System.AccessViolationException表示不安全的代码

时间:2016-12-08 03:30:53

标签: c# shellcode

我试图从C#运行shellcode并使用下面的存根来执行此操作(我在Github上找到的示例)。但是每次运行应用程序时,我都会得到一个来自callwindowproc函数的System.AccessViolationException occurred in ConsoleApplication1.exe

我对调用不安全的代码不太熟悉,我假设这可能是一个内存保护(例如DEP),但我不确定。任何人都可以提供更多见解吗?

using System;
using System.Runtime.InteropServices;

namespace ConsoleApplication1
{
    class Program
    {

        [DllImport("user32")]
        private static extern int CallWindowProc
            (int lpPrevWndFunc, int hWnd, int Msg, int wParam, int lParam);


        public static unsafe int shl(int x)
        {
            //8B45 0C        MOV EAX,DWORD PTR SS:[EBP+12]
            //D1E0           SHL EAX,1
            //C2 10 00       RETN 10h
            byte[] b = { 0x8B, 0x45, 0x0C, 0xD1, 0xE0, 0xC2, 0x10, 0x00 };
            fixed (byte* bb = &b[0])
            {
                int bi = (int)bb;
                return CallWindowProc(bi, x, 0, 0, 0);
            }
        }

        public static unsafe int shr(int x)
        {
            //8B45 0C        MOV EAX,DWORD PTR SS:[EBP+12]
            //D1E8           SHR EAX,1
            //C2 10 00       RETN 10h
            byte[] b = { 0x8B, 0x45, 0x0C, 0xD1, 0xE8, 0xC2, 0x10, 0x00 };
            fixed (byte* bb = &b[0])
            {
                int bi = (int)bb;
                return CallWindowProc(bi, x, 0, 0, 0);
            }
        }

        public static unsafe void CallShellcode()
        {

            byte[] calc_shellcode = { //skylined calc shellcode from google code
                0x31, 0xF6, 0x56, 0x64, 0x8B, 0x76, 0x30, 0x8B, 0x76, 0x0C, 0x8B,
                0x76, 0x1C, 0x8B, 0x6E, 0x08, 0x8B, 0x36, 0x8B, 0x5D, 0x3C, 0x8B,
                0x5C, 0x1D, 0x78, 0x01, 0xEB, 0x8B, 0x4B, 0x18, 0x67, 0xE3, 0xEC,
                0x8B, 0x7B, 0x20, 0x01, 0xEF, 0x8B, 0x7C, 0x8F, 0xFC, 0x01, 0xEF,
                0x31, 0xC0, 0x99, 0x32, 0x17, 0x66, 0xC1, 0xCA, 0x01, 0xAE, 0x75,
                0xF7, 0x66, 0x81, 0xFA, 0x10, 0xF5, 0xE0, 0xE2, 0x75, 0xCC, 0x8B,
                0x53, 0x24, 0x01, 0xEA, 0x0F, 0xB7, 0x14, 0x4A, 0x8B, 0x7B, 0x1C,
                0x01, 0xEF, 0x03, 0x2C, 0x97, 0x68, 0x2E, 0x65, 0x78, 0x65, 0x68,
                0x63, 0x61, 0x6C, 0x63, 0x54, 0x87, 0x04, 0x24, 0x50, 0xFF, 0xD5,
                0xC3
            };

            try
            {
                fixed (byte* bb = &calc_shellcode[0])
                {
                    int bi = (int)bb;
                    CallWindowProc(bi, 0, 0, 0, 0);
                }
            }
            catch (Exception e) { }

        }

        static void Main(string[] args)
        {

            int a = shl(4);
            int b = shr(4);
            Console.WriteLine("shl(4)=" + a + " shr(4)=" + b);
            Console.WriteLine("Press any key to call skylines calc shellcode");
            Console.ReadKey();
            CallShellcode();


        }
    }
}

1 个答案:

答案 0 :(得分:1)

CallWindowProc将函数指针和窗口句柄作为前两个参数。例如,在shl中,您将x86指令序列的前32位(即垃圾指针值)和硬编码的整数4作为前两个参数传递给它。难怪代码在不久之后就崩溃了。

你到底想要完成什么? CallWindowProc与此有什么关系?看起来您想要执行在运行时生成的任意x86指令,如果您阅读其文档,则与CallWindowProc完全无关。

This question可能会有所帮助。

相关问题
最新问题