Exetools  

04-24-2005, 22:22
MaRKuS-DJM
ImportRec needs to read the header of user32.dll. It does this in the target process, but there the header got destroyed. I included a little check when ReadProcessMemory is called to compare the lpBaseAddress parameter of ReadProcessMemory to the ModuleBase of user32.dll.
If the check succeeds, I wrote a small read function which reads the user32.dll loaded by ImportRec instead of the user32.dll used by the target process, so it gets a valid header and valid values.
Regards

Btw, the invalid IAT value isn't the point where it crashes. Most of the time the IAT entry isn't needed.
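The redirect described in the post above, as an added example that is not part of the original post or the poster's own patch: a portable C model in which `remote_read` stands in for ReadProcessMemory, and the names `header_redirect`, `redirected_read`, `header_size` and the sample buffers are assumptions. It goes slightly beyond the post's base-address comparison by covering any read that starts inside the header range and by handling a read that runs past the header.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the real remote read (ReadProcessMemory in the post). */
typedef int (*remote_read_fn)(uintptr_t addr, void *buf, size_t len);

typedef struct {
    uintptr_t      module_base;  /* base of the module whose header was wiped */
    const uint8_t *local_image;  /* the tool's own loaded copy of that module */
    size_t         header_size;  /* assumed: bytes of header served locally */
    remote_read_fn remote_read;  /* used for every non-header byte */
} header_redirect;

/* Returns 1 on success, 0 on failure, mirroring a BOOL-style read API. */
int redirected_read(const header_redirect *r, uintptr_t addr, void *buf, size_t len)
{
    uintptr_t hdr_end = r->module_base + r->header_size;
    if (addr < r->module_base || addr >= hdr_end)
        return r->remote_read(addr, buf, len);   /* not a header read */

    size_t off   = (size_t)(addr - r->module_base);
    size_t local = r->header_size - off;         /* header bytes available */
    if (local > len) local = len;
    memcpy(buf, r->local_image + off, local);    /* intact header, local copy */
    if (local == len) return 1;
    /* The read runs past the header: the remainder still comes from the target. */
    return r->remote_read(hdr_end, (uint8_t *)buf + local, len - local);
}

/* Constructed sample: a "target" image whose first 8 bytes (header) are zeroed. */
#define SAMPLE_BASE ((uintptr_t)0x10000)
static const uint8_t sample_local[12]  = {'M','Z',0x90,0,3,0,0,0, 1,2,3,4};
static const uint8_t sample_target[12] = {0,0,0,0,0,0,0,0, 9,9,9,9};

static int sample_remote_read(uintptr_t addr, void *buf, size_t len)
{
    if (addr < SAMPLE_BASE || addr - SAMPLE_BASE + len > sizeof sample_target)
        return 0;                                /* outside the sample image */
    memcpy(buf, sample_target + (addr - SAMPLE_BASE), len);
    return 1;
}

int main(void)
{
    header_redirect r = { SAMPLE_BASE, sample_local, 8, sample_remote_read };
    uint8_t mz[2];
    return !(redirected_read(&r, SAMPLE_BASE, mz, 2) && mz[0] == 'M' && mz[1] == 'Z');
}
```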
All times are GMT +8.

