```c
#include <stdio.h>
#include <windows.h>

int main(void)
{
    __try {
        // Deliberate overflow: 214 bytes written into a 100-byte stack buffer,
        // clobbering the /GS cookie that sits above it.
        char buffer[100];
        for (int i = 0; i < 214; i++)
            buffer[i] = 'C';
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        puts("Now we get exception....");
    }
    return 0;
}
```
In fact, "Now we get exception...." is never printed. When the cookie is modified, execution enters the int 29 interrupt mentioned above, which terminates the process directly instead of walking the exception handler chain. (One way to think about it: the cookie check actually happens when the function call returns, and at that point the code is no longer enclosed by try...except, so the exception chain is never triggered.) To hijack the SEH chain, what is actually needed is to raise the error directly inside the code block enclosed by try...except.

In code of this kind, that can be done by writing a large amount of data:
```c
__try {
    gets(buffer);
} __except (EXCEPTION_EXECUTE_HANDLER) {
    puts("Now we get exception....");
}
```
```c
__try {
#ifdef SECURE
    // Secure Note: This is secure because the developer is passing a size
    // equal to size of KernelBuffer to RtlCopyMemory()/memcpy(). Hence,
    // there will be no overflow
    RtlCopyMemory((PVOID)KernelBuffer, UserBuffer, sizeof(KernelBuffer));
#else
    DbgPrint("[+] Triggering Stack Overflow (GS)\n");

    // Vulnerability Note: This is a vanilla Stack based Overflow vulnerability
    // because the developer is passing the user supplied size directly to
    // RtlCopyMemory()/memcpy() without validating if the size is greater or
    // equal to the size of KernelBuffer
    RtlCopyMemory((PVOID)KernelBuffer, UserBuffer, Size);
#endif
} __except (EXCEPTION_EXECUTE_HANDLER) {
    Status = GetExceptionCode();
    DbgPrint("[-] Exception Code: 0x%X\n", Status);
}
```
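As an added example (not code from this page or from the driver's authors), here is a portable C version of the check that the vulnerable branch above omits, which also serves the try...except discussion earlier: the caller-supplied size is validated against the destination capacity before the copy, so an oversized request is refused with a status code instead of overwriting the frame and the cookie and ending in the int 29 fast-fail path that `__except` never sees. The buffer size, status enum and helper names are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed destination size; stands in for the driver's local KernelBuffer. */
#define KERNEL_BUFFER_SIZE 512

typedef enum {
    COPY_OK = 0,
    COPY_ERR_INVALID_PARAM = 1,  /* NULL source or zero length */
    COPY_ERR_TOO_LARGE = 2       /* caller-supplied size exceeds capacity */
} copy_status;

/* Hypothetical hardened copy: the user-controlled size is checked against
 * the destination capacity before any byte is written, which is exactly
 * the check the vulnerable branch leaves out. */
copy_status bounded_copy(void *dst, size_t dst_capacity,
                         const void *src, size_t size)
{
    if (dst == NULL || src == NULL || size == 0)
        return COPY_ERR_INVALID_PARAM;
    if (size > dst_capacity)
        return COPY_ERR_TOO_LARGE;
    memcpy(dst, src, size);
    return COPY_OK;
}

/* Models the handler body: a fixed local buffer receives user data of a
 * user-chosen length. The result is reported as a status rather than
 * left to the GS cookie, whose failure path bypasses __except entirely. */
copy_status handle_user_request(const unsigned char *user_buffer, size_t size)
{
    unsigned char kernel_buffer[KERNEL_BUFFER_SIZE];
    memset(kernel_buffer, 0, sizeof kernel_buffer);
    return bounded_copy(kernel_buffer, sizeof kernel_buffer, user_buffer, size);
}

/* Constructs a request of `size` filler bytes and submits it; used to
 * exercise the in-range, boundary and oversize cases. */
copy_status simulate_request(size_t size)
{
    unsigned char *user_buffer = size ? malloc(size) : NULL;
    copy_status status;
    if (size && user_buffer == NULL)
        return COPY_ERR_INVALID_PARAM;
    if (user_buffer) memset(user_buffer, 'A', size);
    status = handle_user_request(user_buffer, size);
    free(user_buffer);
    return status;
}
```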
```c
DEBUG_INFO("\t\t[+] Mapping Shared Memory To Current Process Space\n");

// Map the shared memory in the process space of this process
SharedMappedMemoryAddress = MapViewOfFile(Sharedmemory, FILE_MAP_ALL_ACCESS, 0, 0, PageSize);
```