Metasploit mailing list archives
Functions in DLLs
From: tyronmiller at gmail.com (Ty Miller)
Date: Sun, 6 Apr 2008 08:15:48 +1000
In that paper that you recommended, there is no mention of the hashing algorithm used. Do you know what it is, or do you have some code to create the hashes?

Thanks,
Ty

On 3/28/08, mmiller at hick.org <mmiller at hick.org> wrote:
> On Thu, Mar 27, 2008 at 08:55:02PM +1100, Ty Miller wrote:
> > Hey guys,
> >
> > Is there a program or website that maps which functions exist in which DLLs so that I can determine the address of a function? Wow, does that sentence make any sense??? ... In other words, if I am creating shellcode and I am using a function, say "strlen", I need to replace this call with the address of where it exists in memory within a loaded DLL ... so how do I determine the best DLL to use?
>
> Hardcoding the address of a function to be called in shellcode is generally bad practice. I'd suggest taking a look at how the Metasploit payloads resolve the address of a function to be called. There is some explanation as to how this works here:
>
> http://hick.org/code/skape/papers/win32-shellcode.pdf
>
> If you must hardcode the address just use a debugger, run a program that uses msvcrt, and find the address of msvcrt!strlen (such as by trying to disassemble it).
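The thread asks what the hash is but never answers it. As an added example, not from this thread and not Metasploit's own tooling, the following Python rebuilds the ROR13 module!function hash that the Metasploit x86 payloads resolve against at runtime (the byte layout, an upper-cased UTF-16LE module name and an ASCII export name, each with its terminator, folded separately and summed, follows Metasploit's hash.py as I know it, which this page does not quote) and uses it the way an analyst would: as a hash-to-name table for recovering which API references a sample carries. This goes a step beyond the thread by also scanning a byte blob for table entries. `KNOWN_APIS` and `SAMPLE` are constructed inputs for the demonstration; a real table would be built from the export names of the DLLs of interest.

```python
"""Added example (not from the thread or from Metasploit itself): the ROR13
module!function hash used by Metasploit's x86 resolver, rebuilt on the
analyst's side as a hash -> name lookup table."""

import struct
from typing import Dict, Iterable, List, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int = 13) -> int:
    """Rotate a 32-bit value right by `bits` (x86 `ror` semantics)."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def fold_bytes(data: bytes, bits: int = 13) -> int:
    """Accumulate h = ror(h, bits) + byte over every byte, wrapping at 32 bits."""
    h = 0
    for b in data:
        h = (ror32(h, bits) + b) & MASK32
    return h


def api_hash(module: str, function: str, bits: int = 13) -> int:
    """Hash of module!function as the resolver sees the names in memory:
    the module name upper-cased and encoded as UTF-16LE including its
    terminator (the loader's BaseDllName), and the export name as ASCII
    including its terminator.  Each is folded on its own and the two
    results are added."""
    mod_bytes = (module.upper() + "\x00").encode("utf-16-le")
    fn_bytes = (function + "\x00").encode("ascii")
    return (fold_bytes(mod_bytes, bits) + fold_bytes(fn_bytes, bits)) & MASK32


def build_table(names: Iterable[Tuple[str, str]]) -> Dict[int, str]:
    """Precompute hash -> "module!function" for the APIs of interest."""
    return {api_hash(m, f): f"{m}!{f}" for m, f in names}


def find_api_hashes(blob: bytes, table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Slide a 4-byte window over `blob`, decode each window as a
    little-endian dword and report offsets whose value is a known hash."""
    hits = []
    for off in range(len(blob) - 3):
        (dword,) = struct.unpack_from("<I", blob, off)
        if dword in table:
            hits.append((off, table[dword]))
    return hits


# Constructed API list (an assumption for the demo); a real table would be
# built from the export names of the DLLs an analyst cares about.
KNOWN_APIS = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "GetProcAddress"),
    ("kernel32.dll", "ExitProcess"),
    ("msvcrt.dll", "strlen"),
]
TABLE = build_table(KNOWN_APIS)

# Constructed sample blob: two table hashes embedded among filler bytes.
SAMPLE = (
    b"\x00" * 3
    + struct.pack("<I", api_hash("kernel32.dll", "LoadLibraryA"))
    + b"\x00" * 2
    + struct.pack("<I", api_hash("msvcrt.dll", "strlen"))
)

if __name__ == "__main__":
    for module, function in KNOWN_APIS:
        print(f"0x{api_hash(module, function):08X} = {module}!{function}")
    for offset, name in find_api_hashes(SAMPLE, TABLE):
        print(f"offset {offset}: {name}")
```

Because the module name is upper-cased before folding, `api_hash` gives the same value whichever case the loader stores the DLL name in, while the export name is hashed exactly as spelled, so `LoadLibraryA` and `LoadLibraryW` land on different entries.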
Current thread:
- Functions in DLLs Ty Miller (Apr 02)
- <Possible follow-ups>
- Functions in DLLs Ty Miller (Apr 05)
- Functions in DLLs mmiller at hick.org (Apr 05)
- Functions in DLLs Vlad Tsyrklevich (Apr 05)
- Functions in DLLs mmiller at hick.org (Apr 05)