The MASM Forum Archive 2004 to 2012

General Forums => The Laboratory => Topic started by: six_L on October 04, 2005, 02:07:47 PM

Title: The PEB Address
Post by: six_L on October 04, 2005, 02:07:47 PM
Hello, All
The doc was recommended by FOUR-F. I translated it into English.
;===============================================================
Protecting Stack Overflow of the Windows XP SP2
19-12-2004

We often need to use the Global variables and SEH while we are doing EXP towards the bug of overflow. But now, we can't use this skill to finish our work. What did MS do in Windows XP SP2? She did a lot. For example, she encoded the Global variables.
For detail, the document includes the following:
1. Processing the first address of mapping the PEB manager structure through random. After a while, we'll see the processing method is weak, but it is enough to forbid the EXP from finishing the work or working stably.
2. Protecting TOP SEH
3. Protecting the VEH chaining point _RtlpCalloutEntryList
4. Protecting the cookie of the stack structure

;===============================================================
The attachment is part one.

[attachment deleted by admin]
Title: Re: The PEB Address
Post by: Infro_X on October 05, 2005, 01:46:10 AM
Umm, nothing shows and I get an error saying that I need the Simplified Chinese language support pack. ...
Title: Re: The PEB Address
Post by: six_L on October 05, 2005, 03:07:44 AM
Changed into txt.
If the txt can't be opened suitably, let me know.
Title: Re: The PEB Address
Post by: GregL on October 06, 2005, 01:10:43 AM
The PDF worked for me but Adobe Reader 7.0 insisted on downloading some Chinese fonts first.

The text works fine.

Title: Re: The PEB Address
Post by: Infro_X on October 06, 2005, 07:03:45 AM
Indeed, text works fine, thx btw!
Title: Re: The PEB Address
Post by: ToutEnMasm on October 06, 2005, 12:45:06 PM
Hello,
It's a good day for me: I found in MSDN
process's environment block (PEB)
http://msdn.microsoft.com/msdnmag/issues/02/03/Loader/

Later: more news.
In another MSDN article on Server 2003, I found

The CoGetContextToken API returns the IObjContext for the current
context. It's interesting primarily because this value is stored
in the ReservedForOle field in the TEB, which is finally
documented in WINTERNL.H

WINTERNL.H helps us not to make errors; its layout is subject to change:
//
// Instead of using the Tls fields, use the Win32 TLS APIs
//     TlsAlloc, TlsGetValue, TlsSetValue, TlsFree
//
// Instead of using the ReservedForOle field, use the COM API
//     CoGetContextToken
//
typedef struct _TEB {
    BYTE Reserved1[1952];
    PVOID Reserved2[412];
    PVOID TlsSlots[64];
    BYTE Reserved3[8];
    PVOID Reserved4[26];
    PVOID ReservedForOle;  // Windows 2000 only
    PVOID Reserved5[4];
    PVOID TlsExpansionSlots;
} TEB;
typedef TEB *PTEB;

                                ToutEnMasm
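As an added example (not code from this thread or from WINTERNL.H), the MASM32 program below reads the current thread's TEB from fs:[18h] and the PEB from fs:[30h] on 32-bit Windows, then stores a value with TlsSetValue and compares what TlsGetValue returns against a raw read of TEB.TlsSlots at the offset the structure above implies (1952 + 412*4 = 0E10h). The include paths, the constant TEB_TLSSLOTS and the test value 12345678h are assumptions; the raw read is only a check, the documented TLS APIs are what code should use.

```asm
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
; TlsSlots[64] offset in the WINTERNL.H layout quoted above: 1952 + 412*4 = 3600 = 0E10h (x86 only, assumed)
TEB_TLSSLOTS equ 0E10h
.data
    szFmt db "PEB=%08Xh TEB=%08Xh slot=%u TlsSlots[slot]=%08Xh TlsGetValue=%08Xh",13,10,0
.data?
    szBuf     db 256 dup(?)
    dwSlot    dd ?
    dwLen     dd ?
    dwWritten dd ?
    dwPeb     dd ?
    dwTeb     dd ?
    dwRaw     dd ?
    dwApi     dd ?
.code
start:
    ASSUME fs:NOTHING
    mov eax, fs:[18h]              ; NtTib.Self: linear address of this thread's TEB
    mov dwTeb, eax
    mov eax, fs:[30h]              ; TEB.ProcessEnvironmentBlock (the address XP SP2 randomises)
    mov dwPeb, eax
    invoke TlsAlloc                ; documented API; the raw TEB read below is only a check
    mov dwSlot, eax
    invoke TlsSetValue, dwSlot, 12345678h   ; constructed test value
    cmp dwSlot, 64                 ; indices >= 64 live in TlsExpansionSlots, not TlsSlots
    jb @F
    invoke ExitProcess, 1          ; give up rather than read past the 64-entry array
@@:
    mov eax, dwTeb
    mov ecx, dwSlot
    mov eax, dword ptr [eax+ecx*4+TEB_TLSSLOTS]   ; raw read of TEB.TlsSlots[slot]
    mov dwRaw, eax
    invoke TlsGetValue, dwSlot              ; equals dwRaw while the layout is unchanged
    mov dwApi, eax
    invoke wsprintf, addr szBuf, addr szFmt, dwPeb, dwTeb, dwSlot, dwRaw, dwApi
    mov dwLen, eax
    invoke GetStdHandle, STD_OUTPUT_HANDLE
    invoke WriteFile, eax, addr szBuf, dwLen, addr dwWritten, NULL
    invoke TlsFree, dwSlot
    invoke ExitProcess, 0
end start
```

Running it twice on XP SP2 shows the PEB address changing between runs while the two TLS values stay equal; if they ever differ, the structure layout has changed and only the API result can be trusted.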
Title: Re: The PEB Address
Post by: six_L on October 07, 2005, 02:45:44 AM
Part 2, about Protecting TOP SEH.

[attachment deleted by admin]