Andrew McGill emailed me with the following comments: > This is a nice technique - however it is quite probable that a > jmp esp instruction can be found which is preceeded by an > innocuous instruction ( add bx,si ; jmp esp ... ) ... "quite > probable" in the above means I haven't actually looked. That was a very good question. Actually, I thought about the above more after my original post and came up with the following. The basic concept is “there will be no void parameter function call or traditional WINAPI call”. For a void parameter function: 1. Call SomeVoidFunction() The compiler will generate this code such as: Push 0 Call SomeVoidFunction Add esp, 4 ; can be pop ecx etc. In the called function SomeVoidFunction itself, it is coded as: Add [esp+4], 0cch ret 2. Call SomeApiFunction(par1, par2 .. ) The compiler will generate this code such as: Push 0 Push .. Push par2 Push par1 Call SomeApiFunction ; PASCAL-style Add esp, 4 ; can be pop ecx, etc In the called function SomeApiFunction itself, it is coded as: Mov [esp+4+X << 2], 0cch ; where x is the parameter number Ret X << 2 3. For a normal C function with parameter, it is still coded as: add [esp+4], 0cch ret This method will work to call old existing libraries because it just wastes a few cycles with “push 0” and “add esp, 4”. However, the 0CCh-inserted libraries or object files will not work with old call methods (without extra push 0 and pop). Best regards Peter Huang For the latest update on this thread, pls visit http://members.rogers.com/yinrong/articles/BreakpointBufferFlow.htm
This archive was generated by hypermail 2b30 : Tue Feb 11 2003 - 06:13:52 PST