首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全工具>网络工具>软件详细
软件名称:  Findjmp2.zip
文件类型:  
界面语言:  简体中文
软件类型:  国产软件
运行环境:  WinNT/2K/Xp
授权方式:  共享软件
软件大小:  8K
软件等级:  ★★★★☆
发布时间:  2005-02-18
官方网址: http://www.eeye.com 作者:Ryan
演示网址:
软件说明:  
Findjmp2 - Find jmp, call, push in a Loaded DLL
Credit:
To keep updated with the tool visit the project's homepage at: http://www.hat-squad.com/en/000157.html
Details
Findjmp2 is a modified version of Findjmp from eEye.com to find jmp, call, push in a loaded DLL. This version includes search for pop/pop/ret set of instructions that is useful to bypass Windows XP SP2 and Windows 2003 stack protection mechanism.

Source Code:
/*
Findjmp.c
written by Ryan Permeh - ryan at eeye - Summarily modified by I2S-LaB.com
http://www.eeye.com
   
Findjmp2.c (pop/pop/ret scanner, logging to file)
version by A.D - class101 at hat-squad
http://class101.org, http://www.hat-squad.com


This finds useful jump points in a dll. Once you overflow a buffer, by
looking in the various registers, it is likely that you will find a
reference to your code. This program will find addresses suitible to
overwrite eip that will return to your code.

It should be easy to modify this to search for other good jump points,
or specific code patterns within a dll.

It currently supports looking for:
   1. jmp reg

   2. call reg

   3. push reg
      ret
All three options result in the same thing, EIP being set to reg.

It also supports the following registers:
  EAX
  EBX
  ECX
  EDX
  ESI
  EDI
  ESP
  EBP
*/

#include <iostream.h>
#include <fstream.h>
#include <Windows.h>
#include <stdio.h>

FILE *fplog;

void usage();
void sep();
void iok(BYTE *curpos, char *reg);
void iok2(BYTE *curpos, char *reg);
void ook(BYTE *curpos, char *reg);
void ook2(BYTE *curpos, char *reg);

DWORD GetRegNum( char *reg );
void findjmp( char *dll, char *reg );

//This finds useful jump points in a dll. Once you overflow a buffer, by
//looking in the various registers, it is likely that you will find a
//reference to your code. This program will find addresses of suitible
//addresses of eip that will return to your code.

int main( int argc, char **argv )
{
if( argc <= 2 )
  usage();
  
else
{
  char dll[512], //holder for the dll to look in
  reg[512]; // holder for the register

  if ((fplog =fopen("findjmp.txt","r"))==NULL){
   fplog =fopen("findjmp.txt","w");}
  else fplog =fopen("findjmp.txt","a");
  strncpy( dll, argv[1], 512 );
  strncpy( reg, argv[2], 512 );
  findjmp( dll, reg );
}
return 0;
}

//This prints the usage information.

void usage()
{
printf("\nFindjmp, Eeye, I2S-LaB\nFindjmp2, Hat-Squad\nFindJmp DLL registre\nEx: findjmp KERNEL32.DLL esp"\
     "\nCurrently supported registre are: EAX, EBX, ECX, EDX, ESI, EDI, ESP, EBP\n" );
}

//findjmp is the workhorse. it loads the requested dll, and searches for
//the specific patterns for jmp reg, push reg ret, and call reg

void findjmp( char *dll,char *reg )
{
    char reg1[]="eax";char reg2[]="ebx";
    char reg3[]="ecx";char reg4[]="edx";
char reg5[]="esi";char reg6[]="edi";
    char reg7[]="esp";char reg8[]="ebp";

BYTE jmppat[8][2]={ { 0xFF, 0xE0 }, { 0xFF, 0xE3 }, { 0xFF, 0xE1 }, { 0xFF, 0xE2 },
       { 0xFF, 0xE6 }, { 0xFF, 0xE7 }, { 0xFF, 0xE4 }, { 0xFF, 0xE5 } }; // patterns for jmp ops

