Yet another one…
\nThis time, smaller, more correct, and still null-free.
\nI looked a bit at some shellcodes at exploit-db and googled too, to see whether anyone got a smaller way to no avail.<\/p>\n
I based my code on: And this is my version:<\/p>\n The tricky part was how to read from FS:0x30, and the way I use is the smallest one, at least from what I checked. This way, it’s only 22 bytes, it doesn’t assume that kernel32.dll is the second\/third entry in the list, it actually loops till it finds the correct module length (len of ‘kernel32.dll’ * 2 bytes). Also since kernelbase.dll can come first and that renders lots of implementations of this technique unusable. Enjoy<\/p>\n
\nhttp:\/\/skypher.com\/index.php\/2009\/07\/22\/shellcode-finding-kernel32-in-windows-7\/<\/a>
\nAFAIK, who based his post on:
\nhttp:\/\/blog.harmonysecurity.com\/2009_06_01_archive.html<\/a><\/p>\n\r\n00000000 (02) 6a30 PUSH 0x30\r\n00000002 (01) 5e POP ESI\r\n; Use DB 0x64; LODSD\r\n00000003 (02) 64ad LODS EAX, [FS:ESI]\r\n00000005 (03) 8b700c MOV ESI, [EAX+0xc]\r\n00000008 (03) 8b761c MOV ESI, [ESI+0x1c]\r\n0000000b (03) 8b5608 MOV EDX, [ESI+0x8]\r\n0000000e (04) 807e1c18 CMP BYTE [ESI+0x1c], 0x18\r\n00000012 (02) 8b36 MOV ESI, [ESI]\r\n00000014 (02) 75f5 JNZ 0xb\r\n<\/pre>\n
\nAnother issue that was fixed is the check for kernel32.dll, usually the variation of this shellcode checks for a null byte, but it turned out to be bogous on W2k machines, so it was changed to check for a null word. Getting the shellcode by a byte or two longer.<\/p>\n
\nAnd obviously the resulting base address of kernel32.dll is in EDX.<\/p>\n