Vulnerability Development mailing list archives
Re: searching through the address space of a process
From: Gigi Sullivan <sullivan () sikurezza org>
Date: Mon, 15 Oct 2001 11:03:50 +0200
Aiee :) Hello! On Sun, Oct 14, 2001 at 12:32:10AM -0400, Franklin DeMatto wrote:
> Is there a way for a process (i.e., shellcode) to search through its address space (looking for a particular string, etc.)? I'm interested
Sure.
> particularly in doing this under Windows, although Unix would be nice also. Can this be done without using any API/syscalls, just in assembly alone?
I know nothing about doing it under Windows, but you can achieve this quite easily under Unix; just look for "Return in LibC" in the BugtraQ archives by Solar Designer (indeed, that article is much more than you need) or just take a look at the attached example.
> 1) Determining the address space, and then searching it
You don't have to determine the exact address space, since you'll get a segfault if you go outside it.
> 2) Trying every block, but catching the gpf/segfault exceptions
Just trap the segfault (since a GPF will cause a SIGSEGV to be delivered to the process causing it). This is basically what the example does (starting from a libc function address): trapping SIGSEGV and using a setjmp/longjmp pair (as a non-local goto) to change the search direction (you change search direction when you catch SIGSEGV, i.e. when you've gone outside your process address space). Hope it helps just a little bit.
> Franklin
>
> Franklin DeMatto
> Senior Analyst, qDefense Penetration Testing
> http://qDefense.com
> qDefense: Making Security Accessible
bye bye
-- gg sullivan

--
Lorenzo Cavallaro `Gigi Sullivan' <sullivan () sikurezza org>
Until I loved, life had no beauty; I did not know I lived until I had loved. (Theodor Korner)
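Added example of the probe described in the reply above (this is not Gigi's attachment and not Solar Designer's code). A SIGSEGV/SIGBUS handler and a sigsetjmp/siglongjmp pair let a process read through a range of its own address space and recover when it touches an unmapped page; the same trick is what crash-tolerant memory inspection tools use to learn which pages are readable. Unlike the attached example it reportedly mirrors, this one scans forward and simply skips to the next page boundary on a fault rather than reversing direction. All function names, the mmap'ed three-page test region with a hole punched in the middle, and the "MARKER" string are constructed for this demonstration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Jump target for the fault handler; re-established by find_bytes() before each page. */
static sigjmp_buf probe_env;
static volatile sig_atomic_t probe_armed = 0;

/* SIGSEGV/SIGBUS handler: while a probe is armed, unwind back to the sigsetjmp in
 * find_bytes(); otherwise restore the default action so an unrelated crash is not
 * silently swallowed. */
static void fault_handler(int sig)
{
    if (probe_armed)
        siglongjmp(probe_env, 1);
    signal(sig, SIG_DFL);
}

static void install_fault_handler(void)
{
    static int installed = 0;
    struct sigaction sa;
    if (installed)
        return;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, NULL);
    sigaction(SIGBUS, &sa, NULL);   /* some platforms report bad accesses as SIGBUS */
    installed = 1;
}

/* Search [start, start + span) for needle, one page at a time. A fault while reading a
 * page (or the page a candidate match spills into) unwinds to the sigsetjmp and the scan
 * resumes at the next page boundary. Returns a pointer to the first match or NULL. */
const unsigned char *find_bytes(const unsigned char *start, size_t span,
                                const unsigned char *needle, size_t nlen)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t end = (uintptr_t)start + span;
    /* volatile: p is modified between sigsetjmp and a possible siglongjmp */
    uintptr_t volatile p = (uintptr_t)start;

    install_fault_handler();
    while (p < end) {
        uintptr_t page_end = (p | (page - 1)) + 1;
        if (page_end > end)
            page_end = end;
        probe_armed = 1;
        if (sigsetjmp(probe_env, 1) == 0) {
            for (uintptr_t q = p; q < page_end && q + nlen <= end; q++) {
                if (memcmp((const void *)q, needle, nlen) == 0) {
                    probe_armed = 0;
                    return (const unsigned char *)q;
                }
            }
        }
        /* normal completion or fault: either way move on to the next page */
        probe_armed = 0;
        p = page_end;
    }
    return NULL;
}

/* Convenience wrapper: byte offset of needle in hay, or -1 if absent. */
long find_offset(const char *hay, size_t len, const char *needle)
{
    const unsigned char *hit = find_bytes((const unsigned char *)hay, len,
                                          (const unsigned char *)needle, strlen(needle));
    return hit ? (long)(hit - (const unsigned char *)hay) : -1;
}

/* Demonstration (constructed): three anonymous pages with the middle one unmapped, so the
 * scan faults when it reaches the hole and must recover before finding the marker in the
 * third page. Returns 1 on success, 0 on a wrong answer, -1 if setup fails. */
int demo_find_across_hole(void)
{
    size_t ps = (size_t)sysconf(_SC_PAGESIZE);
    const char marker[] = "MARKER";
    unsigned char *region = mmap(NULL, 3 * ps, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return -1;
    memcpy(region + 2 * ps + 100, marker, sizeof marker - 1);
    munmap(region + ps, ps);                   /* punch the hole */
    const unsigned char *hit = find_bytes(region, 3 * ps,
                                          (const unsigned char *)marker, sizeof marker - 1);
    int ok = (hit == region + 2 * ps + 100);
    munmap(region, ps);
    munmap(region + 2 * ps, ps);
    return ok;
}

int main(void)
{
    printf("offset of \"world\": %ld\n", find_offset("hello world", 11, "world"));
    printf("scan across an unmapped page: %s\n",
           demo_find_across_hole() == 1 ? "found marker" : "failed");
    return 0;
}
```

Note that `p` is declared volatile: anything modified between sigsetjmp and siglongjmp has an indeterminate value after the jump otherwise. Passing 1 to sigsetjmp saves the signal mask, so the siglongjmp out of the handler also unblocks SIGSEGV again; without that, the second fault would kill the process instead of being caught.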
Current thread:
- searching through the address space of a process Franklin DeMatto (Oct 14)
- Re: searching through the address space of a process dullien (Oct 14)
- Re: searching through the address space of a process Gigi Sullivan (Oct 15)
- Re: searching through the address space of a process Gigi Sullivan (Oct 15)
- Re: searching through the address space of a process Enrique A. Compañ Gzz. (Oct 15)
- <Possible follow-ups>
- Re: searching through the address space of a process John Hillman (Oct 14)