在linux下输入man 3 exit
[root@localhost ~]# man 3 exit得到
NAME
exit - cause normal process termination
SYNOPSIS
#include <stdlib.h>
void exit(int status);
DESCRIPTION
The exit() function causes normal process termination and the value of status & 0377 is returned to the parent (see wait(2)).
All functions registered with atexit(3) and on_exit(3) are called, in the reverse order of their registration. (It is possible for one of these
functions to use atexit(3) or on_exit(3) to register an additional function to be executed during exit processing; the new registration is added
to the front of the list of functions that remain to be called.) If one of these functions does not return (e.g., it calls _exit(2), or kills
itself with a signal), then none of the remaining functions is called, and further exit processing (in particular, flushing of stdio(3) streams)
is abandoned. If a function has been registered multiple times using atexit(3) or on_exit(3), then it is called as many times as it was regis-
tered.
All open stdio(3) streams are flushed and closed. Files created by tmpfile(3) are removed.
The C standard specifies two constants, EXIT_SUCCESS and EXIT_FAILURE, that may be passed to exit() to indicate successful or unsuccessful ter-
mination, respectively.
RETURN VALUE
The exit() function does not return.exit只有一个参数,那就是状态。我一般设置状态为0 ,在C语言中调用就是
exit(0);上面用linux汇编语言实现:
;exit.asm
[SECTION .text]
global _start
_start:
xor eax, eax ;exit is syscall 1
mov al, 1 ;exit is syscall 1
xor ebx,ebx ;zero out ebx
int 0x80exit的系统调用号是1,状态是0,于是eax设置为1,ebx设置为0,再调用0x80号中断。
在linux上编译:
[root@localhost shellcode]# nasm -f elf exit.asm连接:
[root@localhost shellcode]# ld -o exiter exit.o生成了exiter,然后对exiter进行反汇编:
[root@localhost shellcode]# objdump -d exiter显示:
exiter: file format elf32-i386
Disassembly of section .text:
08048060 <_start>:
8048060: 31 c0 xor %eax,%eax
8048062: b0 01 mov $0x1,%al
8048064: 31 db xor %ebx,%ebx
8048066: cd 80 int $0x80于是,shellcode就是\x31\xc0\xb0\x01\x31\xdb\xcd\x80
