The PEB Address

Started by six_L, October 04, 2005, 02:07:47 PM

six_L

Hello, All
The doc was recommended by FOUR-F. I translated it into English.
;===============================================================
                                  Protecting Stack Overflow of The Windows XP SP2
                                                         19-12-2004

       We often need to use the global variables and SEH while we are doing EXP towards the bug of overflow. But now, we can't use this skill to finish our work. What did MS do in Windows XP SP2? She did a lot. For example, she encoded the global variables.
For detail, the document includes the following:
1.   Processing the first address of mapping PEB manager structure through random. After a while, we'll see the processing
        method is weak, but it is enough to forbid EXP from finishing the work or working stably.
2.   Protecting TOP SEH
3.   Protecting the VEH chaining point _RtlpCalloutEntryList
4.   Protecting the cookie of stack structure

;===============================================================
the attachment is part one

[attachment deleted by admin]
regards

Infro_X

Umm, nothing shows and I get an error saying that I need the Simplified Chinese language support pack. ...

six_L

Changed into txt.
If the txt can't be opened properly, let me know.
regards

GregL

The PDF worked for me but Adobe Reader 7.0 insisted on downloading some Chinese fonts first.

The text works fine.


Infro_X

Indeed, text works fine, thx btw!

ToutEnMasm

Hello,
It's a good day for me, I find in MSDN
the process's environment block (PEB)
http://msdn.microsoft.com/msdnmag/issues/02/03/Loader/

Later: another piece of news
In another MSDN article on Server 2003, I find

The CoGetContextToken API returns the IObjContext for the current
context. It's interesting primarily because this value is stored
in the ReservedForOle field in the TEB, which is finally
documented in WINTERNL.H

WINTERNL.H helps us not to make errors; it is subject to change:
//
// Instead of using the Tls fields, use the Win32 TLS APIs
//     TlsAlloc, TlsGetValue, TlsSetValue, TlsFree
//
// Instead of using the ReservedForOle field, use the COM API
//     CoGetContextToken
//
typedef struct _TEB {
    BYTE Reserved1[1952];
    PVOID Reserved2[412];
    PVOID TlsSlots[64];
    BYTE Reserved3[8];
    PVOID Reserved4[26];
    PVOID ReservedForOle;  // Windows 2000 only
    PVOID Reserved5[4];
    PVOID TlsExpansionSlots;
} TEB;
typedef TEB *PTEB;

                                ToutEnMasm
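A worked example, added here and not part of ToutEnMasm's post or of winternl.h itself: it models the quoted TEB with 32-bit pointers (an assumption, made explicit with uint32_t so the arithmetic runs on any host) to show which raw x86 offsets the Reserved padding hides, and which location a TLS index resolves to, which is why the header points at the documented TlsAlloc/TlsGetValue/TlsSetValue calls rather than the fields.

```c
/* Added example: winternl.h TEB layout as laid out on 32-bit x86 (PVOID = 4 bytes).
 * Assumption: pointer fields are modelled as uint32_t; the offsets below are the
 * well-known x86 TEB offsets and are checked, not taken from the forum post. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t PVOID32;              /* PVOID on 32-bit Windows */

#define TLS_MINIMUM_AVAILABLE 64       /* inline slots in the TEB (winnt.h) */
#define TLS_EXPANSION_SLOTS   1024     /* extra slots behind TlsExpansionSlots (winnt.h) */

typedef struct _TEB32 {                /* same field list as the quoted winternl.h TEB */
    uint8_t  Reserved1[1952];
    PVOID32  Reserved2[412];
    PVOID32  TlsSlots[TLS_MINIMUM_AVAILABLE];
    uint8_t  Reserved3[8];
    PVOID32  Reserved4[26];
    PVOID32  ReservedForOle;           /* Windows 2000 only; use CoGetContextToken */
    PVOID32  Reserved5[4];
    PVOID32  TlsExpansionSlots;        /* pointer to the expansion array, or NULL */
} TEB32;

/* The undocumented offsets the Reserved padding hides (what fs:[..] reads would use). */
size_t teb32_tls_slots_offset(void)        { return offsetof(TEB32, TlsSlots); }
size_t teb32_reserved_for_ole_offset(void) { return offsetof(TEB32, ReservedForOle); }
size_t teb32_tls_expansion_offset(void)    { return offsetof(TEB32, TlsExpansionSlots); }

/* Where TlsGetValue(index) must look: 1 = inline in TlsSlots, 2 = behind the
 * TlsExpansionSlots pointer (an extra indirection), 0 = invalid index. */
int tls_slot_kind(uint32_t index)
{
    if (index < TLS_MINIMUM_AVAILABLE) return 1;
    if (index < TLS_MINIMUM_AVAILABLE + TLS_EXPANSION_SLOTS) return 2;
    return 0;
}

/* Byte offset of the slot: within the TEB for kind 1, within the expansion
 * array for kind 2, (size_t)-1 for an invalid index. */
size_t tls_slot_offset(uint32_t index)
{
    switch (tls_slot_kind(index)) {
    case 1:  return offsetof(TEB32, TlsSlots) + index * sizeof(PVOID32);
    case 2:  return (index - TLS_MINIMUM_AVAILABLE) * sizeof(PVOID32);
    default: return (size_t)-1;
    }
}

int main(void)
{
    printf("TlsSlots at TEB+0x%zx, ReservedForOle at TEB+0x%zx, TlsExpansionSlots at TEB+0x%zx\n",
           teb32_tls_slots_offset(), teb32_reserved_for_ole_offset(), teb32_tls_expansion_offset());
    printf("TLS index 70: kind %d, offset 0x%zx (in the expansion array, not the TEB)\n",
           tls_slot_kind(70), tls_slot_offset(70));
    return 0;
}
```

The same field list on x64 has 8-byte pointers and different padding, so every offset above changes; the API hides that and the expansion indirection, which is the point of the header comment.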

six_L

Part 2, about Protecting TOP SEH.

[attachment deleted by admin]
regards