Vulnerability Development mailing list archives

Re: searching through the address space of a process


From: dullien () gmx de
Date: Sun, 14 Oct 2001 12:47:51 -0700

Hey Franklin,

FD> Is there a way for a process (i.e., shellcode) to search through its 
FD> address space (looking for a particular string, etc.)?  I'm interested 
FD> particularly in doing this under Windows, although Unix would be nice 
FD> also.  Can this be done without using any API/syscalls, just in assembly alone?
FD> I can see two basic ways of doing it:
FD> 1) Determining the address space, and then searching it
FD> 2) Trying every block, but catching the gpf/segfault exceptions

Of course it can be done - it is quite easy under Windows, as every
process can easily install its own exception handler through the SEH
structures pointed to by FS:[0]. A lot of the old 29A virii used this
technique to scan for the KERNEL32.DLL base address.

How long is the string you're looking for? If you're searching for a
dword-aligned dword value on a certain page, you might wanna look into
rep scasd ;)

Need source ?

Cheers,
dullien () gmx de
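The reply describes approach 2 (probe memory, catch the fault) in terms of Windows SEH. The block below is an added example, not code from the poster or from this thread: it shows the same technique on Unix, where the fault arrives as SIGSEGV/SIGBUS and a sigsetjmp/siglongjmp pair plays the role of the SEH handler. The helper names (probe_readable, scan_run, find_in_range, demo_offset) and the three-page test region with an unreadable page in the middle are assumptions made for the demo. The scan walks a range page by page, touches one byte of each page under the fault handler, and searches only the runs of pages that proved readable, so a needle that straddles two mapped pages is still found.

```c
/* Added example: probe-and-search over a process's own address space on Unix.
 * The SIGSEGV/SIGBUS handler stands in for the FS:[0] SEH handler from the
 * post. Helper names below are hypothetical, chosen for this demo. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

static sigjmp_buf probe_env;          /* where to land after a fault      */
static volatile sig_atomic_t probing; /* 1 only while a probe is in flight */

static void fault_handler(int sig) {
    if (probing)
        siglongjmp(probe_env, 1);     /* unwind back into probe_readable */
    signal(sig, SIG_DFL);             /* a fault outside a probe is a real bug */
    raise(sig);
}

/* Catch both signals: anonymous/PROT_NONE pages raise SIGSEGV, file-backed
 * mappings past EOF raise SIGBUS on most Unixes. */
static int install_fault_handler(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = fault_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    if (sigaction(SIGSEGV, &sa, NULL) < 0) return -1;
    if (sigaction(SIGBUS, &sa, NULL) < 0) return -1;
    return 0;
}

/* 1 if the byte at addr can be read, 0 if reading it faults. The read goes
 * through a volatile pointer so the compiler cannot optimise it away. */
static int probe_readable(const void *addr) {
    volatile const unsigned char *p = (volatile const unsigned char *)addr;
    if (sigsetjmp(probe_env, 1) != 0) {
        probing = 0;                  /* arrived here via siglongjmp: faulted */
        return 0;
    }
    probing = 1;
    (void)*p;
    probing = 0;
    return 1;
}

/* Byte-wise search inside a run of memory already known to be readable. */
static const unsigned char *scan_run(const unsigned char *run, size_t run_len,
                                     const unsigned char *needle, size_t nlen) {
    if (nlen == 0 || run_len < nlen) return NULL;
    for (size_t i = 0; i + nlen <= run_len; i++)
        if (run[i] == needle[0] && memcmp(run + i, needle, nlen) == 0)
            return run + i;
    return NULL;
}

/* Search [start, start+len) for needle, skipping pages that fault. Contiguous
 * readable pages are searched as one run; a needle that would extend into an
 * unreadable page cannot be read and so is not reported. */
const void *find_in_range(const void *start, size_t len,
                          const void *needle, size_t nlen) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    uintptr_t lo = (uintptr_t)start & ~(uintptr_t)(page - 1);
    uintptr_t hi = (uintptr_t)start + len;
    uintptr_t run_start = 0;

    if (install_fault_handler() < 0) return NULL;
    for (uintptr_t a = lo; a < hi; a += page) {
        int ok = probe_readable((const void *)a);
        if (ok && run_start == 0)     /* clamp so hits before start are excluded */
            run_start = a > (uintptr_t)start ? a : (uintptr_t)start;
        if (run_start && (!ok || a + page >= hi)) {
            uintptr_t run_end = ok ? hi : a;
            const unsigned char *hit = scan_run((const unsigned char *)run_start,
                                                run_end - run_start,
                                                (const unsigned char *)needle, nlen);
            if (hit) return hit;
            run_start = 0;
        }
        if (a + page < a) break;      /* wrapped at the top of the address space */
    }
    return NULL;
}

/* Constructed fixture: three anonymous pages, the middle one made PROT_NONE
 * so the scan must survive a fault and continue past it. */
typedef struct { unsigned char *base; size_t len; size_t page; } region_t;

static int make_region(region_t *r) {
    r->page = (size_t)sysconf(_SC_PAGESIZE);
    r->len = 3 * r->page;
    r->base = mmap(NULL, r->len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (r->base == MAP_FAILED) return -1;
    memcpy(r->base + 16, "NOT_THE_KEY", 11);                       /* page 0 */
    memcpy(r->base + 2 * r->page + 100, "SECRET_KEY=hunter2", 18); /* page 2 */
    return mprotect(r->base + r->page, r->page, PROT_NONE);        /* page 1 */
}

/* Offset of the first hit relative to the region base, -1 if absent,
 * -2 if the fixture could not be built. */
long demo_offset(const char *needle) {
    region_t r;
    if (make_region(&r) < 0) return -2;
    const unsigned char *hit = find_in_range(r.base, r.len, needle, strlen(needle));
    long off = hit ? (long)(hit - r.base) : -1;
    munmap(r.base, r.len);
    return off;
}

int main(void) {
    printf("SECRET_KEY= at offset %ld (page 2 + 100)\n", demo_offset("SECRET_KEY="));
    printf("absent needle -> %ld\n", demo_offset("NOPE_NOT_HERE"));
    return 0;
}
```

In shellcode the same loop is written against FS:[0] on Windows or a raw sigaction syscall on Linux, with the page size hard-coded; the point that carries over is that the handler must know it is inside a probe, otherwise an unrelated crash is silently swallowed and the scan reports nonsense.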
