Sponsored by: █ Sparkhost - Hosting Without Compromises! █ Hybrid Performance Web Hosting █ Spark Host Stream Hosting █ Hybrid IRC & IRCd Server Shell Accounts
Posted 12 February 2004 - 06:26 PM
Naw..i mailed HDM but havent got a response.
The 'Understanding Windows Shellcode' paper cited earlier in this thread covers the technique of walking down in increments of 16 pages (64KB) to locate the MZ header associated with kernel32 by taking an address that is known to be inside kernel32. It applies this technique with both walking the SEH list to the last handler as well as using a known offset from the top of the stack which is in the TEB. The latter ends up being about 25 bytes all told. Is this what you're describing?
When windows spawns a new process it calls CreateProcess which makes a call after the pe loader has done everything. So that means esp on entry is = to somewhere in kernel32. So if the compiler builds a stack frame like most vc++ apps then it'll do like:
push ebp mov ebp, esp
which means that you can do:
mov eax, [esp+4]; account for push ebp
and youll find somewhere in kernel32 where i just decriment 1 byte and check for MZ signiture then you can go from there.
like that code above i think would generate 15 bytes vs. 25 if you were trying to find the base.
Posted 12 February 2004 - 10:17 PM
The method you describe is definitely viable, just pointing out why it is approached differently in general.
Posted 13 February 2004 - 04:36 PM
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users