static dll's for windows buffer overflows

From: Franklin DeMatto (franklin.listsat_private)
Date: Sun Sep 23 2001 - 21:35:55 PDT

Windows buffer overflows almost always require knowledge of offsets in DLLs. Even if an RVA is used, usually one offset is still known, to jmp to where the code is (e.g., let's say the shellcode is pointed to by eax; we need to know the offset of somewhere to jmp eax). Which DLLs are the most static? For the jmp instruction, we can use any DLL, as long as it has those bytes (i.e., we are not limited to kernel, user, and gdi). Which DLLs are the best to use, and why?

(BTW, I would like to suggest that the term "buffer overflow" be replaced with the term "memory overwrite," as there are many forms besides buffer overflow, such as format string, malloc(0) mangling, etc.)

Franklin DeMatto
Senior Analyst, qDefense Penetration Testing
http://qDefense.com
qDefense: Making Security Accessible

This archive was generated by hypermail 2b30 : Sun Sep 23 2001 - 22:22:11 PDT