A 32-bit program can execute 64-bit shellcode through a segment jump
(A Win32 process can also run Win64 shellcode: the far jump target is cs:eip, and the CS selector is 0x23 under x32 and 0x33 under x64.)
1. The shellcode is as follows
Execution reaches 6140863, where CS is changed to 0x33 and a return is executed.
After the return, the code runs as 64-bit code.
It then calls NtCreateThreadEx. The parameters are laid out as follows: under the x64 fastcall calling convention, the first four parameters are passed in registers (RCX, RDX, R8, R9) and the remaining parameters are pushed on the stack starting at RSP+0x20, so the thread function address can be read off as 020f0000.
NTSTATUS NtCreateThreadEx(
    PHANDLE ThreadHandle,
    ACCESS_MASK DesiredAccess,
    POBJECT_ATTRIBUTES ObjectAttributes,
    HANDLE ProcessHandle,
    LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter,
    BOOL CreateSuspended,
    SIZE_T StackZeroBits,
    SIZE_T SizeOfStackCommit,
    SIZE_T SizeOfStackReserve,
    LPVOID lpBytesBuffer
);
Locate the corresponding process ID; the thread function is at 020f0000, and it can then be debugged in WinDbg.
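The parameter mapping described above (RCX, RDX, R8, R9, then 8-byte stack slots from RSP+0x20) is what an analyst applies by hand when reading a register dump in the debugger. The following Python is an added example, not code from the original post: it takes a register dump and a raw stack capture, classifies the code segment from the CS selector (0x23 or 0x33), and names each NtCreateThreadEx argument so the thread start address can be pulled out for a breakpoint. The register and stack values are constructed for illustration, and the function names (`analyse_call`, `decode_fastcall_args`) are this example's own. It also handles the callee-side view, where the pushed return address moves the fifth argument to RSP+0x28.

```python
import struct

# Microsoft x64 calling convention ("fastcall" on Win64): the first four
# integer/pointer arguments travel in RCX, RDX, R8, R9; arguments five and up
# are 8-byte slots on the stack after the 0x20-byte shadow space.
REGISTER_ARGS = ("rcx", "rdx", "r8", "r9")

# Parameter names in the order of the NtCreateThreadEx prototype on the page.
NTCREATETHREADEX_PARAMS = (
    "ThreadHandle", "DesiredAccess", "ObjectAttributes", "ProcessHandle",
    "lpStartAddress", "lpParameter", "CreateSuspended", "StackZeroBits",
    "SizeOfStackCommit", "SizeOfStackReserve", "lpBytesBuffer",
)

# Code segment selectors seen in a WOW64 process (the values the page gives).
CS_SELECTORS = {0x23: "32-bit", 0x33: "64-bit"}


def code_mode(cs):
    """Classify the CS selector so the analyst knows whether to disassemble
    the bytes at the instruction pointer as 32-bit or 64-bit code."""
    return CS_SELECTORS.get(cs, "unknown")


def decode_fastcall_args(regs, stack, names, first_stack_offset=0x20):
    """Map a register dump plus raw stack bytes (starting at RSP) onto named
    parameters. first_stack_offset is where the fifth argument sits relative
    to RSP: 0x20 from the caller's point of view (the view the page uses);
    after the call instruction has pushed its return address, the same slot
    is at RSP+0x28 inside the callee."""
    values = [regs[r] for r in REGISTER_ARGS[:len(names)]]
    for i in range(len(names) - len(values)):
        offset = first_stack_offset + 8 * i
        if offset + 8 > len(stack):
            raise ValueError(f"stack capture too short for argument {len(values) + 1}")
        values.append(struct.unpack_from("<Q", stack, offset)[0])
    return dict(zip(names, values))


def analyse_call(regs, stack, first_stack_offset=0x20):
    """Return the code mode plus the decoded NtCreateThreadEx parameters."""
    params = decode_fastcall_args(regs, stack, NTCREATETHREADEX_PARAMS, first_stack_offset)
    return {
        "mode": code_mode(regs["cs"]),
        "params": params,
        # Where the new thread would begin executing: the address to dump
        # or set a breakpoint on next.
        "thread_start": params["lpStartAddress"],
    }


# Constructed sample register dump; not captured from a real process.
SAMPLE_REGS = {
    "cs": 0x33,
    "rcx": 0x0000000000014FA10,   # &hThread output variable (constructed)
    "rdx": 0x00000000001FFFFF,    # THREAD_ALL_ACCESS
    "r8": 0x0,                    # ObjectAttributes = NULL
    "r9": 0xFFFFFFFFFFFFFFFF,     # ProcessHandle = -1 (current process)
}

# Constructed stack capture starting at RSP: 0x20 bytes of shadow space, then
# the seven remaining arguments as little-endian QWORDs. The start address
# 0x020f0000 is the value the page reports for the thread function.
SAMPLE_STACK = struct.pack("<4Q", 0, 0, 0, 0) + struct.pack(
    "<7Q", 0x020F0000, 0, 0, 0, 0, 0, 0
)

if __name__ == "__main__":
    result = analyse_call(SAMPLE_REGS, SAMPLE_STACK)
    print("code mode:", result["mode"])
    for name, value in result["params"].items():
        print(f"  {name:<20} {value:#018x}")
    print(f"thread start address: {result['thread_start']:#010x}")
```

When breaking on the NtCreateThreadEx stub itself rather than at the call site, pass `first_stack_offset=0x28` so the return address the call pushed is skipped.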