Vulnerability Development mailing list archives

Re: searching through the address space of a process


From: "John Hillman" <phsion11 () hotmail com>
Date: Sun, 14 Oct 2001 23:44:28 +0000

I'm not sure if this is what you mean, but try www.gamehacking.com and look through the tutorials on trainer making. It will have all the Win API calls to change and search for a value somewhere in an app's memory.


From: Franklin DeMatto <franklin.lists () qdefense com>
To: vuln-dev () securityfocus com
Subject: searching through the address space of a process
Date: Sun, 14 Oct 2001 00:32:10 -0400

Is there a way for a process (i.e., shellcode) to search through its
address space (looking for a particular string, etc.)?  I'm interested
particularly in doing this under Windows, although Unix would be nice
also. Can this be done without using any API/syscalls, just in assembly alone?

I can see two basic ways of doing it:
1) Determining the address space, and then searching it
2) Trying every block, but catching the gpf/segfault exceptions

However, I do not know how to implement either one.

Franklin



Franklin DeMatto
Senior  Analyst, qDefense Penetration Testing
http://qDefense.com
qDefense: Making Security Accessible




