Uninformed: Informative Information for the Uninformed

Vol 3» 2006.Jan

Known Portable Base Scandown

Size: 17 bytes
Compat: 2000, XP, 2003 SP0

A quick sampling of base addresses across different major releases show that the base address of nt is always within a certain range. The one exception to this in the polling was Windows 2003 Server SP1, and for that reason this payload is not compatible. The basic idea is to simply use an offset that is known to reside within the region that nt will be mapped at on different operating system versions. The table below describes the mapping ranges for nt on a few different samplings:

Platform Base Address End Address
Windows 2000 SP4 0x80400000 0x805a3a00
Windows XP SP0 0x804d0000 0x806b3f00
Windows XP SP2 0x804d7000 0x806eb780
Windows 2003 SP1 0x80800000 0x80a6b000

As can be seen from the table, the address 0x8050babe resides within every region that nt could be mapped at except for Windows 2003 Server SP1. The payload below implements this approach:

00000000  B8BEBA5080        mov eax,0x8050babe
00000005  662501F0          and ax,0xf001
00000009  48                dec eax
0000000A  6681384D5A        cmp word [eax],0x5a4d
0000000F  75F4              jnz 0x5