Re: searching through the address space of a process

[Gigi Sullivan <sullivan () sikurezza org>]

Aiee :)

   Hello!

On Sun, Oct 14, 2001 at 12:32:10AM -0400, Franklin DeMatto wrote:
> Is there a way for a process (i.e., shellcode) to search through its 
> address space (looking for a particular string, etc.)?  I'm interested 

   Sure.

> particularly in doing this under Windows, although Unix would be nice 
> also.  Can this be done without using any API/syscalls, just in assembly alone?

   I do nothing about doing it under Windows, but you can achieve this
   quite easly under Unix; Just look for "Return in LibC" in BugtraQ archives
   by Solar Designer (indeed, that article is much more than you need) or
   just take a look at the attached example.

> 1) Determining the address space, and then searching it

   You don't have to determine the exact address space since you'll
   get segfault if you're going outside it.

> 2) Trying every block, but catching the gpf/segfault exceptions

   Just trap segfault (since GP will cause a segfault to be delivered
   to the process causing it).
   This is basically what the example does (starting from a libc function 
   address), trapping SIGSEGV, using setjmp/longjmp pair (as non local goto)
   to change the search direction (you'll change search direction when
   you catch SIGSEGV, i.e. you're going outside your process address space).

   Hope it helps just a little bit

> Franklin
>
>
>
> Franklin DeMatto
> Senior  Analyst, qDefense Penetration Testing
> http://qDefense.com
> qDefense: Making Security Accessible

bye bye

                           -- gg sullivan

-- 
Lorenzo Cavallaro       `Gigi Sullivan' <sullivan () sikurezza org>

Until I loved, life had no beauty;
I did not know I lived until I had loved. (Theodor Korner)