Hosting Provided By

Re: Getting Base Address using the Structured Exception Handler

From: Costin Ionescu <costin.ionescu(at)fokus.fraunhofer.de>
Date: Thu Jun 26 2003 - 07:23:31 EDT

Nobody Mind wrote:

>I basically am wondering if anyone has links or can
Because installing a SEH means that you get execution control when your thread causes an exception.
If you want to find the base of kernel32 you just access some pages where you think it is
(around 0xBFF70000 on Win9x, around 0x77F0000/0x77E80000 on WinNT/2K/XP). If the kernel isn't there
either those pages are not allocated and accessing them will cause a General Protection Fault, either the
pages are allocated but there is something else there and you can find that out by verifying some info that
is specific for kernel32.
So when a GPF is raised the OS will pass the execution control to the SEH handlers. And so you can probe
for valid memory pages without terminating the process and having that annoing message box
(This application has performed an illegal operation and will be terminated).

ico Received on Thu Jun 26 12:04:29 2003

This message: [ Message body ]
Next message: Gerardo Richarte: "GetPC code (was: Shellcode from ASCII)"
Previous message: dave(at)immunitysec.com: "Re: Getting Base Address using the Structured Exception Handler"
In reply to Nobody Mind: "Getting Base Address using the Structured Exception Handler"
Next in thread: sk: "Re: Getting Base Address using the Structured Exception Handler"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:07:40 EDT