API tools faq
paste
Advertisement
waliedassar

Wow64SharedInformation vs. Shellcode

waliedassar
Jan 19th, 2013
669
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 2.06 KB | None | 0 0
raw download clone embed print report
  1. //http://waleedassar.blogspot.com/
  2. //http://www.twitter.com/waleedassar
  3.  
  4. //In 64-bit versions of Windows e.g. Win7, the SharedUserData page (_KUSER_SHARED_DATA)
  5. //defines 16 new fields for an array called Wow64SharedInformation. The "Wow64SharedInformation"
  6. //array is found at offset 0x340 from the start of the "SharedUserData" page.
  7.  
  8. ---------------Side Note :) -----------------------------------------------------
  9. //N.B. The "SharedUserData" page exists at address 0x7ffe0000 on all versions of
  10. //windows (exception Win8) no matter how the system is configured.
  11. // e.g. On 32-bit systems    , the page still exists at 0x7ffe0000.
  12. // e.g. On /3GB configuration, the page still exists at 0x7ffe0000.
  13. // e.g. On 64-bit systems    , the page still exists at 0x7ffe0000.
  14. //------------------------------------------------------------------------------
  15.  
  16. //The array fields are as follows:
  17. ------Field-----------              ----Holds address of------
  18. 0:000:x86> dps 7ffe0340
  19. 7ffe0340  ------------------>        ntdll32!LdrInitializeThunk
  20. 7ffe0344  ------------------>        ntdll32!KiUserExceptionDispatcher
  21. 7ffe0348  ------------------>        ntdll32!KiUserApcDispatcher
  22. 7ffe034c  ------------------>        ntdll32!KiUserCallbackDispatcher
  23. 7ffe0350  ------------------>        ntdll32!LdrHotPatchRoutine
  24. 7ffe0354  ------------------>        ntdll32!ExpInterlockedPopEntrySListFault
  25. 7ffe0358  ------------------>        ntdll32!ExpInterlockedPopEntrySListResume
  26. 7ffe035c  ------------------>        ntdll32!ExpInterlockedPopEntrySListEnd
  27. 7ffe0360  ------------------>        ntdll32!RtlUserThreadStart
  28. 7ffe0364  ------------------>        ntdll32!RtlpQueryProcessDebugInformationRemote
  29. 7ffe0368  ------------------>        ntdll32!EtwpNotificationThread
  30. 7ffe036c  ------------------>        BaseAddress of 32-bit ntdll.dll
  31.  
  32.  
  33.  
  34. This should be useful for writing shellcode since you have several functions
  35. entrypoints ready i.e. no need to go through GetProcAddress or LdrGetProcedureAddress.
  36.  
  37. In case this is useful for you, ping me @waleedassar, i am just curious to know.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!