WinDbg tips for writing shellcode

I’ve had to search for instruction using WinDbg when doing a stack pivot. The following example will search for jump edx (ff e2):

s 0 L?7EEEEEEE ff e2

Once you find a list of instructions that can be used for your pivot, verify you have the correct command by disassembling at that address:

0:000> u 7706da75 7706da75 ffe2 jmp edx 7706da77 48 dec eax 7706da78 8b05ca160300 mov eax,dword ptr ds:[316CAh] 7706da7e 48 dec eax 7706da7f 85c0 test eax,eax 7706da81 7419 je 7706da9c 7706da83 807c246000 cmp byte ptr [esp+60h],0 7706da88 7412 je 7706da9c

Once you have found an address to use for your stack pivot double check the memory protections at that address using !vprot:

0:000> !vprot 7706da75 BaseAddress: 7706d000 AllocationBase: 77050000 AllocationProtect: 00000080 PAGE_EXECUTE_WRITECOPY RegionSize: 00018000 State: 00001000 MEM_COMMIT Protect: 00000020 PAGE_EXECUTE_READ Type: 01000000 MEM_IMAGE

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Cancel

Connecting to %s

Share this:

Like this:

Leave a Reply Cancel reply