Aiee :) Hello! On Sun, Oct 14, 2001 at 12:32:10AM -0400, Franklin DeMatto wrote: > Is there a way for a process (i.e., shellcode) to search through its > address space (looking for a particular string, etc.)? I'm interested Sure. > particularly in doing this under Windows, although Unix would be nice > also. Can this be done without using any API/syscalls, just in assembly alone? I do nothing about doing it under Windows, but you can achieve this quite easly under Unix; Just look for "Return in LibC" in BugtraQ archives by Solar Designer (indeed, that article is much more than you need) or just take a look at the attached example. > 1) Determining the address space, and then searching it You don't have to determine the exact address space since you'll get segfault if you're going outside it. > 2) Trying every block, but catching the gpf/segfault exceptions Just trap segfault (since GP will cause a segfault to be delivered to the process causing it). This is basically what the example does (starting from a libc function address), trapping SIGSEGV, using setjmp/longjmp pair (as non local goto) to change the search direction (you'll change search direction when you catch SIGSEGV, i.e. you're going outside your process address space). Hope it helps just a little bit > Franklin > > > > Franklin DeMatto > Senior Analyst, qDefense Penetration Testing > http://qDefense.com > qDefense: Making Security Accessible bye bye -- gg sullivan -- Lorenzo Cavallaro `Gigi Sullivan' <sullivanat_private> Until I loved, life had no beauty; I did not know I lived until I had loved. (Theodor Korner)
This archive was generated by hypermail 2b30 : Mon Oct 15 2001 - 08:38:39 PDT