Vulnerability Development mailing list archives
Re: Getting Base Address using the Structured Exception Handler
From: Costin Ionescu <costin.ionescu () fokus fraunhofer de>
Date: Thu, 26 Jun 2003 13:23:31 +0200
Nobody Mind wrote:
> I basically am wondering if anyone has links or can post a short explanation of why (not how) using the SEH method works for getting the base address of kernel32.dll and others?
> Thanks

Because installing a SEH means that you get execution control when your thread causes an exception. If you want to find the base of kernel32 you just access some pages where you think it is (around 0xBFF70000 on Win9x, around 0x77F0000/0x77E80000 on WinNT/2K/XP). If the kernel isn't there, either those pages are not allocated and accessing them will cause a General Protection Fault, or the pages are allocated but there is something else there and you can find that out by verifying some info that is specific for kernel32.

So when a GPF is raised the OS will pass the execution control to the SEH handlers. And so you can probe for valid memory pages without terminating the process and having that annoying message box (This application has performed an illegal operation and will be terminated).
ico