- 3.1 (... addresses): This is completely synonymous with the mid-delta term used by eEye, but just clarified to indicate a direction.
- 3.2 (... flag): It is not possible to walk downward in 16-page decrements, because 16-page alignment is not guaranteed universally in kernel-mode.
- 3.3 (... symbol): The technique of walking the export directory to resolve symbols has been used for ages, so don't take the example here to be the first ever use of it.
- 3.4 (... 0x0311b83f): This was calculated by doing `perl -Ilib -MPex::Utils -e "printf \"%.8x\", Pex::Utils::Ror(Pex::Utils::RorHash(\"ExAllocatePool\"), 13);"`.
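The hash from footnote 3.4, recomputed in Python as an added example (not code from the paper or from the Metasploit Pex library): it assumes RorHash is a per-byte rotate-right-by-13-then-add over the ASCII export name and Ror one further 13-bit rotate, which reproduces the 0x0311b83f the footnote quotes for ExAllocatePool, and it goes one step further by building the hash table a defender precomputes so that a hash found in a sample can be mapped back to the export it resolves.

```python
# Added example, not from the paper. Assumption: Pex::Utils::RorHash rotates
# the running hash right by 13 bits and adds each byte of the name, and
# Pex::Utils::Ror applies one more 13-bit rotate afterwards. With those
# assumptions "ExAllocatePool" hashes to 0x0311b83f, the value in the footnote.

MASK32 = 0xFFFFFFFF


def ror32(value, bits):
    """Rotate a 32-bit value right by `bits` (the ror instruction on x86)."""
    bits %= 32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def ror_hash(name, bits=13):
    """Per-byte rotate-then-add hash of an ASCII export name (RorHash analogue)."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, bits) + b) & MASK32
    return h


def symbol_hash(name):
    """The hash exactly as the footnote computes it: a final rotate after the last byte."""
    return ror32(ror_hash(name), 13)


def build_lookup(export_names):
    """Map hash -> export name for a module's export list; also report collisions,
    since a hashed symbol resolver silently picks the first colliding export."""
    table, collisions = {}, []
    for n in export_names:
        h = symbol_hash(n)
        if h in table and table[h] != n:
            collisions.append((h, table[h], n))
        table.setdefault(h, n)
    return table, collisions


# Constructed sample export list (a few well-known ntoskrnl exports), not a real dump.
SAMPLE_EXPORTS = ["ExAllocatePool", "ExFreePool", "ZwOpenProcess", "PsGetCurrentProcess"]


def resolve(h, export_names=SAMPLE_EXPORTS):
    """Return the export whose hash is h, or None if no export in the list matches."""
    table, _ = build_lookup(export_names)
    return table.get(h)


if __name__ == "__main__":
    print("%.8x" % symbol_hash("ExAllocatePool"))  # 0311b83f
    print(resolve(0x0311B83F))                      # ExAllocatePool
```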
- 4.1 (... below): In kernel-mode, the fs segment points to the current processor's KPCR structure.
- 4.2 (... possible): Consequently, if anyone knows a definitive answer to this, the authors would love to hear it.
- 4.3 (... nt!PsProcessType): These procedures can be found in the _OBJECT_TYPE_INITIALIZER structure.
- 4.4 (... disassembly): This may not be safe if the KPRCB is not located immediately after the KPCR.
- 4.5 (... below): Testing was only performed on XP SP0.