Hey Franklin,

FD> Is there a way for a process (i.e., shellcode) to search through its
FD> address space (looking for a particular string, etc.)? I'm interested
FD> particularly in doing this under Windows, although Unix would be nice
FD> also. Can this be done without using any API/syscalls, just in assembly alone?
FD> I can see two basic ways of doing it:
FD> 1) Determining the address space, and then searching it
FD> 2) Trying every block, but catching the gpf/segfault exceptions

Of course it can be done - it is quite easy under Windows as every process
can easily install its own exception handler through SEH structures pointed
to by FS:[0]. A lot of the old 29A virii used this technique to scan for the
KERNEL32.DLL base address.

How long is the string you're looking for? If you're searching for a
dword-aligned dword value on a certain page, you might wanna look into
rep scasd ;)

Need source?

Cheers,
dullienat_private
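The "try every block and catch the fault" approach from the quoted question, as an added example that is not part of the original thread: it is the POSIX counterpart of the FS:[0] SEH trick, a SIGSEGV handler built on sigsetjmp/siglongjmp so the scan survives unmapped or PROT_NONE pages instead of crashing. The needle, the four-page layout and the helper names are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

static sigjmp_buf probe_jmp;                 /* fault handler lands back here */
static void on_fault(int sig) { (void)sig; siglongjmp(probe_jmp, 1); }

/* Touch one byte of a page with a SIGSEGV handler installed: a fault returns
 * through sigsetjmp, so an unmapped or PROT_NONE page simply reports 0. */
static int page_readable(const unsigned char *p) {
    struct sigaction sa = {0}, old; int ok = 0;
    sa.sa_handler = on_fault; sa.sa_flags = SA_NODEFER; /* may fire again on next probe */
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(probe_jmp, 1) == 0) { *(volatile const unsigned char *)p; ok = 1; }
    sigaction(SIGSEGV, &old, NULL);          /* restore whatever handler was there */
    return ok;
}

static const void *find_in(const unsigned char *lo, const unsigned char *hi,
                           const void *needle, size_t n) {
    for (const unsigned char *p = lo; p + n <= hi; p++)
        if (memcmp(p, needle, n) == 0) return p;
    return NULL;
}

/* Walk [start, end) page by page and search each contiguous readable run,
 * so a match straddling two readable pages is still found. */
const void *scan_range(const unsigned char *start, const unsigned char *end,
                       const void *needle, size_t n) {
    uintptr_t ps = (uintptr_t)sysconf(_SC_PAGESIZE);
    const unsigned char *page = (const unsigned char *)((uintptr_t)start & ~(ps - 1));
    const unsigned char *run = NULL;
    for (; page < end; page += ps) {
        if (page_readable(page)) { if (!run) run = page > start ? page : start; continue; }
        if (run) { const void *hit = find_in(run, page, needle, n); if (hit) return hit; run = NULL; }
    }
    return run ? find_in(run, end, needle, n) : NULL;
}

#define NEEDLE "SECRET-TOKEN"                /* constructed sample value */
/* Constructed layout: token straddling pages 0/1, page 2 PROT_NONE, token in page 3. */
unsigned char *build_layout(size_t *len) {
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *m = mmap(NULL, 4 * ps, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED) return NULL;
    memcpy(m + ps - 4, NEEDLE, sizeof NEEDLE - 1);
    memcpy(m + 3 * ps + 100, NEEDLE, sizeof NEEDLE - 1);
    mprotect(m + 2 * ps, ps, PROT_NONE);
    *len = 4 * ps;
    return m;
}
```

Only SIGSEGV is caught here; a file-backed mapping truncated beneath you raises SIGBUS instead, which a production prober would handle the same way.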
This archive was generated by hypermail 2b30 : Sun Oct 14 2001 - 21:39:49 PDT