0)<\/p>\n<p>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; add esp,8&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; \/\/cause we push GetProcAddress and LoadLibrary in stack<br \/>\n&nbsp;&nbsp;&nbsp; }<br \/>\n}<\/p>\n<p>int main()<br \/>\n{<br \/>\n&nbsp;&nbsp;&nbsp; PopMessageBox();<br \/>\n&nbsp;&nbsp;&nbsp; return 0;<br \/>\n}\n<\/p>\n<p>\n\t\u81f3\u4e8e\u600e\u4e48\u8f6c\u4e3ashellcode\uff0c\u8fd9\u91cc\u63d0\u4f9b\u4e00\u4e2a\u65b9\u6cd5\uff0c\u5c31\u662f\u6309F10\u8fdb\u5165VS\u7684\u8c03\u8bd5\u6a21\u5f0f\uff0c\u7136\u540e\u518d\u53f3\u952e\u9009\u62e9\u67e5\u770b\u6c47\u7f16\u4ee3\u7801\uff0c\u627e\u5230\u5185\u5d4c\u6c47\u7f16\u7684\u5f00\u59cb\u5730\u5740\uff0c\u590d\u5236<br \/>\n\u90a3\u4e2a\u5730\u5740\u5904\u7684\u5185\u5bb9\u76f4\u5230\u5185\u5d4c\u6c47\u7f16\u7684\u53f3\u5927\u62ec\u53f7\uff0c\u653e\u5230\u5341\u516d\u8fdb\u5236\u7684\u7f16\u8f91\u5668\u4e2d\u6bd4\u5982NotePad++\uff0c\u7136\u540e\u66ff\u6362\u7a7a\u683c\u4e3a\\0x\uff0c\u518d\u7a0d\u4f5c\u4fee\u6539\u5373\u53ef\uff0c\u8fd9\u91cc\u8bf4\u7684\u6bd4\u8f83\u7684\u6a21\u7cca\uff0c<br \/>\n\u7b49\u6709\u65f6\u95f4\u7684\u65f6\u5019\u518d\u56de\u5934\u8fc7\u6765\u7167\u987e\u4e00\u4e0b\u65b0\u624b\u5427\uff0c\u5148\u628a\u4e0a\u9762\u7684\u6c47\u7f16\u6d88\u5316\u6389~<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\n\t\u524d\u9762\u7684&lt;&lt;<a href=\"http:\/\/www.cnblogs.com\/unixstudio\/archive\/2012\/11\/08\/2761701.html\">HOOK IAT RING3<\/a>&gt;&gt;\u6587\u7ae0\u4e2d\u4f7f\u7528\u5230\u4e86shellcode\uff0c\u90a3\u4e48\u8fd9\u4e2ashellcode\u662f\u600e\u4e48\u5236\u9020\u51fa\u6765\u7684\u5462\uff0c\u672c\u6587\u5c06\u4e3a\u4f60\u4e00\u6b65\u4e00\u6b65\u7684\u89e3\u60d1\n<\/p>\n<p>\n\t\u8fd9\u4e2ashellcode\u7684\u4e3b\u8981\u529f\u80fd\u662f\u8c03\u7528MessageBoxA\u5f39\u51fa\u4e00\u4e2a\u7a7a\u7684\u5bf9\u8bdd\u6846\uff0c\u6ce8\u610f\u6b64\u65f6\u7684\u5730\u5740\u7a7a\u95f4\u662f\u5728\u522b\u7684\u8fdb\u7a0b\uff0c\u7531\u4e8e\u4e0d\u540c\u7684\u64cd\u4f5c\u7cfb\u7edf\u4f1a\u5f71\u54cd\u52a8<br \/>\n\u6001\u94fe\u63a5\u5e93\u7684\u52a0\u8f7d\u5730\u5740\uff0c\u800c\u4e14\u4e0d\u540c\u7248\u672c\u7684dll\u4e2d\u51fd\u6570\u7684\u504f\u79fb\u91cfRVA\u4e5f\u4e0d\u5c3d\u76f8\u540c\uff0c&#8230;<\/p>\n","protected":false},"author":1,"featured_media":578,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[329],"tags":[],"class_list":["post-94","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v16.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>[\u8f6c]\u52a8\u6001\u5b9a\u4f4dAPI\u7684shellcode - Wayne&#039;s Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"http:\/\/weizn.net\/?p=94\" \/>\n<meta property=\"og:locale\" content=\"zh_CN\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"[\u8f6c]\u52a8\u6001\u5b9a\u4f4dAPI\u7684shellcode - Wayne&#039;s Blog\" \/>\n<meta property=\"og:description\" content=\"\u524d\u9762\u7684&lt;&lt;HOOK IAT RING3&gt;&gt;\u6587\u7ae0\u4e2d\u4f7f\u7528\u5230\u4e86shellcode\uff0c\u90a3\u4e48\u8fd9\u4e2ashellcode\u662f\u600e\u4e48\u5236\u9020\u51fa\u6765\u7684\u5462\uff0c\u672c\u6587\u5c06\u4e3a\u4f60\u4e00\u6b65\u4e00\u6b65\u7684\u89e3\u60d1    \u8fd9\u4e2ashellcode\u7684\u4e3b\u8981\u529f\u80fd\u662f\u8c03\u7528MessageBoxA\u5f39\u51fa\u4e00\u4e2a\u7a7a\u7684\u5bf9\u8bdd\u6846\uff0c\u6ce8\u610f\u6b64\u65f6\u7684\u5730\u5740\u7a7a\u95f4\u662f\u5728\u522b\u7684\u8fdb\u7a0b\uff0c\u7531\u4e8e\u4e0d\u540c\u7684\u64cd\u4f5c\u7cfb\u7edf\u4f1a\u5f71\u54cd\u52a8 \u6001\u94fe\u63a5\u5e93\u7684\u52a0\u8f7d\u5730\u5740\uff0c\u800c\u4e14\u4e0d\u540c\u7248\u672c\u7684dll\u4e2d\u51fd\u6570\u7684\u504f\u79fb\u91cfRVA\u4e5f\u4e0d\u5c3d\u76f8\u540c\uff0c...