[Code-Crunchers] Some Kernel Code Crunching
Peter Ferrie
pferrie at symantec.com
Mon Feb 19 13:16:43 CST 2007
>Here's a very interesting paper in general and it has some assembly gems for kernel payloads in particular...
>Check it out:
>http://uninformed.org/?v=3&a=4&t=sumry
Nice, but the second IDT scan-down example is 21 bytes long, not 20 bytes. Perhaps they meant this instead:
00000000 6A38 push byte +0x38
00000002 5E pop esi
00000003 64AD fs:lodsd
00000005 96 xchg esi, eax
00000006 AD lodsd
00000007 AD lodsd
00000008 662501F0 and ax,0xf001
0000000C 48 dec eax
0000000D 6681384D5A cmp word [eax],0x5a4d
00000012 75F4 jnz 0x8
Now it's 20 bytes.
It does not guarantee page-aligned scans, either, because the AND and DEC are reversed.
I mean, if ax==xxx0 already, then after the AND, it's still xxx0, then the DEC -> xxyf, then the compare of xxyf and xxx0 instead of xxx0 and xxx1.
It should really be this (but it introduces a null byte):
00000008 48 dec eax
00000009 662500F0 and ax,0xf000
We can make it safe if we increase by one byte, which returns us to their original size, this way:
00000008 48 dec eax
00000009 30C0 xor al, al
0000000B 80E4F0 and ah,0xf0
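As an added illustration (not part of Peter's message or the uninformed.org paper), the following Python models the three "align EAX down to a page" step variants discussed above, using 16-bit `and ax` / 8-bit `xor al`, `and ah` semantics and a constructed starting EAX, and shows which probe addresses each variant would feed to the `cmp word [eax],0x5a4d` check. It also sums the listed encodings to confirm the 20/20/21-byte counts.

```python
# Added example: simulate the loop-step variants from the post. Start value is constructed.
MASK32 = 0xFFFFFFFF

def dec_eax(eax):
    """dec eax: full 32-bit decrement, so a borrow propagates into bits 31..16."""
    return (eax - 1) & MASK32

def and_ax(eax, imm16):
    """and ax,imm16: only the low 16 bits are masked; bits 31..16 are untouched."""
    return (eax & 0xFFFF0000) | (eax & imm16 & 0xFFFF)

def step_posted(eax):
    """and ax,0xf001 ; dec eax  (the 20-byte listing: bit 0 survives the mask, then dec)."""
    return dec_eax(and_ax(eax, 0xF001))

def step_null_byte(eax):
    """dec eax ; and ax,0xf000  (correct order, but the immediate 0xf000 encodes a 00 byte)."""
    return and_ax(dec_eax(eax), 0xF000)

def step_null_free(eax):
    """dec eax ; xor al,al ; and ah,0xf0  (same result as step_null_byte, one byte longer)."""
    eax = dec_eax(eax)
    eax &= 0xFFFFFF00                                # xor al,al clears bits 7..0
    return (eax & 0xFFFF00FF) | (eax & 0x0000F000)   # and ah,0xf0 keeps only bits 15..12 of ah

def probes(step, start, n):
    """Addresses the cmp would test over n iterations, starting from EAX = start."""
    out, eax = [], start
    for _ in range(n):
        eax = step(eax)
        out.append(eax)
    return out

def page_aligned(addr):
    return addr & 0xFFF == 0

# Hex columns copied from the listings in the post; only the variant part differs.
# The jnz displacement changes for the 21-byte version, but its length does not.
COMMON = ["6A38", "5E", "64AD", "96", "AD", "AD", "6681384D5A", "75F4"]
VARIANT_POSTED    = COMMON + ["662501F0", "48"]
VARIANT_NULL_BYTE = COMMON + ["48", "662500F0"]
VARIANT_NULL_FREE = COMMON + ["48", "30C0", "80E4F0"]

def listing_size(hex_columns):
    return sum(len(h) // 2 for h in hex_columns)

if __name__ == "__main__":
    start = 0x80538E00  # constructed: low word looks like an interrupt-gate attribute word
    for name, step in (("posted", step_posted), ("null-byte", step_null_byte), ("null-free", step_null_free)):
        addrs = probes(step, start, 4)
        print(name, [f"{a:08x}" for a in addrs], [page_aligned(a) for a in addrs])
```

Running it shows the posted order alternates between an aligned probe and one 0xfff bytes below the next page boundary, while both dec-first variants step exactly one page per iteration.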