So if you're in a situation where you get this:
mov ecx, [edx] : edx = [something you control]
push edx
call [ecx + 0x1c]
You know you've trashed a vtable pointer. If you also, say, have esi pointing to a buffer you control, then you need to get esi into esp and then return. To do this, though, you'll need a pointer to a pointer which, with 0x1c added to it, points to a pointer to (for example):
mov esp, esi
ret
This used to mean clever IDA scripts, searching over multiple DLLs, lots of time, PITA. To do this automagically in byakugan, you can now type:
!jutsu searchVtptr [offset in vtable] [opcodes]
So in this case:
!jutsu searchVtptr 0x1c mov esp, esi | ret
This works a lot like the searchOpcode jutsu. Instructions are delineated by the | character in your command. Currently, no wildcards are supported, but I plan to add that functionality. The main obstacle to that, I think, is speed. It's not really a speed demon of a jutsu as it is now (it runs three nested search loops), but I suppose it beats hunting by hand ;) So if you're lucky, and your process space contains the code and pointers you need, you'll get something like this back:
0x75cb4b36 -> 0x10450107 -> 0x100ffc08 -> sequence
0x6bb322a6 -> 0x1045891b -> 0x100ffc08 -> sequence
0x6f862d19 -> 0x1045891b -> 0x100ffc08 -> sequence
0x6b7e9459 -> 0x10458b3f -> 0x100ffc08 -> sequence
0x6b82884e -> 0x10458b3f -> 0x100ffc08 -> sequence
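To make the three nested loops concrete, here is an added example (not byakugan's code) that runs the same chain search over a constructed 32-bit memory image and prints chains in the same format as above. The region bases, the fake vtable at offset 0x100, the two objects holding its address, and the opcode bytes 8B E6 C3 (one encoding of mov esp, esi ; ret) are all assumptions made up for the example.

```python
import struct

# Constructed 32-bit process image for the example: {base address: bytes}.
CODE_BASE = 0x10000000
DATA_BASE = 0x10400000
SEQUENCE = b"\x8b\xe6\xc3"            # mov esp, esi ; ret (assumed encoding)
VTABLE = DATA_BASE + 0x100            # fake vtable; its slot 0x1c will point at SEQUENCE

def build_memory():
    code = b"\x90" * 8 + SEQUENCE + b"\x90" * 5              # sequence lives at CODE_BASE + 8
    data = bytearray(0x200)
    struct.pack_into("<I", data, 0x100 + 0x1c, CODE_BASE + 8)  # [VTABLE + 0x1c] -> sequence
    struct.pack_into("<I", data, 0x40, VTABLE)                 # two fake objects whose first
    struct.pack_into("<I", data, 0x80, VTABLE)                 # dword is the vtable pointer
    return {CODE_BASE: code, DATA_BASE: bytes(data)}

def find_all(blob, needle):
    """Every offset of needle in blob, overlapping matches included."""
    i = blob.find(needle)
    while i >= 0:
        yield i
        i = blob.find(needle, i + 1)

def pointers_to(memory, target):
    """Every address whose little-endian dword contents equal target."""
    needle = struct.pack("<I", target)
    for base, blob in memory.items():
        for off in find_all(blob, needle):
            yield base + off

def search_vtptr(memory, offset, opcodes):
    """The three nested searches: (1) every copy of the opcode sequence,
    (2) every dword pointing at it, treated as a vtable slot so vtable = slot - offset,
    (3) every dword pointing at that vtable. Returns sorted (ptr, vtable, seq) tuples."""
    chains = []
    for base, blob in memory.items():
        for seq_off in find_all(blob, opcodes):
            seq = base + seq_off
            for slot in pointers_to(memory, seq):
                vtable = slot - offset
                if vtable < 0:
                    continue
                for ptr in pointers_to(memory, vtable):
                    chains.append((ptr, vtable, seq))
    return sorted(chains)

def format_chain(chain):
    """Render a chain the way the jutsu prints it."""
    return " -> ".join("0x%08x" % a for a in chain) + " -> sequence"

MEMORY = build_memory()

if __name__ == "__main__":
    for chain in search_vtptr(MEMORY, 0x1c, SEQUENCE):
        print(format_chain(chain))
```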
Once you have a working chain of pointers, you can put the return address that turns off DEP in your pointer at esi, one of your chain pointers in edx, and roll on along from there. Happy hunting!