
Fix egghunter for win10 wow64 #43

Merged
merged 1 commit into corelan:master from fix/egghunter-win10-wow64 on Jan 8, 2020

Conversation

@phra (Contributor) commented Nov 13, 2019

The current egghunter for win10 wow64 fails to loop through the pages.
This is due to some missing PUSH EBX (0) before NtAccessCheckAndAuditAlarm.
Without them, the syscall always fails and last error is set to INVALID_NAME.
Tested on QuickZip 4.60 SEH exploit on win10.

After fixing the page loop, we noticed that this was not enough.
The egghunter has to reset EBX every loop with XOR EBX, EBX, otherwise it will stop at offset 1 of the current page.

The current egghunter for win10 wow64 fails to loop through the pages.
This is due to some missing PUSH EBX (0) before
NtAccessCheckAndAuditAlarm.
Without them, last error will be set to INVALID_NAME.
Tested on QuickZip 4.60 SEH exploit on win10.

After fixing the page loop, we noticed that this was not enough.
The egghunter has to reset EBX every loop with XOR EBX, EBX,
otherwise it will stop at offset 1 of the current page.
@phra force-pushed the fix/egghunter-win10-wow64 branch from 5ff6382 to 3dc4e2e on Nov 13, 2019
@phra (Contributor, Author) commented Dec 22, 2019

any updates? :)

@corelanc0d3r (Member) commented Dec 22, 2019

hey - sorry for the feedback, I have not forgotten about this - I will look at the issue and your fix very soon - thank you for your help and contribution! :)

@corelanc0d3r merged commit 2afb1e1 into corelan:master on Jan 8, 2020
1 check passed