BYTE callpat[8][2]={ { 0xFF, 0xD0 }, { 0xFF, 0xD3 }, { 0xFF, 0xD1 }, { 0xFF, 0xD2},
       { 0xFF, 0xD6 }, { 0xFF, 0xD7 }, { 0xFF, 0xD4 }, { 0xFF, 0xD5 } }; // patterns for call ops

BYTE pushretpat[8][2]={ { 0x50, 0xC3 }, { 0x53, 0xC3 }, { 0x51, 0xC3 }, { 0x52, 0xC3 },
       { 0x56, 0xC3 }, { 0x57, 0xC3 }, { 0x54, 0xC3 }, { 0x55, 0xC3 } }; // patterns for pushret ops

BYTE poppat[8][1]={ { 0x58 }, { 0x5B }, { 0x59 }, { 0x5A }, // patterns for pop,pop,ret
     { 0x5E }, { 0x5F }, { 0x5C }, { 0x5D },};

BYTE retn[1][1]={ 0xC3 }; // pattern for pop,pop,ret

BYTE retnbis[1][1]={ 0xC2 }; // pattern for pop,pop,ret


HMODULE loadedDLL; //base pointer for the loaded DLL

BYTE *curpos; //current position within the DLL
BYTE *curpos2; //subposition pop,pop,ret

DWORD regnum=GetRegNum(reg); // decimal representation of passed register
DWORD regnum1=GetRegNum(reg1);DWORD regnum2=GetRegNum(reg2);
DWORD regnum3=GetRegNum(reg3);DWORD regnum4=GetRegNum(reg4);
DWORD regnum5=GetRegNum(reg5);DWORD regnum6=GetRegNum(reg6);
DWORD regnum7=GetRegNum(reg7);DWORD regnum8=GetRegNum(reg8);

DWORD numaddr=0; //accumulator for addresses

if( regnum == -1 ) //check if register is useable
{ //it didn't load, time to bail
  printf( "There was a problem understanding the register.\n"\
   "Please check that it isa correct IA32 register name\n"\
   "Currently supported are:\n "\
   "EAX, EBX, ECX, EDX, ESI, EDI, ESP, EBP\n"\
   );

  exit(-1);
}

if( (loadedDLL=LoadLibraryA(dll)) == NULL) // check if DLL loaded correctly
{ //it didn't load, time to bail
  printf( "There was a problem Loading the requested DLL.\n"\
    "Please check that it is in your path and readable\n" );
  exit(-1);
}
else
{
  sep();
  fprintf(fplog,"Findjmp, Eeye, I2S-LaB\nFindjmp2, Hat-Squad\n");
  printf("\nFindjmp, Eeye, I2S-LaB\nFindjmp2, Hat-Squad\n");
  printf( "Scanning %s for code useable with the %s register\n", dll, reg ); //we loaded the dll correctly, time to scan it
  fprintf(fplog,"Scanning %s for code useable with the %s register\n", dll, reg ); //we loaded the dll correctly, time to scan it
  sep();
  curpos=(BYTE*)loadedDLL; //set curpos at start of DLL
  curpos2=(BYTE*)loadedDLL; //pop,pop,ret subscan.

  __try
  {
   while(1)
   {
    Sleep(1/10);
    if( !memcmp( curpos, jmppat[regnum], 2) ) //check for jmp match
    {
     printf( "0x%X\tjmp %s\n", curpos, reg ); // we have a jmp match
     fprintf(fplog,"0x%X\tjmp %s\n", curpos, reg ); // we have a jmp match
     numaddr++;
    }
    else if( !memcmp( curpos, callpat[regnum],2) ) //check for call match

