Functions in DLLs

[tyronmiller at gmail.com (Ty Miller)]

In that paper that you recommended, there is no mention of the hashing
algorithm used. Do you know what it is, or do you have some code to create
the hashes?

Thanks,
Ty



On 3/28/08, mmiller at hick.org <mmiller at hick.org> wrote:
> On Thu, Mar 27, 2008 at 08:55:02PM +1100, Ty Miller wrote:
> > Hey guys,
> >
> > Is there a program or website that maps which functions exist in which
> DLLs
> > so that I can determine the address of a function?
> >
> > Wow, does that sentence make any sence??? ... In other words, if I am
> > creating shellcode and I am using a function, say "strlen", I need to
> > replace this call with the address of where it exists in memory within a
> > loaded DLL ... so how do I determine the best DLL to use?
>
> Hardcoding the address of a function to be called in shellcode is
> generally bad practice.  I'd suggest taking a look at how the Metasploit
> payloads resolve the address of a function to be called.  There is some
> explanation as to how this works here:
>
> http://hick.org/code/skape/papers/win32-shellcode.pdf
>
> If you must hardcode the address just use a debugger, run a program that
> uses msvcrt, and find the address of msvcrt!strlen (such as by trying to
> disassemble it).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20080406/91dcc9d0/attachment.htm>