Re: searching through the address space of a process

From: John Hillman (phsion11at_private)
Date: Sun Oct 14 2001 - 16:44:28 PDT


    I'm not sure if this is what you mean, but try www.gamehacking.com and look 
    through the tutorials on trainer making.  It will have all the WIN API calls 
    to change and search for a value somewhere in an app's memory.
    
    
    >From: Franklin DeMatto <franklin.listsat_private>
    >To: vuln-devat_private
    >Subject: searching through the address space of a process
    >Date: Sun, 14 Oct 2001 00:32:10 -0400
    >Message-Id: <4.2.2.20011014002808.00ad76e8at_private>
    >
    >Is there a way for a process (i.e., shellcode) to search through its
    >address space (looking for a particular string, etc.)?  I'm interested
    >particularly in doing this under Windows, although Unix would be nice
    >also.  Can this be done without using any API/syscalls, just in assembly 
    >alone?
    >
    >I can see two basic ways of doing it:
    >1) Determining the address space, and then searching it
    >2) Trying every block, but catching the gpf/segfault exceptions
    >
    >However, I do not know how to implement either one.
    >
    >Franklin
    >
    >
    >
    >Franklin DeMatto
    >Senior  Analyst, qDefense Penetration Testing
    >http://qDefense.com
    >qDefense: Making Security Accessible
    >
    
    
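The two approaches Franklin lists, as an added example that is not code from this thread or from the gamehacking.com tutorials: approach 1 enumerates the address space (on Linux by parsing /proc/self/maps; the Windows equivalent is walking VirtualQuery regions) and scans every readable mapping, and approach 2 touches memory under a SIGSEGV/SIGBUS guard built from sigsetjmp/siglongjmp (the Windows equivalent is __try/__except around the read) so an unmapped page is skipped instead of killing the process. The function and marker names are this example's own, and the marker string is constructed test data; it is stored reversed so the only forward copies in memory are the ones built at run time, and a match at the needle's own address is ignored, which is the trap every memory scanner has to handle.

```c
/* Added example: a Linux process searching its own address space.
 * Assumptions: Linux with /proc, glibc; demo names are hypothetical. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

static sigjmp_buf fault_jmp;
static volatile sig_atomic_t fault_armed;

/* Approach 2: a fault while armed unwinds back to the sigsetjmp() caller. */
static void on_fault(int sig)
{
    if (fault_armed) siglongjmp(fault_jmp, 1);
    signal(sig, SIG_DFL);            /* fault outside a guard: die normally */
    raise(sig);
}

static void install_fault_handler(void)
{
    static int installed;
    struct sigaction sa;
    if (installed) return;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sa.sa_flags = SA_NODEFER;        /* handler longjmps out; keep signal unblocked */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);
    installed = 1;
}

/* Returns 1 if the byte at addr can be read, 0 if the read faults. */
int probe_readable(const void *addr)
{
    volatile int ok = 0;             /* volatile: value survives the siglongjmp */
    install_fault_handler();
    fault_armed = 1;
    if (sigsetjmp(fault_jmp, 1) == 0) {
        (void)*(volatile const unsigned char *)addr;
        ok = 1;
    }
    fault_armed = 0;
    return ok;
}

/* Plain byte search over [lo, hi); the needle's own copy is skipped. */
static const void *search_region(const unsigned char *lo, const unsigned char *hi,
                                 const unsigned char *needle, size_t n)
{
    for (const unsigned char *p = lo; p + n <= hi; p++)
        if (p != needle && memcmp(p, needle, n) == 0) return p;
    return NULL;
}

/* Same search under the fault guard: a mapping that faults when read
 * (e.g. [vvar] or a truncated file mapping) is abandoned, not fatal. */
static const void *guarded_search(const unsigned char *lo, const unsigned char *hi,
                                  const unsigned char *needle, size_t n)
{
    const void *volatile hit = NULL;
    install_fault_handler();
    fault_armed = 1;
    if (sigsetjmp(fault_jmp, 1) == 0) hit = search_region(lo, hi, needle, n);
    fault_armed = 0;
    return hit;
}

/* Approach 1: walk /proc/self/maps and search every readable mapping. */
const void *find_in_address_space(const unsigned char *needle, size_t n)
{
    FILE *maps = fopen("/proc/self/maps", "r");
    char line[512];
    const void *hit = NULL;
    if (!maps) return NULL;
    while (!hit && fgets(line, sizeof line, maps)) {
        unsigned long lo, hi; char perms[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, perms) != 3) continue;
        if (perms[0] != 'r') continue;           /* not readable: skip */
        if (hi - lo > (1UL << 28)) continue;     /* skip huge reservations */
        hit = guarded_search((const unsigned char *)lo, (const unsigned char *)hi,
                             needle, n);
    }
    fclose(maps);
    return hit;
}

/* Constructed test data, stored reversed (see lead-in). */
static const char reversed[] = "1002-REKRAM-FEDQ";
static unsigned char marker[sizeof reversed];

/* Returns 1 if the scan locates the marker at exactly marker's own address. */
int demo_find_marker(void)
{
    size_t n = sizeof reversed - 1;
    unsigned char *needle = malloc(n);
    volatile unsigned char *m = marker;      /* volatile: force run-time stores */
    int found;
    for (size_t i = 0; i < n; i++) m[i] = needle[i] = (unsigned char)reversed[n - 1 - i];
    found = find_in_address_space(needle, n) == (const void *)marker;
    free(needle);
    return found;
}

/* Returns 1 if a readable page probes as readable and a PROT_NONE page does not. */
int probe_self_test(void)
{
    void *none = mmap(NULL, 4096, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int result;
    if (none == MAP_FAILED) return -1;
    result = probe_readable(marker) && !probe_readable(none);
    munmap(none, 4096);
    return result;
}

int main(void)
{
    printf("probe self-test: %d\n", probe_self_test());
    printf("marker found at its own address: %d\n", demo_find_marker());
    return 0;
}
```

Approach 2 alone is not practical on its own over a 64-bit address space (probing page by page would take billions of faults), which is why the scan combines the two: the map walk picks the candidate ranges and the guard only absorbs the occasional mapping that lies about being readable. Shellcode that cannot call any API at all has neither /proc nor sigaction and must fall back to walking structures it already knows the address of (on Windows, the PEB loader lists reachable through the TEB), which is a different technique from what is shown here.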
    



    This archive was generated by hypermail 2b30 : Sun Oct 14 2001 - 21:42:22 PDT