    {
     printf( "0x%X\tcall %s\n", curpos, reg ); // we have a call match
     fprintf(fplog,"0x%X\tcall %s\n", curpos, reg );
     numaddr++;
    }
    else if( !memcmp(curpos,pushretpat[regnum], 2) ) //check for push/ret match
    {
     printf( "0x%X\tpush %s - ret\n", curpos, reg ); // we have a pushret match
     fprintf(fplog,"0x%X\tpush %s - ret\n", curpos, reg ); // we have a jmp match
     numaddr++;
    }
    else if( !memcmp(curpos,poppat[regnum], 1) ) //check for pop/pop/ret match
    {
     curpos2++;
     if( !memcmp(curpos2,poppat[regnum1], 1) )
     {
      curpos2++;
      if( !memcmp(curpos2,retn, 1) )
      {
       iok(curpos, reg); // we have a popopret match
       ook(curpos, reg); // we have a popopret match
       numaddr++;
      }
      if( !memcmp(curpos2,retnbis, 1) )
      {
       iok2(curpos, reg); // we have a popopret match
       ook2(curpos, reg); // we have a popopret match
       numaddr++;
      }
      curpos2--;curpos2--;goto loop;
     }
     if( !memcmp(curpos2,poppat[regnum2], 1) )
     {
      curpos2++;
      if( !memcmp(curpos2,retn, 1) )
      {
       iok(curpos, reg); // we have a popopret match
       ook(curpos, reg); // we have a popopret match
       numaddr++;
      }
      if( !memcmp(curpos2,retnbis, 1) )
      {
       iok2(curpos, reg); // we have a popopret match
       ook2(curpos, reg); // we have a popopret match
       numaddr++;
      }
      curpos2--;curpos2--;goto loop;
     }
     if( !memcmp(curpos2,poppat[regnum3], 1) )
     {
      curpos2++;
      if( !memcmp(curpos2,retn, 1) )
      {
       iok(curpos, reg); // we have a popopret match
       ook(curpos, reg); // we have a popopret match
       numaddr++;
      }
      if( !memcmp(curpos2,retnbis, 1) )
      {
       iok2(curpos, reg); // we have a popopret match
       ook2(curpos, reg); // we have a popopret match
       numaddr++;
      }
      curpos2--;curpos2--;goto loop;
     }
     if( !memcmp(curpos2,poppat[regnum4], 1) )
     {
      curpos2++;
      if( !memcmp(curpos2,retn, 1) )
      {
       iok(curpos, reg); // we have a popopret match
       ook(curpos, reg); // we have a popopret match
       numaddr++;
      }
      if( !memcmp(curpos2,retnbis, 1) )
      {
       iok2(curpos, reg); // we have a popopret match
       ook2(curpos, reg); // we have a popopret match
       numaddr++;
      }
      curpos2--;curpos2--;goto loop;
     }
     if( !memcmp(curpos2,poppat[regnum5], 1) )
     {
      curpos2++;
      if( !memcmp(curpos2,retn, 1) )
      {
       iok(curpos, reg); // we have a popopret match
       ook(curpos, reg); // we have a popopret match
       numaddr++;
      }
      if( !memcmp(curpos2,retnbis, 1) )
      {
       iok2(curpos, reg); // we have a popopret match
       ook2(curpos, reg); // we have a popopret match
       numaddr++;
      }
      curpos2--;curpos2--;goto loop;
     }
     if( !memcmp(curpos2,poppat[regnum6], 1) )
     {
      curpos2++;
      if( !memcmp(curpos2,retn, 1) )
      {
       iok(curpos, reg); // we have a popopret match
       ook(curpos, reg); // we have a popopret match
       numaddr++;
      }
      if( !memcmp(curpos2,retnbis, 1) )
      {
       iok2(curpos, reg); // we have a popopret match
       ook2(curpos, reg); // we have a popopret match
       numaddr++;
      }
      curpos2--;curpos2--;goto loop;
     }
     if( !memcmp(curpos2,poppat[regnum7], 1) )
     {
      curpos2++;
      if( !memcmp(curpos2,retn, 1) )
      {
       iok(curpos, reg); // we have a popopret match
       ook(curpos, reg); // we have a popopret match
       numaddr++;
      }
      if( !memcmp(curpos2,retnbis, 1) )
      {
       iok2(curpos, reg); // we have a popopret match
       ook2(curpos, reg); // we have a popopret match
       numaddr++;
      }
      curpos2--;curpos2--;goto loop;
     }
     if( !memcmp(curpos2,poppat[regnum8], 1) )
     {
      curpos2++;
      if( !memcmp(curpos2,retn, 1) )
      {
       iok(curpos, reg); // we have a popopret match
       ook(curpos, reg); // we have a popopret match
       numaddr++;
      }
      if( !memcmp(curpos2,retnbis, 1) )
      {
       iok2(curpos, reg); // we have a popopret match
       ook2(curpos, reg); // we have a popopret match
       numaddr++;
      }
      curpos2--;curpos2--;goto loop;
     }
     curpos2--;
    }
loop:
    curpos++;
    curpos2++;
   }
  }
  __except(1)
  {
   sep();
   fprintf( fplog,"Finished Scanning %s for code useable with the %s register\n", dll, reg );
   printf( "Finished Scanning %s for code useable with the %s register\n", dll, reg );
   printf( "Found %d usable addresses\n", numaddr );
   fprintf( fplog,"Found %d usable addresses\n", numaddr );sep();fprintf( fplog,"\n\n\n");
  }
}

