On Tue, 16 Nov 1999 14:00:31 PST, Jeremy Kothe wrote:

> Using checksums of function names instead of the actual names, and an
> optimized GetProcAddress routine, results in generic code of about 200 bytes
> which can locate kernel32 and get the addresses of any functions,
> completely irrespective of the version of Windows.

Well, IMO using such a routine is not necessary for something like a buffer overflow in a Ring3 program under NT. In the win32 environment, all your applications that reside in the pageable memory pool (ALL user-mode apps) will always be loaded at a fixed base address. In that scenario, you can just as well use hard-coded addresses, namely those of the functions in the PE header of the exploited program.

The only exceptions to this are DLLs, which are sometimes (only in case of a collision with already loaded DLLs) relocated, and R0 device drivers (which are always relocated due to the nature of the nonpaged pool in NT).

So, all in all, if I am going to overflow a simple NT Server there's no need for me to actually go to the pain of coding my own GetProcAddress routine; I know the program I am trying to overflow and can use hard-coded values in my header files for the assembler. (This is different from a virus programmer's perspective; in that case your proposal would be quite in place.)

On the other hand of course, if I am attacking either a DLL or a driver (drivers are especially interesting ;) I would need to follow your layout.

Thomas Dullien
dullienat_private
Win32 Security Consultant ;-> Hire me !
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:13:12 PDT