Dailydave mailing list archives
Re: Fix heap code
From: dave <dave () immunitysec com>
Date: Fri, 18 Jun 2004 21:00:41 -0400
Well, that's certainly smaller than my code! :> My original code was similar to this, although I also replaced all the other heaps stored in the PEB with one from HeapCreate, and then went through and did an SP-dependent replacement of various global variables where MSVCRT and WS2_32 had stored a copy of the default heap.
I've basically given up on that way except for special cases now though. Although future mallocs will take place with the new heap, free() on a corrupted heap can still crash the program. For most people this doesn't really matter, as their shellcode CreateProcess()'s immediately and does some simple anonymous pipe stuff, but the CANVAS shellcode is a bit more complex, and requires the full API to be steady.
Of course, my shellcode is now a whopping 1259 bytes, which does have its disadvantages. I can hear dildog now: "What are you writing, an MFC shellcode?"
-dave

Cesar wrote:

Hi. Dave was talking about some generic fix heap code. I'm working on a new Windows local heap hole, and I'm using the following code to fix the heap. It's working OK on W2k; I just thought I would share this and hear comments:

    // Fixing the heap
    mov eax, dword ptr fs:[0x18]    // Get pointer to TEB
    mov eax, dword ptr [eax+0x30]   // Get pointer to the PEB from TEB
    lea ebx, dword ptr [eax+0x18]   // Get pointer to process heap from PEB
    mov eax, dword ptr [eax+0x90]   // Get pointer to heaps list
    lea eax, [eax+0x4]              // Skip the first entry (the current process heap)
    mov eax, [eax]                  // Get pointer to next heap in list
    mov [ebx], eax                  // Replace process heap with next heap in list

Cesar.
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://www.immunitysec.com/mailman/listinfo/dailydave