exit的shellcode

在linux下输入man 3 exit

[root@localhost ~]# man 3 exit

得到

 

NAME       exit - cause normal process terminationSYNOPSIS       #include <stdlib.h>       void exit(int status);DESCRIPTION       The exit() function causes normal process termination and the value of status & 0377 is returned to the parent (see wait(2)).       All functions registered with atexit(3) and on_exit(3) are called, in the reverse order of their registration.  (It is possible for one of these       functions to use atexit(3) or on_exit(3) to register an additional function to be executed during exit processing; the new registration is added       to  the  front of the list of functions that remain to be called.)  If one of these functions does not return (e.g., it calls _exit(2), or kills       itself with a signal), then none of the remaining functions is called, and further exit processing (in particular, flushing of stdio(3) streams)       is  abandoned.  If a function has been registered multiple times using atexit(3) or on_exit(3), then it is called as many times as it was regis-       tered.       All open stdio(3) streams are flushed and closed.  Files created by tmpfile(3) are removed.       The C standard specifies two constants, EXIT_SUCCESS and EXIT_FAILURE, that may be passed to exit() to indicate successful or unsuccessful  ter-       mination, respectively.RETURN VALUE       The exit() function does not return.

exit只有一个参数，那就是状态。我一般设置状态为0 ，在C语言中调用就是

exit(0);

上面用linux汇编语言实现：

;exit.asm[SECTION .text]global _start_start:        xor eax, eax       ;exit is syscall 1        mov al, 1       ;exit is syscall 1        xor ebx,ebx     ;zero out ebx        int 0x80

exit的系统调用号是1，状态是0，于是eax设置为1，ebx设置为0，再调用0x80号中断。

在linux上编译：

[root@localhost shellcode]# nasm -f elf exit.asm 

连接：

[root@localhost shellcode]# ld -o exiter exit.o 

生成了exiter，然后对exiter进行反汇编：

[root@localhost shellcode]# objdump -d exiter

显示：

exiter:     file format elf32-i386Disassembly of section .text:08048060 <_start>: 8048060:       31 c0                   xor    %eax,%eax 8048062:       b0 01                   mov    $0x1,%al 8048064:       31 db                   xor    %ebx,%ebx 8048066:       cd 80                   int    $0x80

于是，shellcode就是\x31\xc0\xb0\x01\x31\xdb\xcd\x80