Bugtraq mailing list archives

Re: hard-coded windows exploits


From: dullien () GMX DE (Thomas Dullien)
Date: Wed, 17 Nov 1999 20:22:25 +0100


On Tue, 16 Nov 1999 14:00:31 PST, Jeremy Kothe wrote:

> Using checksums of function names instead of the actual names, and an
> optimized GetProcAddress routine, results in generic code of about 200 bytes
> which can locate kernel32 and get the addresses of any functions,
> completely irrespective of the version of Windows.

Well, IMO using such a routine is not necessary for something like a buffer
overflow in a Ring3-Program under NT. In the win32 environment, all your
applications that reside in the pageable memory pool (ALL User-Mode Apps)
will always be loaded at a fixed base address. In that scenario, you can
just as well use hard-coded addresses, namely those of the functions in the
PE-Header of the exploited program. 
The only exceptions to this are DLLs, which are sometimes (only in case of
a collision with already loaded DLLs) relocated, and R0 device drivers (which 
are always relocated due to the nature of the nonpaged pool in NT).
So, all in all, if I am going to overflow a simple NT Server, there's no need for me to
actually go to the pain of coding my own GetProcAddress routine; I know the
program I am trying to overflow and can use hard-coded values in my header
files for the assembler. (This is different from a virus programmer's
perspective; in that case your proposal would be quite in place.)
On the other hand, of course, if I am attacking either a DLL or a driver (drivers
are especially interesting ;) I would need to follow your layout.

Thomas Dullien
dullien () gmx de
Win32 Security Consultant ;-> Hire me !


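The "checksum of the function name" lookup the two posters are debating, as an added example that is not code from either of them or from the original thread. It walks a PE export directory the way a version-independent GetProcAddress replacement in shellcode does: hash each exported name, match the hash against the wanted value, and map the hit through the ordinal table to the function RVA. Assumptions: the header offsets follow the PE/COFF specification (PE32 and PE32+); the rotate-right-13 hash is a common later shellcode choice, not necessarily the checksum Kothe used; the module image is a constructed in-memory stand-in for kernel32, so the code runs offline; and finding the module base in the first place (the "locate kernel32" step) is not shown.

```c
/* Added example: resolve exports by a hash of the name instead of the name
 * itself, against a constructed PE image (hypothetical, not a real kernel32). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint32_t rd32(const uint8_t *b, uint32_t rva) { uint32_t v; memcpy(&v, b + rva, 4); return v; }
static uint16_t rd16(const uint8_t *b, uint32_t rva) { uint16_t v; memcpy(&v, b + rva, 2); return v; }
static void wr32(uint8_t *b, uint32_t rva, uint32_t v) { memcpy(b + rva, &v, 4); }
static void wr16(uint8_t *b, uint32_t rva, uint16_t v) { memcpy(b + rva, &v, 2); }

/* Rotate-right-13 accumulate hash over the export name (assumed hash, see lead-in). */
uint32_t hash_name(const char *s) {
    uint32_t h = 0;
    for (; *s; s++) {
        h = (h >> 13) | (h << 19);
        h += (uint8_t)*s;
    }
    return h;
}

/* e_lfanew -> IMAGE_NT_HEADERS -> OptionalHeader.DataDirectory[0]; 0 if not a PE. */
uint32_t find_export_dir(const uint8_t *base) {
    uint32_t nt = rd32(base, 0x3C);
    if (base[0] != 'M' || base[1] != 'Z' || memcmp(base + nt, "PE\0\0", 4) != 0)
        return 0;
    uint32_t opt = nt + 0x18;                    /* Signature (4) + FileHeader (20) */
    uint32_t dd = rd16(base, opt) == 0x20b ? 0x70 : 0x60;   /* PE32+ vs PE32 */
    return rd32(base, opt + dd);                 /* export directory RVA */
}

/* Hash every name in AddressOfNames; on a hit, AddressOfNameOrdinals[i] is the
 * index into AddressOfFunctions. Returns the function RVA, 0 if nothing matches. */
uint32_t resolve_by_hash(const uint8_t *base, uint32_t want) {
    uint32_t exp = find_export_dir(base);
    if (!exp) return 0;
    uint32_t n_names  = rd32(base, exp + 0x18);  /* NumberOfNames */
    uint32_t funcs    = rd32(base, exp + 0x1C);  /* AddressOfFunctions */
    uint32_t names    = rd32(base, exp + 0x20);  /* AddressOfNames */
    uint32_t ordinals = rd32(base, exp + 0x24);  /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < n_names; i++) {
        const char *name = (const char *)base + rd32(base, names + 4 * i);
        if (hash_name(name) == want)
            return rd32(base, funcs + 4 * rd16(base, ordinals + 2 * i));
    }
    return 0;
}

/* A 32-bit hash is not injective: before hard-wiring hash constants into an
 * exploit, confirm the target's export table has no two names hashing alike. */
int count_hash_collisions(const uint8_t *base) {
    uint32_t exp = find_export_dir(base);
    if (!exp) return -1;
    uint32_t n = rd32(base, exp + 0x18), names = rd32(base, exp + 0x20);
    int c = 0;
    for (uint32_t i = 0; i < n; i++)
        for (uint32_t j = i + 1; j < n; j++)
            if (hash_name((const char *)base + rd32(base, names + 4 * i)) ==
                hash_name((const char *)base + rd32(base, names + 4 * j)))
                c++;
    return c;
}

static uint8_t g_image[0x400];

/* Constructed 32-bit module image: MZ/PE headers plus an export table of three
 * names. The ordinal table is deliberately not the identity mapping. */
const uint8_t *mock_module(void) {
    uint8_t *m = g_image;
    memset(m, 0, sizeof g_image);
    m[0] = 'M'; m[1] = 'Z';
    wr32(m, 0x3C, 0x80);                         /* e_lfanew */
    memcpy(m + 0x80, "PE\0\0", 4);
    wr16(m, 0x98, 0x10b);                        /* OptionalHeader.Magic = PE32 */
    wr32(m, 0xF8, 0x200); wr32(m, 0xFC, 0x140);  /* DataDirectory[EXPORT] RVA, Size */
    wr32(m, 0x20C, 0x300); wr32(m, 0x210, 1);    /* Name, Base */
    wr32(m, 0x214, 3); wr32(m, 0x218, 3);        /* NumberOfFunctions, NumberOfNames */
    wr32(m, 0x21C, 0x240); wr32(m, 0x220, 0x250); wr32(m, 0x224, 0x260);
    uint32_t funcs[3] = {0x1000, 0x1100, 0x1200};  /* GetProcAddress, LoadLibraryA, ExitProcess */
    uint32_t names[3] = {0x310, 0x320, 0x330};     /* sorted as in a real PE */
    uint16_t ords[3]  = {2, 0, 1};
    for (int i = 0; i < 3; i++) {
        wr32(m, 0x240 + 4 * i, funcs[i]); wr32(m, 0x250 + 4 * i, names[i]); wr16(m, 0x260 + 2 * i, ords[i]);
    }
    strcpy((char *)m + 0x300, "mock32.dll");
    strcpy((char *)m + 0x310, "ExitProcess");
    strcpy((char *)m + 0x320, "GetProcAddress");
    strcpy((char *)m + 0x330, "LoadLibraryA");
    return m;
}

int main(void) {
    const uint8_t *m = mock_module();
    const char *want[] = {"GetProcAddress", "LoadLibraryA", "ExitProcess", "CreateFileA"};
    for (int i = 0; i < 4; i++)
        printf("%-16s hash=%08x rva=%#x\n", want[i], hash_name(want[i]), resolve_by_hash(m, hash_name(want[i])));
    printf("hash collisions in export table: %d\n", count_hash_collisions(m));
    return 0;
}
```

In a real payload the hashes are precomputed and only the 32-bit constants travel with the shellcode, which is what keeps the resolver small and independent of the Windows build; the two things a naive version gets wrong are indexing AddressOfFunctions directly by the name index instead of through AddressOfNameOrdinals, and never checking that the chosen hash is collision-free over the target DLL's exports.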