Changeset 4111


Timestamp:
12/09/09 01:28:28 (3 years ago)
Author:
sam
Message:

Try to work around the Vista ASLR feature by retrieving the executable's
base address once it is loaded in memory.

File:
1 edited

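--- a/zzuf/trunk/src/zzuf.c
+++ b/zzuf/trunk/src/zzuf.c
@@ -45,4 +45,6 @@
 #if defined HAVE_WINDOWS_H
 #   include <windows.h>
+#   include <imagehlp.h>
+#   include <tlhelp32.h>
 #endif
 #if defined HAVE_IO_H
@@ -122,5 +124,6 @@
 #if defined HAVE_WINDOWS_H
 static int dll_inject(void *, void *);
-static void *get_entry(char const *);
+static intptr_t get_base_address(DWORD);
+static intptr_t get_entry_point_offset(char const *);
 #endif
 static void finfo(FILE *, struct opts *, uint32_t);
@@ -1089,9 +1092,4 @@
     pid = GetCurrentProcess();
 
-    /* Get entry point */
-    epaddr = get_entry(opts->newargv[0]);
-    if(!epaddr)
-        return -1;
-
     memset(&sinfo, 0, sizeof(sinfo));
     sinfo.cb = sizeof(sinfo);
@@ -1106,4 +1104,10 @@
                         CREATE_SUSPENDED, NULL, NULL, &sinfo, &pinfo);
     if(!ret)
+        return -1;
+
+    /* Get the child process's entry point address */
+    epaddr = (void *)(get_base_address(pinfo.dwProcessId)
+                       + get_entry_point_offset(opts->newargv[0]));
+    if(!epaddr)
         return -1;
 
@@ -1198,9 +1202,33 @@
 }
 
-static void *get_entry(char const *name)
+/* Find the process's base address once it is loaded in memory (the header
+ * information is unreliable because of Vista's ASLR). */
+static intptr_t get_base_address(DWORD pid)
+{
+    MODULEENTRY32 entry;
+    intptr_t ret = 0;
+    void *list;
+    int k;
+
+    list = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
+    entry.dwSize = sizeof(entry);
+    for(k = Module32First(list, &entry); k; k = Module32Next(list, &entry))
+    {
+        /* FIXME: how do we select the correct module? */
+        ret = (intptr_t)entry.modBaseAddr;
+    }
+    CloseHandle(list);
+
+    return ret;
+}
+
+/* Find the process's entry point address offset. The information is in
+ * the file's PE header. */
+static intptr_t get_entry_point_offset(char const *name)
 {
     PIMAGE_DOS_HEADER dos;
     PIMAGE_NT_HEADERS nt;
-    void *file, *map, *base, *ret = NULL;
+    intptr_t ret = 0;
+    void *file, *map, *base;
 
     file = CreateFile(name, GENERIC_READ, FILE_SHARE_READ,
@@ -1232,6 +1260,5 @@
       && nt->OptionalHeader.Magic == 0x10b /* IMAGE_NT_OPTIONAL_HDR32_MAGIC */)
     {
-        ret = (void *)(uintptr_t)(nt->OptionalHeader.ImageBase +
-                                  nt->OptionalHeader.AddressOfEntryPoint);
+        ret = (intptr_t)nt->OptionalHeader.AddressOfEntryPoint;
     }
 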
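Review bot: The guard `if(!epaddr)` after the new sum at lines 1109–1111 only catches the case where both `get_base_address()` and `get_entry_point_offset()` return 0; each helper signals failure with 0, so a failed base added to a valid offset (or the reverse) is nonzero, passes the check, and the injector proceeds with a bogus entry point address. Keep the two results in separate intptr_t locals and reject each before adding them, as below (the declarations belong at the top of the enclosing function, which starts and ends outside the hunk). get_base_address() also never checks the snapshot handle: CreateToolhelp32Snapshot returns INVALID_HANDLE_VALUE on failure and that value goes straight into Module32First, so add `if(list == INVALID_HANDLE_VALUE) return 0;` before the loop. The loop keeps the base of whichever module is enumerated last (the FIXME at 1217 concedes the selection is arbitrary); comparing `entry.szExePath` with the executable's path would pin the right module, and since the child is created CREATE_SUSPENDED the module list may not be populated yet, so an empty enumeration should be treated and reported as a failure rather than silently yielding 0.
```c
    /* Get the child process's entry point address; both helpers return 0
     * on failure, so test them separately before adding them together */
    base = get_base_address(pinfo.dwProcessId);
    offset = get_entry_point_offset(opts->newargv[0]);
    if(!base || !offset)
        return -1;
    epaddr = (void *)(base + offset);
    /* … unchanged: rest of the injection path … */
```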