Fix egghunter for win10 wow64 #43

Open
wants to merge 1 commit into
base: master
from

Conversation

phra commented Nov 13, 2019

the current egghunter for win10 wow64 fails to loop through the pages.
this is due to some missing PUSH EBX (0) before NtAccessCheckAndAuditAlarm.
without them, the syscall always fails and last error is set to INVALID_NAME.
tested on QuickZip 4.60 SEH exploit on win10.

after fixing the page loop, we noticed that this was not enough.
the egghunter has to reset EBX every loop with XOR EBX, EBX otherwise it will stop at offset 1 of the current page.

the current egghunter for win10 wow64 fails to loop through the pages.
this is due to some missing PUSH EBX (0) before
NtAccessCheckAndAuditAlarm.
without them, last error will be set to INVALID_NAME.
tested on QuickZip 4.60 SEH exploit on win10.

after fixing the page loop, we noticed that this was not enough.
the egghunter has to reset EBX every loop with XOR EBX, EBX,
otherwise it will stop at offset 1 of the current page.
@phra phra force-pushed the phra:fix/egghunter-win10-wow64 branch from 5ff6382 to 3dc4e2e Nov 13, 2019