waliedassar

Wow64SharedInformation vs. Shellcode

Jan 19th, 2013
//http://waleedassar.blogspot.com/
//http://www.twitter.com/waleedassar

//In 64-bit versions of Windows, e.g. Win7, the SharedUserData page (_KUSER_SHARED_DATA)
//defines 16 new 32-bit fields for an array called Wow64SharedInformation. The
//"Wow64SharedInformation" array is found at offset 0x340 from the start of the
//"SharedUserData" page, i.e. at 0x7ffe0340 in user mode.

---------------Side Note :) -----------------------------------------------------
//N.B. The "SharedUserData" page exists at address 0x7ffe0000 on all versions of
//Windows (Win8 excepted) no matter how the system is configured.
// e.g. On 32-bit systems    , the page still exists at 0x7ffe0000.
// e.g. On /3GB configuration, the page still exists at 0x7ffe0000.
// e.g. On 64-bit systems    , the page still exists at 0x7ffe0000.
//------------------------------------------------------------------------------

//The first 12 entries of the array, as dumped from a 32-bit process under WOW64
//(note the 0:000:x86> prompt), are as follows:
------Field-----------              ----Holds address of------
0:000:x86> dps 7ffe0340
7ffe0340  ------------------>        ntdll32!LdrInitializeThunk
7ffe0344  ------------------>        ntdll32!KiUserExceptionDispatcher
7ffe0348  ------------------>        ntdll32!KiUserApcDispatcher
7ffe034c  ------------------>        ntdll32!KiUserCallbackDispatcher
7ffe0350  ------------------>        ntdll32!LdrHotPatchRoutine
7ffe0354  ------------------>        ntdll32!ExpInterlockedPopEntrySListFault
7ffe0358  ------------------>        ntdll32!ExpInterlockedPopEntrySListResume
7ffe035c  ------------------>        ntdll32!ExpInterlockedPopEntrySListEnd
7ffe0360  ------------------>        ntdll32!RtlUserThreadStart
7ffe0364  ------------------>        ntdll32!RtlpQueryProcessDebugInformationRemote
7ffe0368  ------------------>        ntdll32!EtwpNotificationThread
7ffe036c  ------------------>        BaseAddress of 32-bit ntdll.dll


This should be useful for writing shellcode, since several function entry points in the
32-bit ntdll.dll (plus its base address) are available at a fixed address, i.e. there is
no need to go through GetProcAddress or LdrGetProcedureAddress, or to walk the PEB and the
ntdll export table.
//Caveat: the array is only meaningful under WOW64, i.e. for 32-bit code running on 64-bit
//Windows, and the slot layout above is the one observed in this dump. Shellcode that relies
//on it should sanity-check the entries (non-zero, with the function slots above the ntdll
//base held in the last slot) and fall back to the usual export-table walk if the check fails.

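As an added example, not code from the original paste, the following C reads the array the way position-independent 32-bit shellcode would (a 32-bit build on Windows reads the live page at 0x7ffe0340) and applies the sanity check before trusting the shortcut. The slot offset and indices come from the dump above; everything else is an assumption made for an offline run: when not built as 32-bit Windows code it uses a constructed page image, with a hypothetical ntdll32 base of 0x77130000 and made-up per-slot RVAs, not values from any real system.

```c
/* Reading Wow64SharedInformation with a sanity check (example code, not from the paste). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SHARED_USER_DATA_BASE     0x7ffe0000u   /* user-mode address of _KUSER_SHARED_DATA */
#define WOW64_SHARED_INFO_OFFSET  0x340u        /* Wow64SharedInformation[16], per the dump */
#define WOW64_SHARED_INFO_USED    12u           /* slots populated in the dump above */

/* Index of each populated slot, in the order shown by "dps 7ffe0340". */
enum wow64_slot {
    SLOT_LdrInitializeThunk = 0,
    SLOT_KiUserExceptionDispatcher,
    SLOT_KiUserApcDispatcher,
    SLOT_KiUserCallbackDispatcher,
    SLOT_LdrHotPatchRoutine,
    SLOT_ExpInterlockedPopEntrySListFault,
    SLOT_ExpInterlockedPopEntrySListResume,
    SLOT_ExpInterlockedPopEntrySListEnd,
    SLOT_RtlUserThreadStart,
    SLOT_RtlpQueryProcessDebugInformationRemote,
    SLOT_EtwpNotificationThread,
    SLOT_Ntdll32Base
};

/* Little-endian 32-bit accessors; bytewise so the helpers also work on an offline copy. */
uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Slot i of the array inside a page image (real page or constructed copy). */
uint32_t wow64_shared_entry(const uint8_t *page, unsigned i)
{
    return get_le32(page + WOW64_SHARED_INFO_OFFSET + 4u * i);
}

/* Sanity check before shellcode trusts the shortcut: the ntdll base slot must be
 * non-zero and 64 KiB aligned (image bases follow the allocation granularity), and
 * every function slot must be non-zero and above that base. Returns 1 when the array
 * matches the dumped layout, 0 when shellcode should fall back to a PEB/export walk. */
int wow64_shared_looks_valid(const uint8_t *page)
{
    uint32_t base = wow64_shared_entry(page, SLOT_Ntdll32Base);
    unsigned i;
    if (base == 0 || (base & 0xffffu) != 0)
        return 0;
    for (i = 0; i < SLOT_Ntdll32Base; i++) {
        uint32_t fn = wow64_shared_entry(page, i);
        if (fn == 0 || fn <= base)
            return 0;
    }
    return 1;
}

/* Constructed page image (NOT a real dump): ntdll32 at a hypothetical base, with the
 * eleven function slots given distinct made-up RVAs of 0x1000 * (slot + 1). */
void build_sample_page(uint8_t *page, uint32_t ntdll_base)
{
    unsigned i;
    memset(page, 0, 0x400);
    for (i = 0; i < SLOT_Ntdll32Base; i++)
        put_le32(page + WOW64_SHARED_INFO_OFFSET + 4u * i, ntdll_base + 0x1000u * (i + 1));
    put_le32(page + WOW64_SHARED_INFO_OFFSET + 4u * SLOT_Ntdll32Base, ntdll_base);
}

int main(void)
{
    unsigned i;
#if defined(_WIN32) && !defined(_WIN64)
    /* 32-bit build on Windows: read the live page, exactly as shellcode would. */
    const uint8_t *page = (const uint8_t *)(uintptr_t)SHARED_USER_DATA_BASE;
#else
    static uint8_t image[0x400];
    build_sample_page(image, 0x77130000u);      /* hypothetical ntdll32 base */
    const uint8_t *page = image;
#endif
    if (!wow64_shared_looks_valid(page)) {
        puts("Wow64SharedInformation not usable here: fall back to a PEB/export-table walk");
        return 1;
    }
    for (i = 0; i < WOW64_SHARED_INFO_USED; i++)
        printf("%08x  %08x\n", SHARED_USER_DATA_BASE + WOW64_SHARED_INFO_OFFSET + 4u * i,
               wow64_shared_entry(page, i));
    return 0;
}
```

Built as a 32-bit Windows executable the program prints the same twelve pairs `dps 7ffe0340` shows (addresses and values); anywhere else it prints the constructed image. The check is deliberately cheap: it is what a shellcode stub can afford before deciding between the fixed-address shortcut and the slower export-table walk.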
If this is useful to you, ping me @waleedassar; I am just curious to know.