Vulnerability Development mailing list archives
Re: searching through the address space of a process
From: dullien () gmx de
Date: Sun, 14 Oct 2001 12:47:51 -0700
Hey Franklin,

FD> Is there a way for a process (i.e., shellcode) to search through its
FD> address space (looking for a particular string, etc.)? I'm interested
FD> particularly in doing this under Windows, although Unix would be nice
FD> also. Can this be done without using any API/syscalls, just in assembly alone?

FD> I can see two basic ways of doing it:
FD> 1) Determining the address space, and then searching it
FD> 2) Trying every block, but catching the gpf/segfault exceptions

Of course it can be done - it is quite easy under Windows as every process
can easily install their own exception handler through SEH structures
pointed to by FS:[0]. A lot of the old 29A virii used this technique to scan
for KERNEL32.DLL base address.

How long is the string you're looking for? If you're searching for a
dword-aligned dword value on a certain page, you might wanna look into
rep scasd ;)

Need source?

Cheers,
dullien () gmx de