\" \/>\n<meta property=\"og:url\" content=\"http:\/\/weizn.net\/?p=94\" \/>\n<meta property=\"og:site_name\" content=\"Wayne&#039;s Blog\" \/>\n<meta property=\"article:published_time\" content=\"2014-05-19T07:49:58+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/10\/bg2018012205.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"800\" \/>\n\t<meta property=\"og:image:height\" content=\"400\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"\u4f5c\u8005\" \/>\n\t<meta name=\"twitter:data1\" content=\"zinan\" \/>\n\t<meta name=\"twitter:label2\" content=\"\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 \u5206\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"http:\/\/weizn.net\/#website\",\"url\":\"http:\/\/weizn.net\/\",\"name\":\"Wayne&#039;s Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/weizn.net\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"zh-Hans\"},{\"@type\":\"ImageObject\",\"@id\":\"http:\/\/weizn.net\/?p=94#primaryimage\",\"inLanguage\":\"zh-Hans\",\"url\":\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/10\/bg2018012205.jpg\",\"contentUrl\":\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/10\/bg2018012205.jpg\",\"width\":800,\"height\":400},{\"@type\":\"WebPage\",\"@id\":\"http:\/\/weizn.net\/?p=94#webpage\",\"url\":\"http:\/\/weizn.net\/?p=94\",\"name\":\"[\\u8f6c]\\u52a8\\u6001\\u5b9a\\u4f4dAPI\\u7684shellcode - Wayne&#039;s Blog\",\"isPartOf\":{\"@id\":\"http:\/\/weizn.net\/#website\"},\"primaryImageOfPage\":{\"@id\":\"http:\/\/weizn.net\/?p=94#primaryimage\"},\"datePublished\":\"2014-05-19T07:49:58+00:00\",\"dateModified\":\"2014-05-19T07:49:58+00:00\",\"breadcrumb\":{\"@id\":\"http:\/\/weizn.net\/?p=94#breadcrumb\"},\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"http:\/\/weizn.net\/?p=94\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"http:\/\/weizn.net\/?p=94#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"\\u9996\\u9875\",\"item\":\"http:\/\/weizn.net\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"[\\u8f6c]\\u52a8\\u6001\\u5b9a\\u4f4dAPI\\u7684shellcode\"}]},{\"@type\":\"Article\",\"@id\":\"http:\/\/weizn.net\/?p=94#article\",\"isPartOf\":{\"@id\":\"http:\/\/weizn.net\/?p=94#webpage\"},\"author\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"headline\":\"[\\u8f6c]\\u52a8\\u6001\\u5b9a\\u4f4dAPI\\u7684shellcode\",\"datePublished\":\"2014-05-19T07:49:58+00:00\",\"dateModified\":\"2014-05-19T07:49:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"http:\/\/weizn.net\/?p=94#webpage\"},\"wordCount\":1819,\"commentCount\":0,\"publisher\":{\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\"},\"image\":{\"@id\":\"http:\/\/weizn.net\/?p=94#primaryimage\"},\"thumbnailUrl\":\"http:\/\/weizn.net\/wp-content\/uploads\/2020\/10\/bg2018012205.jpg\",\"articleSection\":[\"shellcode\"],\"inLanguage\":\"zh-Hans\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"http:\/\/weizn.net\/?p=94#respond\"]}]},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264\",\"name\":\"zinan\",\"logo\":{\"@id\":\"http:\/\/weizn.net\/#personlogo\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"[\u8f6c]\u52a8\u6001\u5b9a\u4f4dAPI\u7684shellcode - Wayne&#039;s Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/weizn.net\/?p=94","og_locale":"zh_CN","og_type":"article","og_title":"[\u8f6c]\u52a8\u6001\u5b9a\u4f4dAPI\u7684shellcode - Wayne&#039;s Blog","og_description":"\u524d\u9762\u7684&lt;&lt;HOOK IAT RING3&gt;&gt;\u6587\u7ae0\u4e2d\u4f7f\u7528\u5230\u4e86shellcode\uff0c\u90a3\u4e48\u8fd9\u4e2ashellcode\u662f\u600e\u4e48\u5236\u9020\u51fa\u6765\u7684\u5462\uff0c\u672c\u6587\u5c06\u4e3a\u4f60\u4e00\u6b65\u4e00\u6b65\u7684\u89e3\u60d1    \u8fd9\u4e2ashellcode\u7684\u4e3b\u8981\u529f\u80fd\u662f\u8c03\u7528MessageBoxA\u5f39\u51fa\u4e00\u4e2a\u7a7a\u7684\u5bf9\u8bdd\u6846\uff0c\u6ce8\u610f\u6b64\u65f6\u7684\u5730\u5740\u7a7a\u95f4\u662f\u5728\u522b\u7684\u8fdb\u7a0b\uff0c\u7531\u4e8e\u4e0d\u540c\u7684\u64cd\u4f5c\u7cfb\u7edf\u4f1a\u5f71\u54cd\u52a8 \u6001\u94fe\u63a5\u5e93\u7684\u52a0\u8f7d\u5730\u5740\uff0c\u800c\u4e14\u4e0d\u540c\u7248\u672c\u7684dll\u4e2d\u51fd\u6570\u7684\u504f\u79fb\u91cfRVA\u4e5f\u4e0d\u5c3d\u76f8\u540c\uff0c...","og_url":"http:\/\/weizn.net\/?p=94","og_site_name":"Wayne&#039;s Blog","article_published_time":"2014-05-19T07:49:58+00:00","og_image":[{"width":800,"height":400,"url":"http:\/\/weizn.net\/wp-content\/uploads\/2020\/10\/bg2018012205.jpg","path":"\/app\/wp-content\/uploads\/2020\/10\/bg2018012205.jpg","size":"full","id":578,"alt":"","pixels":320000,"type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"\u4f5c\u8005":"zinan","\u9884\u8ba1\u9605\u8bfb\u65f6\u95f4":"9 \u5206"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebSite","@id":"http:\/\/weizn.net\/#website","url":"http:\/\/weizn.net\/","name":"Wayne&#039;s Blog","description":"","publisher":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/weizn.net\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"zh-Hans"},{"@type":"ImageObject","@id":"http:\/\/weizn.net\/?p=94#primaryimage","inLanguage":"zh-Hans","url":"http:\/\/weizn.net\/wp-content\/uploads\/2020\/10\/bg2018012205.jpg","contentUrl":"http:\/\/weizn.net\/wp-content\/uploads\/2020\/10\/bg2018012205.jpg","width":800,"height":400},{"@type":"WebPage","@id":"http:\/\/weizn.net\/?p=94#webpage","url":"http:\/\/weizn.net\/?p=94","name":"[\u8f6c]\u52a8\u6001\u5b9a\u4f4dAPI\u7684shellcode - Wayne&#039;s Blog","isPartOf":{"@id":"http:\/\/weizn.net\/#website"},"primaryImageOfPage":{"@id":"http:\/\/weizn.net\/?p=94#primaryimage"},"datePublished":"2014-05-19T07:49:58+00:00","dateModified":"2014-05-19T07:49:58+00:00","breadcrumb":{"@id":"http:\/\/weizn.net\/?p=94#breadcrumb"},"inLanguage":"zh-Hans","potentialAction":[{"@type":"ReadAction","target":["http:\/\/weizn.net\/?p=94"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/weizn.net\/?p=94#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"\u9996\u9875","item":"http:\/\/weizn.net\/"},{"@type":"ListItem","position":2,"name":"[\u8f6c]\u52a8\u6001\u5b9a\u4f4dAPI\u7684shellcode"}]},{"@type":"Article","@id":"http:\/\/weizn.net\/?p=94#article","isPartOf":{"@id":"http:\/\/weizn.net\/?p=94#webpage"},"author":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"headline":"[\u8f6c]\u52a8\u6001\u5b9a\u4f4dAPI\u7684shellcode","datePublished":"2014-05-19T07:49:58+00:00","dateModified":"2014-05-19T07:49:58+00:00","mainEntityOfPage":{"@id":"http:\/\/weizn.net\/?p=94#webpage"},"wordCount":1819,"commentCount":0,"publisher":{"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264"},"image":{"@id":"http:\/\/weizn.net\/?p=94#primaryimage"},"thumbnailUrl":"http:\/\/weizn.net\/wp-content\/uploads\/2020\/10\/bg2018012205.jpg","articleSection":["shellcode"],"inLanguage":"zh-Hans","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["http:\/\/weizn.net\/?p=94#respond"]}]},{"@type":["Person","Organization"],"@id":"http:\/\/weizn.net\/#\/schema\/person\/e88bc12c590502d8b6249326f960b264","name":"zinan","logo":{"@id":"http:\/\/weizn.net\/#personlogo"}}]}},"_links":{"self":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/94","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=94"}],"version-history":[{"count":0,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/posts\/94\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=\/wp\/v2\/media\/578"}],"wp:attachment":[{"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=94"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=94"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/weizn.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=94"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}