flat assembler
Message board for the users of flat assembler.

Thread: return addresses (Windows forum)
asmrox (Joined: 19 Jan 2008, Posts: 160) wrote:
I'm writing a universal shellcode and I need all return addresses in all versions of Windows:
2k/2k3/Millennium/XP/Vista, including all SPs.

Thanks.
Post 07 May 2008, 14:08
revolution (When all else fails, read the source; Joined: 24 Aug 2004, Posts: 17450, Location: In your JS exploiting you and your system) wrote:
What about the monthly patches also? What about future updates/upgrades? Return address for what? Each and every DLL in Windows? Including all different optional components and other whatnot?

Forget it, this is a crazy idea.
Post 07 May 2008, 14:21
asmrox (Joined: 19 Jan 2008, Posts: 160) wrote:
Umm, return addresses from normal .exe/.dll files.
You know, to ExitThread. I have an idea to scan the stack for one of them and obtain the version of Windows (so I have the addresses of kernel32 APIs like LoadLibraryA).

Quote:
Forget it, this is a crazy idea.

Why?
Post 07 May 2008, 15:19
revolution (When all else fails, read the source; Joined: 24 Aug 2004, Posts: 17450, Location: In your JS exploiting you and your system) wrote:
You can get all the addresses you need by simply linking to the DLL and calling GetProcAddress at runtime.

To ask everyone to give you return addresses is not needed and is very silly. The addresses change because the DLLs are relocatable.
Post 07 May 2008, 15:27
asmrox (Joined: 19 Jan 2008, Posts: 160) wrote:
Quote:
DLLs are relocatable

Can you tell me which function relocates a DLL?
AFAIK kernel32 can't be relocated anyway ;] Returning by 'ret' would make no sense. And LoadLibraryA/GetProcAddress are from kernel32, but not in the same place on all systems. And in shellcode I can't link a DLL, lol.
http://www.google.com/search?q=what+is+shellcode
Post 07 May 2008, 17:13
revolution (When all else fails, read the source; Joined: 24 Aug 2004, Posts: 17450, Location: In your JS exploiting you and your system) wrote:
asmrox wrote:
Can you tell me which function relocates a DLL?
The loader (LoadLibrary) will relocate the DLL, but it is easy to do with a small utility anyway. I know a few easy ways to find kernel32 but I can't be bothered to explain them right now.

Haha, don't forget about ASLR. Your task is not easy and I doubt many here will support this effort anyway.
Post 07 May 2008, 17:22
asmrox (Joined: 19 Jan 2008, Posts: 160) wrote:
ASLR under Windows?

Quote:
The loader (LoadLibrary) will relocate the DLL

I thought it just maps it into the memory space, and if it's already mapped it returns a handle.
Post 07 May 2008, 17:25
revolution (When all else fails, read the source; Joined: 24 Aug 2004, Posts: 17450, Location: In your JS exploiting you and your system) wrote:
asmrox wrote:
ASLR under Windows?
Vista has it.
asmrox wrote:
Quote:
The loader (LoadLibrary) will relocate the DLL

I thought it just maps it into the memory space, and if it's already mapped it returns a handle.
Yep, it maps it in and if it won't fit it will then relocate. The OS uses copy-on-write to accomplish this.
Post 07 May 2008, 17:30
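The relocation step revolution describes above (the loader patching every absolute address when a DLL cannot be mapped at its preferred base, which is exactly why addresses hard-coded for one Windows build break on another) as an added example, not code from this thread or from fasm: a Python routine that walks a PE .reloc table (IMAGE_BASE_RELOCATION blocks) and applies the base delta. The 32-byte image and its relocation block are constructed inline, not read from a real binary.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, nothing to patch
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10     # 64-bit absolute address

def apply_relocations(image, reloc, preferred_base, actual_base):
    """Walk IMAGE_BASE_RELOCATION blocks and add (actual - preferred) to every
    absolute address they list. Returns the number of fixups applied."""
    delta = actual_base - preferred_base
    applied, pos = 0, 0
    while pos + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, pos)
        if block_size < 8 or pos + block_size > len(reloc):
            raise ValueError("malformed relocation block")
        for (entry,) in struct.iter_unpack("<H", reloc[pos + 8:pos + block_size]):
            kind, offset = entry >> 12, entry & 0xFFF   # type:4 bits, offset in page:12 bits
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if kind == IMAGE_REL_BASED_HIGHLOW:
                fmt, size = "<I", 4
            elif kind == IMAGE_REL_BASED_DIR64:
                fmt, size = "<Q", 8
            else:
                raise ValueError("unsupported relocation type %d" % kind)
            rva = page_rva + offset
            if rva + size > len(image):
                raise ValueError("fixup outside image")
            (value,) = struct.unpack_from(fmt, image, rva)
            struct.pack_into(fmt, image, rva, (value + delta) & ((1 << (8 * size)) - 1))
            applied += 1
        pos += block_size
    return applied

def read_u32(image, rva):
    return struct.unpack_from("<I", image, rva)[0]

def build_sample():
    """Constructed sample, not a real PE: a 32-byte image holding two absolute
    pointers that assume the preferred base 0x00400000, plus its .reloc block."""
    image = bytearray(32)
    struct.pack_into("<I", image, 0x10, 0x00401234)
    struct.pack_into("<I", image, 0x18, 0x00401500)
    entries = [0x3010, 0x3018, 0x0000, 0x0000]  # two HIGHLOW fixups + alignment padding
    reloc = struct.pack("<II", 0, 8 + 2 * len(entries)) + struct.pack("<4H", *entries)
    return image, reloc

if __name__ == "__main__":
    image, reloc = build_sample()
    print(apply_relocations(image, reloc, 0x00400000, 0x10000000), hex(read_u32(image, 0x10)))
```

Loading the sample at 0x10000000 rewrites 0x00401234 to 0x10001234, so any code that baked in the original value now points at the wrong place; that is the effect ASLR produces on every system DLL.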
Copyright © 1999-2020, Tomasz Grysztar.