Welcome back, old readers, and hello, new readers! It has been a little over a month since my last blog post. Life is full and keeps me busy! In the last blog post I wrote about encoding function names using a hashing routine. As a reminder, encoding the function names served the purpose of saving space as well as hiding the function names from being stored in an easily detectable string format.
To recap, in the first two shellcoding posts we located EIP/RIP and located the base address of Kernel32. In this post we will discuss encoding, decoding, and storing Win32 function names. It is necessary to cover this topic before covering how to find Win32 API addresses using Assembly, since the techniques that will be discussed use these concepts. The encoding we will use is a type of hashing routine that was originally written by @rick2600 and “tweaked” by Peter Van Eeckhoutte @corelanc0d3r. I originally came across this routine while researching shellcode on the Exploit-DB website.
Before the shellcode will be able to locate or use any Windows APIs, the base address of kernel32.dll must be located. Thankfully there’s a trick for that which has been around for quite some time. The method uses the Win32 Thread Information Block (TIB) to locate the Program Environment Block (PEB), which in turn leads to InInitializationOrderModuleList, a list that contains the base address of kernel32.dll as its second entry.
While studying for my Offensive Security Certified Expert (OSCE) certification I spent a considerable amount of time researching how to author custom shellcode. This is the first of a series of blog posts that I intend to publish detailing some of the techniques that I learned along the way. The focus of this blog post will be to describe how to find EIP/RIP and what you may want to do with it once you have located it. The OSCE focuses solely on 32-bit systems; as part of my continued learning, I will research and document methods that will work on a 64-bit system. This goes beyond what is necessary for the OSCE but is part of my own continued learning process.
Welcome to my new blog! I will occasionally post content here related to things that I find interesting and have researched to some degree. The intent of this blog is to share information and to cement concepts that I have learned. This will be as much for me as it is for anyone reading and learning from it.