Security Basics
Windows shellcode Jun 07 2012 02:57PM
Robert Larsen (robert the-playground dk) (1 replies)
Hi all

I'm trying to get my head around Skape's Windows shellcoding paper and
things are going well.

Except for one thing...finding kernel32.dll using the PEB.

While reading the assembly I follow the definition of the structures on
MSDN and one of them, PEB_LDR_DATA, doesn't quite match the code.

The code (skipping the Windows 9x version) begins with:

find_kernel_32:
    push esi
    xor eax, eax            ; eax = 0 (second operand was missing in the listing)
    mov eax, fs:[eax+0x30]  ; Address of PEB
    mov eax, [eax+0x0c]     ; Address of LDR (PEB.Ldr)
    mov esi, [eax+0x1c]     ; Supposedly address of first entry

The last one is the one I am having trouble with because MSDN says that
the LDR looks like this:

typedef struct _PEB_LDR_DATA {
BYTE Reserved1[8];
PVOID Reserved2[3];
LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _LIST_ENTRY {
struct _LIST_ENTRY *Flink;
struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;

I would think that the InMemoryOrderModuleList entry (and thus the Flink
pointer) is located 20 bytes (0x14) down...below an array of eight
bytes + an array of three pointers. So why load [eax+0x1c] into esi?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/QwWQACgkQzDMeisFqGZYlVgCgypPgVxHHm2Ikc0iUpvM+fK6g
ayYAoMzfPDRCExarcYBBthoxjl/LK0iC
=pxtb
-----END PGP SIGNATURE-----

[ reply ]
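The offsets behind the question, as an added example that is not part of the post or of Skape's paper. MSDN's Reserved1[8]/Reserved2[3] stand for Length, Initialized, SsHandle and InLoadOrderModuleList, so InMemoryOrderModuleList really is at 0x14; the shellcode reads 0x1c, which is the next list, InInitializationOrderModuleList. The code below lays out both struct versions with 32-bit pointer types so offsetof() reports x86 offsets on any host, builds a constructed in-memory PEB/Ldr/module list (all addresses and image bases are hypothetical values picked for the demo), and then executes the four NT-path instructions from the paper one by one against that image to show why the second initialisation-order entry is kernel32.dll.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 32-bit layouts. Pointers are modelled as uint32_t so that offsetof()
 * yields the x86 offsets the shellcode uses even on a 64-bit host. */
typedef struct { uint32_t Flink; uint32_t Blink; } LIST_ENTRY32;

/* PEB_LDR_DATA exactly as MSDN documents it. */
typedef struct {
    uint8_t      Reserved1[8];
    uint32_t     Reserved2[3];
    LIST_ENTRY32 InMemoryOrderModuleList;           /* 0x14 */
} PEB_LDR_DATA32_MSDN;

/* The same structure with the undocumented fields named. */
typedef struct {
    uint32_t     Length;                            /* 0x00 */
    uint32_t     Initialized;                       /* 0x04 (BOOLEAN + padding) */
    uint32_t     SsHandle;                          /* 0x08 */
    LIST_ENTRY32 InLoadOrderModuleList;             /* 0x0c */
    LIST_ENTRY32 InMemoryOrderModuleList;           /* 0x14 */
    LIST_ENTRY32 InInitializationOrderModuleList;   /* 0x1c  <- [eax+0x1c] */
} PEB_LDR_DATA32;

/* Leading part of LDR_DATA_TABLE_ENTRY; each list threads a different LIST_ENTRY. */
typedef struct {
    LIST_ENTRY32 InLoadOrderLinks;                  /* 0x00 */
    LIST_ENTRY32 InMemoryOrderLinks;                /* 0x08 */
    LIST_ENTRY32 InInitializationOrderLinks;        /* 0x10 */
    uint32_t     DllBase;                           /* 0x18 = init links + 8 */
    uint32_t     EntryPoint;                        /* 0x1c */
    uint32_t     SizeOfImage;                       /* 0x20 */
} LDR_DATA_TABLE_ENTRY32;

/* Constructed 32-bit address space standing in for the target process. */
#define VA_BASE 0x00300000u
#define VA_SIZE 0x1000u
static uint8_t image[VA_SIZE];

static uint32_t rd32(uint32_t va)
{
    uint32_t off = va - VA_BASE;
    if (off > VA_SIZE - 4) { fprintf(stderr, "fault reading %08x\n", va); exit(1); }
    return (uint32_t)image[off] | (uint32_t)image[off + 1] << 8 |
           (uint32_t)image[off + 2] << 16 | (uint32_t)image[off + 3] << 24;
}

static void wr32(uint32_t va, uint32_t v)
{
    uint32_t off = va - VA_BASE;
    if (off > VA_SIZE - 4) { fprintf(stderr, "fault writing %08x\n", va); exit(1); }
    image[off] = (uint8_t)v;           image[off + 1] = (uint8_t)(v >> 8);
    image[off + 2] = (uint8_t)(v >> 16); image[off + 3] = (uint8_t)(v >> 24);
}

/* Hypothetical addresses chosen for the demo, not real process values. */
#define PEB_VA        0x00300000u
#define LDR_VA        0x00300100u
#define NTDLL_BASE    0x7c900000u
#define KERNEL32_BASE 0x7c800000u
#define USER32_BASE   0x7e410000u

/* Build PEB -> Ldr -> InInitializationOrderModuleList in the XP-era order
 * ntdll.dll, kernel32.dll, user32.dll (circular, doubly linked). */
static void build_image(void)
{
    const uint32_t entry_va[3] = { 0x00300200u, 0x00300300u, 0x00300400u };
    const uint32_t base[3]     = { NTDLL_BASE, KERNEL32_BASE, USER32_BASE };
    uint32_t head = LDR_VA + offsetof(PEB_LDR_DATA32, InInitializationOrderModuleList);
    uint32_t prev = head;

    memset(image, 0, sizeof image);
    wr32(PEB_VA + 0x0c, LDR_VA);                        /* PEB.Ldr */
    for (int i = 0; i < 3; i++) {
        uint32_t link = entry_va[i] + offsetof(LDR_DATA_TABLE_ENTRY32, InInitializationOrderLinks);
        wr32(prev, link);                               /* previous.Flink = this link field */
        wr32(link + 4, prev);                           /* this.Blink = previous */
        wr32(entry_va[i] + offsetof(LDR_DATA_TABLE_ENTRY32, DllBase), base[i]);
        prev = link;
    }
    wr32(prev, head);                                   /* last.Flink = head */
    wr32(head + 4, prev);                               /* head.Blink = last */
}

/* The paper's NT path, one instruction per statement, run against the image.
 * 'peb' stands in for what "mov eax, fs:[eax+0x30]" loads. */
static uint32_t find_kernel32_nt(uint32_t peb)
{
    uint32_t eax = rd32(peb + 0x0c); /* mov eax, [eax+0x0c] : PEB.Ldr                            */
    uint32_t esi = rd32(eax + 0x1c); /* mov esi, [eax+0x1c] : InInitializationOrderModuleList.Flink
                                                              = &ntdll_entry.InInitializationOrderLinks */
    eax = rd32(esi);                 /* lodsd               : ntdll's Flink = &kernel32_entry.InInit...Links */
    return rd32(eax + 0x08);         /* mov eax, [eax+0x08] : kernel32_entry.DllBase (links + 8)   */
}

uint32_t demo_find_kernel32(void)
{
    build_image();
    return find_kernel32_nt(PEB_VA);
}

int main(void)
{
    printf("MSDN   InMemoryOrderModuleList         @ 0x%02zx\n", offsetof(PEB_LDR_DATA32_MSDN, InMemoryOrderModuleList));
    printf("Actual InMemoryOrderModuleList         @ 0x%02zx\n", offsetof(PEB_LDR_DATA32, InMemoryOrderModuleList));
    printf("Actual InInitializationOrderModuleList @ 0x%02zx\n", offsetof(PEB_LDR_DATA32, InInitializationOrderModuleList));
    printf("find_kernel32_nt -> 0x%08x\n", demo_find_kernel32());
    return 0;
}
```

The lodsd in the paper is what makes the 0x1c choice work: after it, eax points at the second entry's InInitializationOrderLinks, and DllBase sits 8 bytes past that field, hence [eax+0x08]. The trick depends on kernel32.dll being the second module to initialise, which held on XP; from Windows 7 on kernelbase.dll occupies that slot, which is why later shellcode walks InMemoryOrderModuleList and compares the module name instead of trusting a fixed position.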
Re: Windows shellcode Jun 08 2012 08:50AM
Robert Larsen (robert the-playground dk)
Privacy Statement
Copyright 2010, SecurityFocus