Vulnerability Development mailing list archives
Re: Getting Base Address using the Structured Exception Handler
From: Gerardo Richarte <gera () corest com>
Date: Thu, 26 Jun 2003 12:24:45 -0300
Gerardo Richarte wrote:
2nd trick: I think I like it, if it works... to know the address of ntdll.dll may be easy using SEH: ntdll.dll calls the exception handler, and as call "is synonym" for push eip/jmp, ntdll.dll is pushing its own address on the stack before executing the exception handler. Now, if the exception handler you install gets the return address from the stack (pop eax) and compares it to a list of known ntdll.dll addresses, it will be easy to find out the version of ntdll.dll. Then, if you can, somehow, infer the version of kernel32.dll from the version of ntdll.dll, well... Bingo!
Yeah, I know this is about to become insane (answering myself so many times, I mean), but well... I think it'll be easier to learn to use LdrGetDllHandle(), LdrGetProcedureAddress(), LdrLoadDll() and probably LdrUnloadDll() (use The Oracle [google] to find out info about them). They look pretty promising. And then, once again as hernan told me, it may be enough to mask out the least significant bits of the return address (the address after the call in ntdll.dll:KiUserExceptionDispatcher()) to get ntdll.dll's base address. Then, with that, we could walk the PE header and get the address of LdrGetProcedureAddress (if that's enough), or use a table stored in our code, as used in the first example (in a previous email)...

gera
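The two steps sketched above (mask the low bits of a return address to recover the module base, then walk the PE header to the export directory for LdrGetProcedureAddress), as an added worked example that is not code from the thread. It generalizes the mask into a page-by-page walk back to the MZ/PE headers, and runs against a constructed PE32 image in a toy memory model instead of a live process; the function names (build_image, read, u32, find_base, resolve_export), the 0x7C900000 load address and the exported RVAs used in testing are all assumptions made here, and the walk also shows what happens when a probe leaves the mapping.

```python
import struct
PAGE = 0x1000

def build_image(exports, pages=3):
    # Constructed PE32 image (not a real DLL): headers on page 0, export table describing `exports` (name -> RVA)
    img, names = bytearray(pages * PAGE), sorted(exports)
    img[0:2] = b"MZ"
    struct.pack_into("<I4sHHIIIHH", img, 0x3C, 0x40, b"PE\0\0", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)  # e_lfanew, PE sig, COFF hdr
    struct.pack_into("<H94xII", img, 0x58, 0x10B, 0x200, 40)                  # optional header: PE32 magic, DataDirectory[0]
    struct.pack_into("<IIHHIIIIIII", img, 0x200, 0, 0, 0, 0, 0, 1, len(names), len(names), 0x300, 0x400, 0x500)
    pos = 0x600                       # IMAGE_EXPORT_DIRECTORY above: Base=1, counts, then the three table RVAs
    for i, name in enumerate(names):
        struct.pack_into("<I", img, 0x300 + 4 * i, exports[name])             # AddressOfFunctions[i]
        struct.pack_into("<I", img, 0x400 + 4 * i, pos)                       # AddressOfNames[i]
        struct.pack_into("<H", img, 0x500 + 2 * i, i)                         # AddressOfNameOrdinals[i]
        img[pos:pos + len(name)] = name.encode()                              # buffer is zeroed, so a NUL follows
        pos += len(name) + 1
    return bytes(img)

def read(mem, va, n):
    # mem = {base: image}; a read outside every mapping raises, as a page fault would in a real process
    for base, img in mem.items():
        if base <= va and va + n <= base + len(img):
            return img[va - base:va - base + n]
    raise MemoryError(f"unmapped read at {va:#x}")

def u32(mem, va): return struct.unpack("<I", read(mem, va, 4))[0]

def find_base(mem, addr, max_pages=256):
    # Mask the low 12 bits of an in-module address, then step back a page at a time until MZ/PE headers appear
    page = addr & ~(PAGE - 1)
    for _ in range(max_pages):
        try:
            if read(mem, page, 2) == b"MZ" and read(mem, page + u32(mem, page + 0x3C), 4) == b"PE\0\0":
                return page
        except MemoryError:
            return None               # stepped onto an unmapped page; code probing here would fault
        page -= PAGE
    return None

def resolve_export(mem, base, wanted):
    # Walk the export directory of the image at `base`; return the VA of export `wanted` (bytes) or None
    exp = base + u32(mem, base + u32(mem, base + 0x3C) + 0x78)              # PE32 DataDirectory[0].VirtualAddress
    n_names, funcs, names, ords = (u32(mem, exp + off) for off in (0x18, 0x1C, 0x20, 0x24))
    for i in range(n_names):                                                 # name table -> ordinal -> function RVA
        if read(mem, base + u32(mem, base + names + 4 * i), len(wanted) + 1) == wanted + b"\0":
            ordinal = struct.unpack("<H", read(mem, base + ords + 2 * i, 2))[0]
            return base + u32(mem, base + funcs + 4 * ordinal)
    return None
```

With a three-page image mapped at the constructed base and a "return address" in its third page, find_base walks two pages back to the headers, and resolve_export then yields base + RVA for the requested name; an address below the mapping returns None instead of faulting.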