[Code-Crunchers] 133 bytes

Peter Ferrie pferrie at symantec.com
Thu Nov 16 12:40:56 CST 2006


I found an interesting thing this morning:
optional header size can be set to zero, at least on W2K (haven't tried others yet).
You might say "but then the virtual size field interferes with the import table", but it's not so: if virtual size is zero, then the raw size is used instead.  So the virtual size field is now the import name terminator, and the "kernel32.dll" string is moved to start at the TimeStamp field, terminated by the zeroed optional header size field.  That leaves us with a nice large block of empty space at the end of the header.  By carefully choosing the stack and heap values, we can execute code from within those fields, too.  That's 26 bytes!  Yeah. :-)
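A header checker for the layout described in this mail, added here as an example and not part of the original post: it parses the COFF header and section table of a constructed sample (my own minimal header, not the 133-byte file) and reports a zero SizeOfOptionalHeader, an import DLL name stored across TimeDateStamp..NumberOfSymbols, and sections whose VirtualSize is 0 so that SizeOfRawData is used instead.

```python
import struct

COFF_FMT = "<HHIIIHH"          # Machine .. Characteristics (20 bytes)
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)


def pe_header_anomalies(data: bytes) -> list:
    """Flag header-layout tricks: no optional header, an ASCII string living
    in the COFF header, and sections relying on the SizeOfRawData fallback."""
    findings = []
    if len(data) < 0x40 or data[:2] != b"MZ":
        return ["no MZ header"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["no PE signature at e_lfanew"]
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = \
        struct.unpack_from(COFF_FMT, data, coff)
    if opt_size == 0:
        findings.append("SizeOfOptionalHeader is 0 (no optional header)")
    # TimeDateStamp, PointerToSymbolTable and NumberOfSymbols are not used by
    # the loader; printable ASCII there, NUL-terminated by a zeroed
    # SizeOfOptionalHeader, is an import DLL name stored in the COFF header.
    filler = data[coff + 4:coff + 16]
    if (opt_size == 0 and all(0x20 <= b < 0x7F for b in filler)
            and filler.lower().endswith(b".dll")):
        findings.append("import DLL name %r stored in TimeDateStamp..NumberOfSymbols"
                        % filler.decode("ascii"))
    sect = coff + 20 + opt_size
    for i in range(nsections):
        if sect + 40 > len(data):
            findings.append("section table truncated at index %d" % i)
            break
        _name, vsize, _va, rawsize = struct.unpack_from(SECTION_FMT, data, sect)[:4]
        if vsize == 0:
            findings.append("section %d: VirtualSize 0, loader uses SizeOfRawData %#x"
                            % (i, rawsize))
        sect += 40
    return findings


def build_sample() -> bytes:
    """Constructed 128-byte header using the layout from the mail."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)            # e_lfanew -> PE header
    hdr += b"PE\0\0" + struct.pack("<HH", 0x014C, 1)   # i386, one section
    hdr += b"kernel32.dll"                             # fills the three 4-byte fields
    hdr += struct.pack("<HH", 0, 0x0102)               # opt size 0 = NUL terminator
    hdr += struct.pack(SECTION_FMT, b".text", 0, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)         # VirtualSize 0
    return bytes(hdr)
```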
 

