Dailydave mailing list archives
Re: Shellcode
From: Alexander Sotirov <asotirov () determina com>
Date: Tue, 29 Nov 2005 11:55:50 -0800
Pedro E wrote:
LibraryReturn:
    pop ecx                 ; get the library string
    mov [ecx + 10], dl      ; MY PROBLEM is this line: I don't have the right permissions to modify the NULL value and finish the string
    mov ebx, 0x79470221     ; LoadLibraryA(libraryname);
    push ecx                ; beginning of user32.dll
    call ebx                ; eax will hold the module handle
    jmp short FunctionName
    xxx
    ..
    ..
GetLibrary:
    call LibraryReturn
    db 'user32.dllN'
Just put the string on the stack:

    push 0x5f5f6c6c         ; 'll__'
    push 0x642e3233         ; '32.d'
    push 0x72657375         ; 'user'
    call LibraryReturn
LibraryReturn:
    lea ecx, [esp+4]        ; esp+4 points to the string "user32.dllXX"
    mov [ecx + 10], dl      ; the string is on the stack, so you can write the null terminator

or even better:

    xor eax, eax
    mov ax, 0x6c6c
    push eax                ; 'll\0\0'
    push 0x642e3233         ; '32.d'
    push 0x72657375         ; 'user'
    call LibraryReturn

Alex
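Added here as an editor's example, not part of Alex's post: a small Python scanner of the kind used on the detection side, which rebuilds the string that a run of consecutive PUSH imm32 instructions leaves on the stack. The two byte samples are constructed encodings of the two variants above; the second shows that the xor/mov ax/push eax form evades a heuristic keyed only on PUSH imm32, which is a caveat for anyone writing such a rule.

```python
PUSH_IMM32 = 0x68  # x86 opcode byte for PUSH imm32 (5-byte encoding)

# Constructed sample 1: the three-push variant, then CALL rel32 and NOP padding.
SAMPLE_PUSH_ONLY = bytes.fromhex(
    "68 6c 6c 5f 5f"    # push 0x5f5f6c6c  'll__'
    "68 33 32 2e 64"    # push 0x642e3233  '32.d'
    "68 75 73 65 72"    # push 0x72657375  'user'
    "e8 00 00 00 00"    # call rel32 (displacement is a constructed placeholder)
    "90 90"
)

# Constructed sample 2: the "even better" variant that pushes eax for the tail.
SAMPLE_REG_PUSH = bytes.fromhex(
    "31 c0"             # xor eax, eax
    "66 b8 6c 6c"       # mov ax, 0x6c6c
    "50"                # push eax         'll\0\0'
    "68 33 32 2e 64"    # push 0x642e3233  '32.d'
    "68 75 73 65 72"    # push 0x72657375  'user'
    "e8 00 00 00 00"    # call rel32 (constructed placeholder)
)


def recover_pushed_strings(code: bytes, min_pushes: int = 2) -> list[tuple[int, str]]:
    """Find runs of consecutive PUSH imm32 and rebuild the stack image.

    Each push stores its 4 little-endian bytes below the previous one, so the
    bytes as they sit in memory are the immediates in reverse push order.
    A run is reported when it has at least min_pushes pushes and the bytes up
    to the first NUL are printable ASCII.  Returns (offset, string) pairs.
    This is a heuristic: a 0x68 byte inside another instruction's operand can
    start a spurious run, and a register push (as in sample 2) breaks the run.
    """
    results = []
    i, n = 0, len(code)
    while i < n:
        if code[i] != PUSH_IMM32 or i + 5 > n:
            i += 1
            continue
        start, imms = i, []
        while i + 5 <= n and code[i] == PUSH_IMM32:
            imms.append(code[i + 1:i + 5])
            i += 5
        if len(imms) >= min_pushes:
            text = b"".join(reversed(imms)).split(b"\x00", 1)[0]
            if text and all(32 <= b < 127 for b in text):
                results.append((start, text.decode("ascii")))
    return results


if __name__ == "__main__":
    print(recover_pushed_strings(SAMPLE_PUSH_ONLY))  # [(0, 'user32.dll__')]
    print(recover_pushed_strings(SAMPLE_REG_PUSH))   # [(7, 'user32.d')]
```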