Author: tnttools
The ESP law: because a packer's decompression stub leaves the stack balanced between its start and its end, a hardware breakpoint on 0012FFC0 breaks at push ebp, the first instruction of the OEP. Why is ESP 0x0012FFC4 at that point rather than 0x0012FFFC? The answer follows from the Windows code that starts the process.
Windows creates a process through the call chain kernel32.dll!_CreateProcessInternalW -> … -> kernel32.dll!_BaseProcessStartThunk() -> kernel32.dll!_BaseProcessStart() -> EP
On entry to _BaseProcessStartThunk(), the stack is:
+ 0012FFFC 00000000 <- ESP
---------------------------------------------------------
_BaseProcessStartThunk@8 proc near
xor ebp, ebp
push eax
push 0
jmp _BaseProcessStart@4 ; BaseProcessStart(x)
_BaseProcessStartThunk@8 endp
----------------------------------------------------------
After _BaseProcessStartThunk has executed, the stack state is:
+ 0012FFFC 00000000
+ 0012FFF8 EAX
+ 0012FFF4 0x00000000 <- ESP
---------------------------------------------------------
_BaseProcessStart proc
push 0Ch
push offset dword_7C816FE0
call __SEH_prolog
and [ebp+ms_exc.disabled], 0
push 4
lea eax, [ebp+8]
push eax
push 9
push 0FFFFFFFEh
call ds:__imp__NtSetInformationThread@16 ; NtSetInformationThread(x,x,x,x)
call dword ptr [ebp+8]
push eax ; dwExitCode
call _ExitThread@4
nop
nop
nop
---------------------------------------------------------
After BaseProcessStart() has run up to its call of the entry point, the stack is:
+ 0012FFFC 0x00000000
+ 0012FFF8 OldEAX -> EntryPoint, passed to NtSetInformationThread()
+ 0012FFF4 reserved, initialised to 0x00000000
+ 0012FFF0 OldEBP(0x00000000) <- EBP now
+ 0012FFEC TryLevel, initialised to 0xFFFFFFFF
+ 0012FFE8 ScopeTable
+ 0012FFE4 __except_handler3 in kernel32.dll
+ 0012FFE0 0xFFFFFFFF <- fs:[00h]
+ 0012FFDC ExceptionInfo, parameter of UnhandledExceptionFilter()
+ 0012FFD8 OldESP(0x0012FFC8)
+ 0012FFD4 ExceptionCode, parameter of kernel32.dll!ExitProcess
+ 0012FFD0 EBX(pPEB)
+ 0012FFCC ESI
+ 0012FFC8 EDI <- OldESP
+ 0012FFC4 retaddr in kernel32.dll!_BaseProcessStartThunk <- ESP now
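The ESP law modelled in a few lines of Python, as an added example that is not part of the original post. It assumes the packer stub begins with pushad and that the analyst arms the hardware write breakpoint on 0x0012FFC0 after stepping over that pushad; the addresses are the ones derived above.

```python
# Added example (not from the original post): a small stack model of the
# "ESP law" using the Windows XP addresses derived in the post.
EP_ESP = 0x0012FFC4   # ESP when kernel32 calls the packed PE's entry point
WATCH = EP_ESP - 4    # 0x0012FFC0: the slot the OEP's "push ebp" writes


class Stack:
    """32-bit stack with one hardware-style write watchpoint."""

    def __init__(self, esp):
        self.esp, self.mem, self.watch, self.hits = esp, {}, None, []

    def arm(self, addr):
        self.watch = addr

    def push(self, value, pc):
        self.esp -= 4
        self.mem[self.esp] = value
        if self.esp == self.watch:       # a write here stops the debugger
            self.hits.append(pc)

    def pop(self):
        value = self.mem.pop(self.esp)
        self.esp += 4
        return value


def simulate():
    """Stub: pushad, balanced work, popad, jmp OEP. OEP starts with push ebp.
    Assumption: the watchpoint is armed after stepping over the stub's pushad."""
    st = Stack(EP_ESP)
    for reg in range(8):                  # pushad -> ESP 0x0012FFA4
        st.push(reg, pc="stub:pushad")
    st.arm(WATCH)                         # analyst sets hw write bp on 12FFC0
    for i in range(4):                    # stub's own, balanced stack traffic
        st.push(0x1000 + i, pc="stub:work")
    for _ in range(4):
        st.pop()
    for _ in range(8):                    # popad -> ESP back to 0x0012FFC4
        st.pop()
    esp_at_oep = st.esp                   # stack is balanced again
    st.push(0, pc="oep:push ebp")         # ebp is 0 (xor ebp,ebp in the thunk)
    return esp_at_oep, st.esp, st.hits
```

Only the OEP's push ebp writes 0x0012FFC0 after the watchpoint is armed, which is why the breakpoint lands on the first OEP instruction.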
Appendix:
DWORD SizeOfStackReserve; // 0x48-4b
DWORD SizeOfStackCommit; // 0x4c-4f
DWORD SizeOfHeapReserve; // 0x50-53
DWORD SizeOfHeapCommit; // 0x54-57
These are four fields of the IMAGE_OPTIONAL_HEADER (IOH).
Virtual memory comes in two states: Reserved and Committed.
Reserved means the address range is set aside for a purpose and cannot be handed out to anything else; Committed means the range is already mapped to a virtual memory segment backed by physical memory (which may also be paged out to the disk cache file pagefile.sys). Because the stack and heap segments grow while the program runs, they do not grab scarce physical memory up front; when the committed part is exhausted and an exception occurs, the Windows memory manager commits another portion.
SizeOfStackReserve: the size of the stack segment the program reserves at start-up.
SizeOfStackCommit: the part of the reserved stack segment that is committed (mapped to physical memory) at start-up.
SizeOfHeapReserve: the size of the heap segment the program reserves at start-up.
SizeOfHeapCommit: the part of the reserved heap segment that is committed (mapped to physical memory) at start-up.
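A parser that reads these four fields from a PE image, as an added example that is not part of the original post. It walks the DOS header and PE signature to the optional header and uses the PE32 offsets listed above; the PE32+ branch (8-byte fields at 0x48, 0x50, 0x58 and 0x60) is my generalisation beyond what the post covers, and the sample header is constructed inline, not taken from a real binary.

```python
import struct

# Added example, not from the original post. Offsets follow the appendix for
# PE32; the PE32+ offsets are an assumption-labelled generalisation.
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
FIELDS = ("SizeOfStackReserve", "SizeOfStackCommit",
          "SizeOfHeapReserve", "SizeOfHeapCommit")


def parse_stack_heap_sizes(image: bytes) -> dict:
    """Return the four reserve/commit sizes from a PE image's optional header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_header = e_lfanew + 4                     # IMAGE_FILE_HEADER (20 bytes)
    size_of_opt = struct.unpack_from("<H", image, file_header + 16)[0]
    opt = file_header + 20                         # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == PE32_MAGIC:
        fmt, base = "<IIII", 0x48                  # DWORDs at 0x48/0x4C/0x50/0x54
    elif magic == PE32PLUS_MAGIC:
        fmt, base = "<QQQQ", 0x48                  # QWORDs at 0x48/0x50/0x58/0x60
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if base + struct.calcsize(fmt) > size_of_opt:  # refuse a truncated header
        raise ValueError("optional header too small for stack/heap fields")
    values = struct.unpack_from(fmt, image, opt + base)
    return dict(zip(FIELDS, values))


def build_sample_pe32() -> bytes:
    """Constructed minimal PE32 header (not a real binary): 1 MiB stack
    reserve, 4 KiB stack commit, 1 MiB heap reserve, 4 KiB heap commit."""
    e_lfanew = 0x80
    dos = (b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0                                # standard PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<IIII", opt, 0x48, 0x100000, 0x1000, 0x100000, 0x1000)
    return dos + b"PE\0\0" + file_hdr + bytes(opt)
```

Pass the bytes of any real PE file to parse_stack_heap_sizes() to read the values the loader will use when it reserves and commits the initial stack and heap.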