Overflow Protection in Windows XP SP2
Funnywei & jerry
When we write exploits for overflow vulnerabilities, we often rely on global pointers used in exception handling. XP SP2 addresses exactly this: for example, all such global pointers are now encoded, so our previous techniques can no longer finish the job.
This article focuses on the following points:
1. The starting address at which the PEB management structure is mapped is randomized. We will see later that this randomization is very weak, but it is enough to keep an exploit from completing or from working stably.
2. Top-level SEH protection
3. Protection of the VEH list pointer _RtlpCalloutEntryList
4. Cookie protection for heap block structures
Not covered:
1. How to bypass these protection mechanisms
2. The details of heap management, which have not changed much
Main text:
1. Randomized PEB addresses
In XP, process creation uses _NtCreateProcessEx rather than _NtCreateProcess; it mainly calls _PspCreateProcess@36 to create the process.
PAGE:004B4649 call _PspCreateProcess@36 ; PspCreateProcess(x,x)
Process creation mainly consists of setting up the EPROCESS and creating the initial process address space; we will not dwell on that here. It then calls _MmCreatePeb to set up the PEB.
PAGE:004B428E push eax
PAGE:004B428F push ebx
PAGE:004B4290 push dword ptr [ebp-60h]
PAGE:004B4293 call _MmCreateProcessAddressSpace@12 ; MmCreateProcessAddressSpace(x,x,x)
PAGE:004B43E5 lea eax, [ebx+1B0h]
PAGE:004B43EB push eax
PAGE:004B43EC lea eax, [ebp-40h]
PAGE:004B43EF push eax
PAGE:004B43F0 push ebx
PAGE:004B43F1 call _MmCreatePeb@12 ; MmCreatePeb(x,x,x)
MmCreatePeb in turn mainly calls _MiCreatePebOrTeb:
PAGE:004B4A61 ; __stdcall MmCreatePeb(x,x,x)
PAGE:004B4A61 _MmCreatePeb@12 proc near ; CODE XREF: PspCreateProcess(x,x)+303p
PAGE:004B4A61
PAGE:004B4A61 ; FUNCTION CHUNK AT PAGE:005267FF SIZE 00DC BYTES
PAGE:004B4A61
PAGE:004B4A61 push 3Ch
PAGE:004B4A63 push offset dword_42DAA8
PAGE:004B4A68 call _SEH_prolog
PAGE:004B4A6D xor ebx, ebx
PAGE:004B4A6F mov [ebp-20h], ebx
PAGE:004B4A72 mov [ebp-4Ch], ebx
PAGE:004B4A75 mov [ebp-48h], ebx
PAGE:004B4A78 mov [ebp-2Ch], ebx
PAGE:004B4A7B mov esi, [ebp+8]
PAGE:004B4A7E push esi
PAGE:004B4A7F call _KeAttachProcess@4 ; KeAttachProcess(x)
PAGE:004B4A84 push 2
PAGE:004B4A86 pop edi
PAGE:004B4A87 push edi
PAGE:004B4A88 push (offset loc_4FFFFE+2)
PAGE:004B4A8D push 1
PAGE:004B4A8F lea eax, [ebp-2Ch]
PAGE:004B4A92 push eax
PAGE:004B4A93 lea eax, [ebp-4Ch]
PAGE:004B4A96 push eax
PAGE:004B4A97 push ebx
PAGE:004B4A98 push ebx
PAGE:004B4A99 lea eax, [ebp-20h]
PAGE:004B4A9C push eax
PAGE:004B4A9D push esi
PAGE:004B4A9E push ds:_InitNlsSectionPointer
PAGE:004B4AA4 call _MmMapViewOfSection@40 ; MmMapViewOfSection(x,x)
PAGE:004B4AA9 mov [ebp-24h], eax
PAGE:004B4AAC cmp eax, ebx
PAGE:004B4AAE jl loc_5267FF
PAGE:004B4AB4 lea eax, [ebp-1Ch]
Note that the 210 parameter below acts like a flag. Later you will see that if this parameter is not equal to 210, the mapped PEB address does not receive a random value but stays the same as before,