}


DWORD GetRegNum( char *reg )
{
DWORD ret=-1;
if( !stricmp( reg, "eax") )
{
  ret=0;
}
else if( !stricmp( reg, "ebx") )
{
  ret=1;
}
else if( !stricmp( reg, "ecx") )
{
  ret=2;
}
else if( !stricmp( reg, "edx") )
{
  ret=3;
}
else if( !stricmp( reg, "esi") )
{
  ret=4;
}
else if( !stricmp( reg, "edi") )
{
  ret=5;
}
else if( !stricmp( reg, "esp") )
{
  ret=6;
}
else if( !stricmp( reg, "ebp") )
{
  ret=7;
}

return ret; //return our decimal register number
}

void sep()
{
fprintf(fplog,"----------------------------------------------------------------------------\n");
}

void iok(BYTE *curpos, char *reg)
{
printf( "0x%X\tpop %s - pop - ret\n", curpos, reg ); // we have a popopret match
}

void iok2(BYTE *curpos, char *reg)
{
printf( "0x%X\tpop %s - pop - retbis\n", curpos, reg ); // we have a popopret match
}

void ook(BYTE *curpos, char *reg)
{
fprintf(fplog,"0x%X\tpop %s - pop - ret\n", curpos, reg ); // we have a jmp match
}

void ook2(BYTE *curpos, char *reg)
{
fprintf(fplog,"0x%X\tpop %s - pop - retbis\n", curpos, reg ); // we have a jmp match
}


// EOF

Download information:
The original source source code and binary can be found at: http://www.hat-squad.com/~class101/36/55/002/Findjmp2.zip (ZIP Passwd: byclass101). 
下载地址: 进入下载地址列表
下载说明: ☉推荐使用网际快车下载本站软件,使用 WinRAR v3.10 以上版本解压本站软件。
☉如果这个软件总是不能下载的请点击报告错误,谢谢合作!!
☉下载本站资源,如果服务器暂不能下载请过一段时间重试!
☉如果遇到什么问题,请到本站论坛去咨寻,我们将在那里提供更多 、更好的资源!
☉本站提供的一些商业软件是供学习研究之用,如用于商业用途,请购买正版。
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热门软件
·WIN2003 Resource Kit Tools
·W2K-Server-ResourceKit
·TracertGUI.rar
·VNN_20_Pre8.rar
·DatabaseEditor.rar
·getproxy2.exe
·rmtsvc2.4.6a.rar
·sqlexec.zip
·foundstone_tools.zip
·getproxy2.pl
·pstools.zip
·eyes.exe
  相关软件
·DatabaseEditor.rar
·sqlexec.zip
·cadt_v1.0.rar
·VNN_20_Pre8.rar
·getproxy2.pl
·BkSSL.rar
·getproxy2.exe
·rmtsvc2.4.6a.rar
·GUIControlTelnet.rar
·foundstone_tools.zip
·FileSystem Investigator
·eyes.exe
 
  推荐广告
CopyRight © 2002-2021 VFocuS.Net All Rights Reserved