Here I am again with shellcoding questions ... bear with me, its hard to find info on this subject other than txts with 2 pages of assembly codes that constitutes a remote, http-trojan downloading, all portable, optimized shellcodes that I can't even begin to assimilate. I'm just trying a simple ExitProcess shellcode, hardcoded address. (By the way, this is on win32.) kernel32.dll imagebase= 0x77E80000 ExitProcess RVA = 0x0000F32D Got these from DUMPPE, added them together to get 0x77E8F32D for ExitProcess address. Pretty sure thats the right way to get address. To test it out, I wrote a program that used inline assembly with that address. ----------------------------------------------------- #include <windows.h> int main() { HINSTANCE h; h = LoadLibrary("kernel32.dll"); __asm(" xor %edi, %edi push %edi call 0x77E8F32D "); FreeLibrary(h); } ---------------------------------------------------- The program runs fine. No errors, no problems at all, so i'm assuming it worked just fine. When disassembled in Gdb(win32 port), I followed from xor edi, edi with x/bx to get the opcodes 0x31, 0xFF, 0x57 for the xor and push; which doesn't seem right. 0xE8 for call, and and then 0xF9, 0xE0, 0xA8 and 0x77. I assume it loaded into memory at diferent addresses and got addresses changed, no biggy. I put the codes into a char array shellcode, and put my original address in after the 0xE8 backwards (I think thats how to do it.) and it errors out. I've tried rearranging the address all possible combinations, so I don't think thats the problem. -------------------------------------------------------- #include <windows.h> char shellcode[] = "\x31\xFF\x57\xE8" // opcodes gotten from gdb "\x2D\xF3\xE8\x77"; // address backwards. int main(void) { HINSTANCE h; h = LoadLibrary("kernel32.dll"); ((void (*)(void)) &shellcode)(); FreeLibrary(h); } ----------------------------------------------------- I'm getting lost now ... this was so much easier on unix. if anyone would like to help me out, i'd appreciate it. deepcode _________________________________________________________________ The new MSN 8: advanced junk mail protection and 2 months FREE* http://join.msn.com/?page=features/junkmail
This archive was generated by hypermail 2b30 : Thu Jul 24 2003 - 12:40:02 PDT