[Code-Crunchers] Some Kernel Code Crunching

Arkon arkon at ragestorm.net
Mon Feb 19 17:06:40 CST 2007


While it doesn't guarantee page-aligned scans only, it still scans page-aligned
addresses also, which is good enough for this purpose.

BTW - the pointer loading into EAX is really cool. :)


> -----Original Message-----
> From: Peter Ferrie [mailto:pferrie at symantec.com]
> Sent: Monday, February 19, 2007 9:17 PM
> To: code-crunchers at whitestar.linuxbox.org
> Subject: Re: [Code-Crunchers] Some Kernel Code Crunching
> 
> >Here's a very interesting paper in general and it has some assembly gems
> for kernel payloads in particular...
> >Check it out:
> >http://uninformed.org/?v=3&a=4&t=sumry
> 
> Nice, but second IDT scan-down example is 21 bytes long, not 20 bytes.
> Perhaps they meant this instead
> 
> 00000000  6A38              push byte +0x38
> 00000002  5E                pop esi
> 00000003  64AD              fs:lodsd
> 00000005  96                xchg esi, eax
> 00000006  AD                lodsd
> 00000007  AD                lodsd
> 00000008  662501F0          and ax,0xf001
> 0000000C  48                dec eax
> 0000000D  6681384D5A        cmp word [eax],0x5a4d
> 00000012  75F4              jnz 0x8
> 
> Now it's 20 bytes.
> It does not guarantee page-aligned scans, either, because the AND and DEC
> are reversed.
> I mean, if ax==xxx0 already, then after the AND, it's still xxx0, then the
> DEC -> xxyf, then the compare of xxyf and xxx0 instead of xxx0 and xxx1.
> Should really be (but introduces a null-byte)
> 
> 00000008  48                dec eax
> 00000009  662500F0          and ax,0xf000
> 
> We can make it safe if we increase by one byte, which returns us to their
> original size, this way
> 
> 00000008  48                dec eax
> 00000009  30C0              xor al, al
> 0000000B  80E4F0            and ah,0xf0
> 
> _______________________________________________
> Code-Crunchers mailing list
> Code-Crunchers at whitestar.linuxbox.org
> http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers

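The point under discussion is pure address arithmetic: the order of the mask and the decrement decides which addresses the `cmp word [eax],0x5a4d` actually touches while walking down from the IDT handler toward the "MZ" header. The following simulation is an added example written for this page, not code from the paper or from either poster. It models the three loop bodies quoted above (the 20-byte `and ax,0xf001 ; dec eax`, the NUL-containing `dec eax ; and ax,0xf000`, and the NUL-free `dec eax ; xor al,al ; and ah,0xf0`) with the partial-register semantics x86 applies to ax/ah/al, runs each over a constructed 64 KiB stand-in for the kernel range below the handler, and counts how many probes land on non-page-aligned addresses. The base address 0x80400000, the IDT entry's high dword 0x80408E00 and the header offset 0x4000 are assumptions chosen for the demonstration, not real ntoskrnl values.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the kernel address range below an IDT handler.
 * The buffer models addresses [BASE, BASE + SPACE_SIZE); the fake image's PE
 * header ("MZ") sits page-aligned at BASE + MZ_OFFSET.  All values are
 * assumptions for this demonstration, not real ntoskrnl addresses. */
#define BASE        0x80400000u
#define SPACE_SIZE  0x10000u
#define MZ_OFFSET   0x4000u

enum variant { AND_THEN_DEC, DEC_THEN_AND, DEC_XOR_AND };

/* One iteration of the address arithmetic, with the 16-/8-bit partial-register
 * operations applied to the low bits of eax the way x86 would. */
static uint32_t step(enum variant v, uint32_t eax)
{
    switch (v) {
    case AND_THEN_DEC:                 /* and ax,0xf001 ; dec eax (20-byte version) */
        eax = (eax & 0xFFFF0000u) | (eax & 0xF001u);
        return eax - 1;
    case DEC_THEN_AND:                 /* dec eax ; and ax,0xf000 (contains a NUL byte) */
        eax -= 1;
        return (eax & 0xFFFF0000u) | (eax & 0xF000u);
    case DEC_XOR_AND:                  /* dec eax ; xor al,al ; and ah,0xf0 (NUL-free) */
        eax -= 1;
        eax &= 0xFFFFFF00u;            /* xor al,al  */
        eax &= 0xFFFFF0FFu;            /* and ah,0xf0 */
        return eax;
    }
    return eax;
}

struct scan_result {
    uint32_t found;      /* address whose word compared equal to 0x5a4d, 0 if none */
    unsigned probes;     /* number of "cmp word [eax],0x5a4d" executed */
    unsigned unaligned;  /* how many of those probes were not page aligned */
};

/* Simulate "step ; cmp word [eax],0x5a4d ; jnz step", starting from the second
 * dword of IDT entry 0 (bits 31..16 = handler address high half, bits 15..0 =
 * gate attributes), exactly as the quoted listing leaves it in eax. */
static struct scan_result scan(enum variant v, const uint8_t *space, uint32_t idt_hi_dword)
{
    struct scan_result r = {0, 0, 0};
    uint32_t eax = idt_hi_dword;
    for (;;) {
        eax = step(v, eax);
        /* Stop before leaving the simulated range (a real scan would keep going). */
        if (eax < BASE || eax + 1 >= BASE + SPACE_SIZE) break;
        r.probes++;
        if (eax & 0xFFFu) r.unaligned++;
        /* little-endian word 0x5a4d == bytes 'M','Z' */
        if (space[eax - BASE] == 'M' && space[eax - BASE + 1] == 'Z') {
            r.found = eax;
            break;
        }
    }
    return r;
}

/* Build the constructed address space and run one variant against it. */
static struct scan_result run_variant(enum variant v)
{
    static uint8_t space[SPACE_SIZE];
    memset(space, 0xCC, sizeof space);          /* filler that can never spell "MZ" */
    memcpy(space + MZ_OFFSET, "MZ", 2);
    /* Assumed IDT entry 0 high dword: handler somewhere in 0x80408xxx,
     * attributes 0x8E00 (present, DPL 0, 32-bit interrupt gate). */
    return scan(v, space, 0x80408E00u);
}

int main(void)
{
    static const char *const name[] = {
        "and ax,0xf001 ; dec eax",
        "dec eax ; and ax,0xf000",
        "dec eax ; xor al,al ; and ah,0xf0",
    };
    for (int v = AND_THEN_DEC; v <= DEC_XOR_AND; v++) {
        struct scan_result r = run_variant((enum variant)v);
        printf("%-36s found=%08x probes=%u unaligned=%u\n",
               name[v], r.found, r.probes, r.unaligned);
    }
    return 0;
}
```

With the assumed start value, the AND-then-DEC loop alternates between an xxxFFF and an xxx000 probe (8 probes to reach the header, 4 of them unaligned), which is the behaviour both posters describe: not page-aligned only, but every page boundary still gets compared. Both DEC-first variants probe only page-aligned addresses (5 probes, none unaligned) and are byte-for-byte equivalent in effect. Note that each unaligned probe reads a word straddling a page boundary, since `cmp word [eax]` at xxxFFF touches the last byte of one page and the first byte of the next.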