Fix egghunter for win10 wow64 #43
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
the current egghunter for win10 wow64 fails to loop through the pages. this is due to some missing PUSH EBX (0) before NtAccessCheckAndAuditAlarm. without them, last error will be set to INVALID_NAME. tested on QuickZip 4.60 SEH exploit on win10. after fixing the page loop, we noticed that this was not enough. the egghunter has to reset EBX every loop with XOR EBX, EBX, otherwise it will stop at offset 1 of the current page.
phra
force-pushed
the
fix/egghunter-win10-wow64
branch
from
5ff6382 to
3dc4e2e
Compare
Contributor
Author
|
any updates? :) |
Member
|
hey - sorry for the feedback, I have not forgotten about this - I will look at the issue and your fix very soon - thank you for your help and contribution ! :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
the current egghunter for win10 wow64 fails to loop through the pages.
this is due to some missing
PUSH EBX(0) beforeNtAccessCheckAndAuditAlarm.without them, the syscall always fails and last error is set to
INVALID_NAME.tested on QuickZip 4.60 SEH exploit on win10.
after fixing the page loop, we noticed that this was not enough.
the egghunter has to reset
EBXevery loop withXOR EBX, EBXotherwise it will stop at offset 1 of the current page.