Re: searching through the address space of a process
From: dullien@gmx.de
Date: 10/14/01
Date: Sun, 14 Oct 2001 12:47:51 -0700
From: dullien@gmx.de
Message-ID: <62446652.20011014124751@gmx.de>
To: Franklin DeMatto <franklin.lists@qdefense.com>
Subject: Re: searching through the address space of a process

Hey Franklin,
FD> Is there a way for a process (i.e., shellcode) to search through its
FD> address space (looking for a particular string, etc.)? I'm interested
FD> particularly in doing this under Windows, although Unix would be nice
FD> also. Can this be done without using any API/syscalls, just in assembly alone?
FD> I can see two basic ways of doing it:
FD> 1) Determining the address space, and then searching it
FD> 2) Trying every block, but catching the gpf/segfault exceptions

Of course it can be done - it is quite easy under Windows as every
process can easily install its own exception handler through SEH
structures pointed to by FS:[0]. A lot of the old 29A virii used this
technique to scan for KERNEL32.DLL base address.

How long is the string you're looking for? If you're searching for a
dword-aligned dword value on a certain page, you might wanna look into
rep scasd ;)

Need source?

Cheers,
dullien@gmx.de
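
Added example, not part of the original message or its author's code: approach 1 from the question (determine the address space, then search it) on Linux, as a C routine that reads /proc/self/maps and scans only readable mappings, so no fault handling is needed. It relies on the OS rather than pure assembly; `find_in_self` and the 8-byte marker are hypothetical names and constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Scan every readable mapping of the calling process for `needle`.
   Stores up to max_hits match addresses in hits[]; returns the total found. */
size_t find_in_self(const void *needle, size_t nlen,
                    const void **hits, size_t max_hits)
{
    FILE *maps = fopen("/proc/self/maps", "r");      /* Linux-specific */
    char line[512];
    size_t found = 0;

    if (!maps || nlen == 0) { if (maps) fclose(maps); return 0; }
    while (fgets(line, sizeof line, maps)) {
        unsigned long lo, hi;
        char perms[5], name[64] = "";
        /* line format: start-end perms offset dev inode [path] */
        if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %63s", &lo, &hi, perms, name) < 3)
            continue;
        /* skip unreadable regions and kernel pages ([vvar], [vsyscall], [vdso]) */
        if (perms[0] != 'r' || strncmp(name, "[v", 2) == 0 || hi - lo < nlen)
            continue;
        const unsigned char *p = (const unsigned char *)lo;
        const unsigned char *last = (const unsigned char *)hi - nlen;
        for (; p <= last; p++) {
            p = memchr(p, *(const unsigned char *)needle, (size_t)(last - p) + 1);
            if (!p) break;                           /* first byte absent in the rest */
            if (memcmp(p, needle, nlen) == 0) {
                if (found < max_hits) hits[found] = p;
                found++;
            }
        }
    }
    fclose(maps);
    return found;
}

int main(void)
{
    unsigned char mark[8] = {0xde,0xc0,0xad,0x0b,0x13,0x37,0xfe,0xed}; /* constructed */
    char *buf = calloc(1, 4096);
    const void *hits[8];
    if (!buf) return 1;
    memcpy(buf + 100, mark, sizeof mark);            /* plant one copy on the heap */
    size_t n = find_in_self(mark, sizeof mark, hits, 8);
    for (size_t i = 0; i < n && i < 8; i++)
        printf("match at %p%s\n", hits[i], hits[i] == (void *)(buf + 100) ? " (planted)" : "");
    free(buf);
    return 0;
}
```

The scan also reports the copy of the marker held in the caller's own buffer, so expect at least two matches.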