Re: Getting Base Address using the Structured Exception Handler

From: Gerardo Richarte (gera_at_corest.com)
Date: 06/26/03

  • Next message: Gerardo Richarte: "Re: Shellcode from ASCII" 
    Date: Thu, 26 Jun 2003 12:24:45 -0300
To: vuln-dev@securityfocus.com

    Gerardo Richarte wrote:

    > 2nd trick:
    > I think I like it, if it works...
    > to know the address of ntdll.dll may be easy using SEH:
    > ntdll.dll calls the exception handler, and as call "is synonim" for push eip/jmp,
    > ntdll.dll is pushing its own address in the stack before execution the exception
    > handler. Now, if the exception handler you install, gets the return address from
    > the stack (pop eax), and uses compares to a list of known ntdll.dll addresses,
    > it will be easy to find out the version of ntdll.dll. Then, if you can, somehow,
    > infer the version of kernel32.dll from the version of ntdll.dll, well... Bingo!

        Yeah, I know this is about to become insane (answering myself so many times I mean),
    but well...

        I think it'll be easier to learn to use

        LdrGetDllHandle()
        LdrGetProcedureAddress()
        LdrLoadDll()
        and probably LdrUnloadDll()

        (use The Oracle [google] to find out info about them)

        They look pretty promising.

        And then, once again as hernan told me, it may be enough to mask out the least
    significant bits of the return address (address after the call in ntdll.dll:KiUserExceptionDispatcher())
    to get ntdll.dll's base address. Then with that, we could walk the PE header and get
    the address of LdrGetProcedureAddress (if that's enough), or use a table stored
    in our code, as used in the first example (in a previous email)...

        gera

  • Next message: Gerardo Richarte: "Re: Shellcode from ASCII"