Informative Information for the Uninformed
Next: KPRCB IdleThread Scandown
Up: Finding Ntoskrnl.exe Base Address
Previous: Finding Ntoskrnl.exe Base Address
  Contents
IDT Scandown
The approach for finding the base address of nt discussed in eEye's paper involved finding the high-order word of an IDT handler that was set to a symbol somewhere inside nt. After acquiring the symbol address, the payload simply walked down toward lower addresses in memory byte-by-byte until it found the MZ checksum. The following disassembly shows the approach taken to do this [2]:

    00000000 8B3538F0DFFF   mov esi,[0xffdff038]
    00000006 AD             lodsd
    00000007 AD             lodsd
    00000008 48             dec eax
    00000009 81384D5A9000   cmp dword [eax],0x905a4d
    0000000F 75F7           jnz 0x8

This approach is perfectly fine; however, it could be prone to error if the four checksum bytes were found somewhere within nt that did not actually coincide with its base address. This issue is present in any scandown technique (referred to as "mid-deltas" by eEye). Scanning down byte-by-byte can be seen as potentially more error prone, but this is purely conjecture at this point, as the authors are aware of no specific cases in which it would fail. It may also fail if the direction flag is not cleared, though the chances of this happening are minimal. One other limiting factor may be the presence of the NULL byte in the comparison.

It is possible to slightly improve this approach (depending upon which perspective one is looking at it from) by scanning downward one page at a time and by eliminating the need to clear the direction flag (footnote 3.2). This also eliminates the presence of NULL bytes. However, some of these changes lead to the code being slightly larger (20 bytes total):

    00000000 6A38           push byte +0x38
    00000002 5B             pop ebx
    00000003 648B03         mov eax,[fs:ebx]
    00000006 8B4004         mov eax,[eax+0x4]
    00000009 662501F0       and ax,0xf001
    0000000D 48             dec eax
    0000000E 6681384D5A     cmp word [eax],0x5a4d
    00000013 75F4           jnz 0x9
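To make the mid-delta risk concrete, the following Python simulation (an added example, not code from the paper or from eEye) models both scandown loops over a constructed flat memory image rather than a live kernel. The fake image, its base address, the handler address and the spurious "MZ" bytes are all constructed here; the page-wise loop models the intent of the second listing (test each page-aligned address) rather than reproducing its exact byte sequence. It also adds a sanity check the page's listings do not perform, following e_lfanew to the PE signature, which is one way a scanner can keep walking past a mid-delta.

```python
"""Simulate byte-wise and page-wise MZ scandown over a constructed memory image."""
import struct

PAGE = 0x1000
MZ_DWORD = b"MZ\x90\x00"  # 0x905a4d little-endian, the dword compared by the first listing


class FlatMemory:
    """Constructed flat address space: addresses [lo, lo + size) backed by a bytearray."""

    def __init__(self, lo, size):
        self.lo = lo
        self.buf = bytearray(size)

    def write(self, addr, data):
        off = addr - self.lo
        self.buf[off:off + len(data)] = data

    def read(self, addr, n):
        off = addr - self.lo
        if off < 0 or off + n > len(self.buf):
            # A real kernel payload would fault here; the model raises instead.
            raise MemoryError(f"unmapped read at {addr:#x}")
        return bytes(self.buf[off:off + n])


def byte_scandown(mem, start):
    """First listing: step down one byte at a time until the four checksum bytes match."""
    addr = start
    while True:
        addr -= 1
        if mem.read(addr, 4) == MZ_DWORD:
            return addr


def page_scandown(mem, start):
    """Second listing's intent: page-align, then test 'MZ' at each page boundary going down."""
    addr = start & ~(PAGE - 1)
    while True:
        if mem.read(addr, 2) == b"MZ":
            return addr
        addr -= PAGE


def looks_like_pe_header(mem, addr):
    """Extra check (not in the page): an MZ hit must lead via e_lfanew to 'PE\\0\\0'."""
    if mem.read(addr, 2) != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", mem.read(addr + 0x3C, 4))[0]
    if e_lfanew > PAGE:  # keep the dereference inside the page we already know is mapped
        return False
    return mem.read(addr + e_lfanew, 4) == b"PE\x00\x00"


def validated_scandown(mem, start):
    """Page scandown that ignores MZ hits which do not carry a PE signature."""
    addr = start & ~(PAGE - 1)
    while True:
        if looks_like_pe_header(mem, addr):
            return addr
        addr -= PAGE


def build_image(base, size, mid_deltas):
    """Constructed image: a fake nt at `base` with a minimal PE header plus spurious MZ bytes."""
    mem = FlatMemory(base, size)
    mem.write(base, MZ_DWORD)
    mem.write(base + 0x3C, struct.pack("<I", 0x100))  # e_lfanew -> PE signature
    mem.write(base + 0x100, b"PE\x00\x00")
    for offset in mid_deltas:  # "mid-deltas": checksum bytes that are not the real base
        mem.write(base + offset, MZ_DWORD)
    return mem


BASE = 0x80400000        # constructed base address, not a real ntoskrnl load address
HANDLER = BASE + 0x20123  # constructed "IDT handler symbol" located inside the image


def demo():
    """Run both scans against images with a mid-page and a page-aligned mid-delta."""
    results = {}
    mem = build_image(BASE, 0x40000, [0x1234])            # mid-delta not page-aligned
    results["byte_midpage"] = byte_scandown(mem, HANDLER)  # stops at the mid-delta
    results["page_midpage"] = page_scandown(mem, HANDLER)  # skips it, finds BASE
    mem = build_image(BASE, 0x40000, [0x2000])            # mid-delta on a page boundary
    results["byte_aligned"] = byte_scandown(mem, HANDLER)  # both plain scans are fooled
    results["page_aligned"] = page_scandown(mem, HANDLER)
    results["validated_aligned"] = validated_scandown(mem, HANDLER)  # PE check recovers
    return results


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name:18s} {addr:#x}")
```

The two images show the asymmetry the text describes: a mid-delta at an unaligned offset only misleads the byte-wise loop, while one that happens to sit on a page boundary misleads both, and only the extra PE-signature check walks past it.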