Category: WINDOWS

2010-12-30 15:29:05

If you've coded shellcode before, you know that the code often needs to find the base address where kernel32.dll is loaded in memory. Most publicly available code expects the second entry in the "InInitializationOrder" list to be kernel32. Unfortunately, it seems that this is not the case in the public Windows 7 beta.

I've created a solution to this problem that should be able to find kernel32.dll on all versions of Windows with minimal code size increase. It works by walking the "InInitializationOrder" list mentioned above and checking the length of the name of the module: the Unicode string "kernel32.dll" is 12 characters long, so its terminating 0 sits at character index 12. From my (limited) testing, it seems that scanning for a 0 at byte offset 24 of the name (index 12 in UTF-16) allows the code to find kernel32.dll correctly.

More details can be found .

The code:
    XOR     ECX, ECX                    ; ECX = 0
    MOV     ESI, [FS:ECX + 0x30]        ; ESI = &(PEB) ([FS:0x30])
    MOV     ESI, [ESI + 0x0C]           ; ESI = PEB->Ldr
    MOV     ESI, [ESI + 0x1C]           ; ESI = PEB->Ldr.InInitOrder
next_module:
    MOV     EBP, [ESI + 0x08]           ; EBP = InInitOrder[X].base_address
    MOV     EDI, [ESI + 0x20]           ; EDI = InInitOrder[X].module_name (unicode)
    MOV     ESI, [ESI]                  ; ESI = InInitOrder[X].flink (next module)
    CMP     [EDI + 12*2], CL            ; modulename[12] == 0 ?
    JNE     next_module                 ; No: try next module.
                                        ; Yes: EBP = base address of kernel32.dll
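As an added example (not part of the original post, and not shellcode), the following Python models the list walk above so the two heuristics can be compared side by side: the "second entry" assumption versus the 12-character name test. The initialization orders and the filler byte are constructed for illustration, and the model also lists every name the length test would accept, which is the caveat to keep in mind when relying on it.

```python
# Added example (not from the original post): a model of the
# InInitializationOrder walk and of the "byte 24 of the name is 0" test.
from typing import List, Optional

FILLER = b"\xff"  # constructed: memory after the terminator is unspecified in reality

def name_buffer(name: str) -> bytes:
    """Model the loader's BaseDllName.Buffer: UTF-16LE text plus a 2-byte
    terminator, padded so byte 24 always exists (the shellcode reads it blindly)."""
    buf = name.encode("utf-16-le") + b"\x00\x00"
    return buf.ljust(26, FILLER)

def passes_length_test(name: str) -> bool:
    """The post's test, CMP [EDI + 12*2], CL with CL == 0: UTF-16 code unit 12
    is zero, i.e. the name is exactly 12 characters long."""
    return name_buffer(name)[24] == 0

def second_entry(init_order: List[str]) -> str:
    """The older heuristic: assume the second InInitializationOrder entry is kernel32."""
    return init_order[1]

def find_by_length(init_order: List[str]) -> Optional[str]:
    """The post's heuristic: first entry whose name is 12 UTF-16 characters long."""
    for mod in init_order:
        if passes_length_test(mod):
            return mod
    return None

def colliding_names(init_order: List[str]) -> List[str]:
    """Caveat check: every name the length test accepts, in list order.
    The walk is only correct while kernel32.dll is the first of these."""
    return [m for m in init_order if passes_length_test(m)]

# Constructed initialization orders (approximations, for illustration only).
XP_STYLE = ["ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll"]
WIN7_STYLE = ["ntdll.dll", "kernelbase.dll", "kernel32.dll", "user32.dll", "advapi32.dll"]

if __name__ == "__main__":
    for label, order in (("XP-style", XP_STYLE), ("Win7-style", WIN7_STYLE)):
        print(label, "second entry:", second_entry(order),
              "| length test:", find_by_length(order),
              "| all 12-char names:", colliding_names(order))
```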

NB. See  for a problem (and solution) on Win2K targets courtesy of aniway.
