|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: GetPC code (was: Shellcode from ASCII)
From: Roland Postle (mail
blazde.co.uk)
Date: Thu Jun 26 2003 - 14:40:30 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thu, 26 Jun 2003 11:46:33 -0300, Gerardo Richarte wrote:
>Ok, first challenge: create a Get PC code with no zeros and no 0xff
>in it. sounds easy? hehe, it's not. However, we know it's possible,
>at least sometimes.
Not so generic, it's only for Windows NT, but I imagine similar things
could be done on other platforms if some guaranteed mapped space could
be found without null or 0xFF in it's address.
B9 D0FEFD7F MOV ECX,7FFDFED0
8B01 MOV EAX,DWORD PTR DS:[ECX]
C701 5B53C341 MOV DWORD PTR DS:[ECX],41C3535B
E8 D8DFBD7F CALL 7FFDFED0
8901 MOV DWORD PTR DS:[ECX],EAX
First thoughts on the second challenge: You can't use any of the call
opcodes, but you might be able to setup a quick exception handler in
the known mapped space. Cause a fault, and then find the address of
your fault causing instruction in the structure that's passed. (Again
I'm talking NT).
- Blazde
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]