Security Basics mailing list archives

Windows shellcode


From: Robert Larsen <robert () the-playground dk>
Date: Thu, 07 Jun 2012 16:57:35 +0200

Hi all

I'm trying to get my head around Skape's Windows shellcoding paper and
things are looking well.

Except for one thing...finding kernel32.dll using the PEB.

While reading the assembly I follow the definition of the structures on
MSDN and one of them, PEB_LDR_DATA, doesn't quite match the code.

The code (skipping the Windows 9x version) begins with:

find_kernel_32:
    push esi                ;Preserve esi for the caller
    xor  eax, eax           ;eax = 0 (so fs:[eax+0x30] reads fs:[0x30])
    mov  eax, fs:[eax+0x30] ;Address of PEB
    mov  eax, [eax+0x0c]    ;Address of LDR (PEB.Ldr)
    mov  esi, [eax+0x1c]    ;Supposedly address of first entry

The last one is the one I am having trouble with because MSDN says that
the LDR looks like this:

typedef struct _PEB_LDR_DATA {
  BYTE       Reserved1[8];
  PVOID      Reserved2[3];
  LIST_ENTRY InMemoryOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;

typedef struct _LIST_ENTRY {
   struct _LIST_ENTRY *Flink;
   struct _LIST_ENTRY *Blink;
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;

I would think that the InMemoryOrderModuleList entry (and thus the Flink
pointer) is located 20 bytes (0x14) down...below an array of eight
bytes + an array of three pointers. So why load [eax+0x1c] into esi?
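The offset arithmetic in the post can be checked without a Windows box. The following is an added example written for this archive page; it is not the poster's code nor Skape's. It reproduces the PEB_LDR_DATA layout exactly as the quoted MSDN definition gives it, and beside it the same 0x1c bytes with the member names that the reserved fields stand for (Length, Initialized, SsHandle and InLoadOrderModuleList precede InMemoryOrderModuleList, and InInitializationOrderModuleList follows it at 0x1c). Pointers are modelled as 4-byte integers into a constructed byte array standing in for 32-bit process memory, so it compiles and runs on any host. The module entry type TOY_MODULE_ENTRY and the three module names are hypothetical, constructed only to show how a list head in the LDR threads through the LIST_ENTRY embedded in each module entry and why the entry base must be recovered by subtracting that embedded offset (the CONTAINING_RECORD step). Knowing which list head sits at which offset is also what lets an analyst recognise this kind of loader walk when reading unknown code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not from the post or Skape's paper): model the 32-bit loader
 * structures on any host. Pointers are 4-byte integers into a constructed
 * byte array that stands in for process memory; nothing here touches a real
 * PEB. */

typedef uint32_t PTR32;                        /* a 32-bit PVOID */
typedef struct { PTR32 Flink, Blink; } LIST_ENTRY32;

/* PEB_LDR_DATA exactly as MSDN documents it (quoted in the post). */
typedef struct {
    uint8_t      Reserved1[8];
    PTR32        Reserved2[3];
    LIST_ENTRY32 InMemoryOrderModuleList;
} PEB_LDR_DATA_MSDN;

/* The same bytes with the members the reserved fields stand for, followed by
 * the third list head, which is what offset 0x1c lands on. */
typedef struct {
    uint32_t     Length;                           /* 0x00 */
    uint8_t      Initialized, Pad[3];              /* 0x04 */
    PTR32        SsHandle;                         /* 0x08 */
    LIST_ENTRY32 InLoadOrderModuleList;            /* 0x0c */
    LIST_ENTRY32 InMemoryOrderModuleList;          /* 0x14 */
    LIST_ENTRY32 InInitializationOrderModuleList;  /* 0x1c */
} PEB_LDR_DATA_FULL;

size_t ldr_off_memory_order(void) { return offsetof(PEB_LDR_DATA_MSDN, InMemoryOrderModuleList); }
size_t ldr_off_init_order(void)   { return offsetof(PEB_LDR_DATA_FULL, InInitializationOrderModuleList); }

/* Constructed, simplified module entry (hypothetical; not the real
 * LDR_DATA_TABLE_ENTRY). Each list head in the LDR threads through the
 * matching LIST_ENTRY embedded in every module entry. */
typedef struct {
    LIST_ENTRY32 InLoadOrderLinks;             /* 0x00 */
    LIST_ENTRY32 InMemoryOrderLinks;           /* 0x08 */
    LIST_ENTRY32 InInitializationOrderLinks;   /* 0x10 */
    char         Name[16];                     /* 0x18 */
} TOY_MODULE_ENTRY;

static uint8_t mem[0x400];                     /* constructed address space */
static uint32_t rd32(uint32_t a) { uint32_t v; memcpy(&v, mem + a, 4); return v; }
static void     wr32(uint32_t a, uint32_t v) { memcpy(mem + a, &v, 4); }

/* Link a circular doubly linked list: the head at `head`, then the LIST_ENTRY
 * at entries[i] + link_off for each entry, in the given order. */
static void link_list(uint32_t head, const uint32_t *entries, int n, size_t link_off)
{
    uint32_t prev = head;
    for (int i = 0; i < n; i++) {
        uint32_t cur = entries[i] + (uint32_t)link_off;
        wr32(prev, cur);          /* prev->Flink = cur */
        wr32(cur + 4, prev);      /* cur->Blink  = prev */
        prev = cur;
    }
    wr32(prev, head);             /* close the ring */
    wr32(head + 4, prev);
}

/* Build a fake loader state and return the "address" of PEB_LDR_DATA. The
 * memory-order list and the initialization-order list hold the same three
 * constructed modules in different (constructed) orders. */
uint32_t build_fake_loader(void)
{
    const uint32_t ldr = 0x100;
    const uint32_t e[3] = { 0x200, 0x240, 0x280 };
    const char *names[3] = { "module0.exe", "module1.dll", "module2.dll" };
    memset(mem, 0, sizeof mem);
    for (int i = 0; i < 3; i++)
        strncpy((char *)mem + e[i] + offsetof(TOY_MODULE_ENTRY, Name), names[i], 16);
    link_list(ldr + (uint32_t)ldr_off_memory_order(), e, 3,
              offsetof(TOY_MODULE_ENTRY, InMemoryOrderLinks));
    const uint32_t init_order[3] = { e[1], e[2], e[0] };
    link_list(ldr + (uint32_t)ldr_off_init_order(), init_order, 3,
              offsetof(TOY_MODULE_ENTRY, InInitializationOrderLinks));
    return ldr;
}

/* Walk one of the LDR lists. `list_off` is the offset of the list head inside
 * PEB_LDR_DATA (the 0x14 / 0x1c discussed in the post); `link_off` is where
 * that list's LIST_ENTRY sits inside each module entry. Every Flink points at
 * the embedded LIST_ENTRY, not at the entry itself, so the entry base is
 * Flink minus link_off (the CONTAINING_RECORD step). Returns the count. */
int walk_ldr_list(uint32_t ldr, size_t list_off, size_t link_off, char out[][16], int max)
{
    uint32_t head = ldr + (uint32_t)list_off;
    uint32_t link = rd32(head);                /* head.Flink */
    int n = 0;
    while (link != head && n < max) {
        uint32_t base = link - (uint32_t)link_off;
        memcpy(out[n++], mem + base + offsetof(TOY_MODULE_ENTRY, Name), 16);
        link = rd32(link);                     /* follow Flink */
    }
    return n;
}
```

Running `walk_ldr_list` with `list_off` 0x14 and 0x1c against the same fake LDR yields the same three modules in two different orders, which is the concrete difference between the two offsets: the arithmetic in the post (8 + 3*4 = 0x14) is right for InMemoryOrderModuleList, and 0x1c is simply the next list head after it.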
