Informative Information for the Uninformed
Next: Resolving Symbols
Up: Finding Ntoskrnl.exe Base Address
Previous: SYSENTER_EIP_MSR Scandown
  Contents
Known Portable Base Scandown
A quick sampling of base addresses across different major releases shows that the base address of nt always falls within a certain range. The one exception found in the polling was Windows 2003 Server SP1, and for that reason this payload is not compatible with it. The basic idea is simply to use an offset that is known to reside within the region that nt is mapped at on the different operating system versions. The table below describes the mapping ranges for nt on a few different samplings:
As can be seen from the table, the address 0x8050babe resides within every region that nt could be mapped at except for Windows 2003 Server SP1. The payload below implements this approach:

00000000 B8BEBA5080 mov eax,0x8050babe
00000005 662501F0   and ax,0xf001
00000009 48         dec eax
0000000A 6681384D5A cmp word [eax],0x5a4d
0000000F 75F4       jnz 0x5
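To make the arithmetic of the five instructions above concrete, here is an added userland simulation in C; it is not code from the paper, and it models kernel memory with a constructed 2 MiB buffer rather than touching a real address space. The image base 0x804d7000 it plants an MZ header at is a constructed sample value, not one taken from the table. The simulation reproduces the and ax,0xf001 / dec eax step exactly, so it shows the probe sequence the payload actually walks (0x8050afff, 0x8050a000, 0x80509fff, 0x80509000, ...: each page boundary is compared twice, once as a word straddling the boundary and once aligned), and it adds a floor bound that the real 20-byte payload does not have, since the payload keeps reading downwards into unmapped memory if no header is ever found.

```c
/* Userland simulation of the known-portable-base scandown (added example). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIM_BASE   0x80400000u                /* lowest simulated address         */
#define SIM_SIZE   (2u * 1024u * 1024u)       /* 2 MiB: 0x80400000..0x805fffff    */
#define START_ADDR 0x8050babeu                /* the constant used by the payload */
#define MZ_MAGIC   0x5a4du                    /* 'MZ' read as a little-endian word */

static uint8_t sim_mem[SIM_SIZE];             /* constructed stand-in for kernel memory */

/* Translate a simulated virtual address into the backing buffer. */
static uint8_t *sim_ptr(uint32_t addr)
{
    if (addr < SIM_BASE || addr - SIM_BASE >= SIM_SIZE)
        return NULL;                          /* "unmapped": a real scan would fault here */
    return &sim_mem[addr - SIM_BASE];
}

/* Zero the simulated memory so no stale header is found. */
void sim_reset(void)
{
    memset(sim_mem, 0, sizeof sim_mem);
}

/* Write an MZ header at a page-aligned base (constructed image base). */
int sim_place_mz(uint32_t base)
{
    uint8_t *p = sim_ptr(base);
    if (p == NULL || (base & 0xfffu) != 0)
        return 0;
    p[0] = 'M';
    p[1] = 'Z';
    return 1;
}

/* One trip through the payload's arithmetic:  and ax,0xf001 ; dec eax
 * Only the low 16 bits are masked; bit 0 survives so that 0x...fff
 * becomes 0x...001 and the following dec lands on the page boundary. */
uint32_t scandown_step(uint32_t eax)
{
    uint32_t ax = (eax & 0xffffu) & 0xf001u;
    eax = (eax & 0xffff0000u) | ax;
    return eax - 1;
}

/* Walk down from start until the word at eax equals 'MZ'.
 * floor is an added termination bound; the payload itself has none. */
uint32_t known_base_scandown(uint32_t start, uint32_t floor)
{
    uint32_t eax = start;
    for (;;) {
        eax = scandown_step(eax);
        if (eax < floor)
            return 0;                         /* nothing found above the floor */
        uint8_t *lo = sim_ptr(eax), *hi = sim_ptr(eax + 1);
        if (lo == NULL || hi == NULL)
            return 0;                         /* would be an unmapped read */
        uint16_t word = (uint16_t)(lo[0] | (hi[0] << 8)); /* cmp word [eax],0x5a4d */
        if (word == MZ_MAGIC)
            return eax;                       /* jnz not taken: base found */
    }
}

int main(void)
{
    sim_reset();
    sim_place_mz(0x804d7000u);                /* constructed sample base */
    uint32_t p1 = scandown_step(START_ADDR);
    uint32_t p2 = scandown_step(p1);
    uint32_t p3 = scandown_step(p2);
    printf("first probes: 0x%08x 0x%08x 0x%08x\n", p1, p2, p3);
    printf("found base:   0x%08x\n", known_base_scandown(START_ADDR, SIM_BASE));
    return 0;
}
```

The two-probes-per-page behaviour is a direct consequence of masking only ax: after dec eax the address is 0x...fff, the mask turns that into 0x...001, and the next dec yields the aligned 0x...000. The misaligned compare is harmless but wasted, which is the price of fitting the loop into 20 bytes.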