LDE (Length Disassembler Engine).
Determines instruction length by means of the processor itself. For example, the opcode 0F FF (0xFF0F read as a little-endian word) has a ModR/M byte:
0F FF 05 DISP32 - 7 bytes.
http://indy-vx.narod.ru/Bin/LDE.zip
http://rootkits.su/index.php/topic,60.15.html
Welcome to the new Woodmann RCE Messageboards Regroupment
Real LDE.
It determines the actual length, even for non-existent instructions. No tables: the instruction is run on a page boundary. Even privileged ones.
Other engines use opcode tables. That makes it impossible to determine the length of instructions that are not described in the tables. For the kernel this engine is unnecessary; there one simply handles the faults, with no SS/ESP adjustment.
To port it to a different platform (e.g. x64) there is no need to compose new tables.
As an example, try to determine (with bea, z0mbie, etc.) the size of 0F FF 05 =)
The code is not dangerous; the opcode does not matter. The code comes down to corrections for bugs in the kernel.
There is only one problem with SEH: NX. Solved as follows: http://www.woodmann.com/forum/showthread.php?14007-PoC-Hiding-the-caller.&daysprune=365
evlncrn8
sidt fword ptr ss:[esp + eax + 0x100]
0F 01 8C 04 00 01 00 00, returns 8
sgdt fword ptr ds:[edi + esi - 1]
0F 01 44 37 FF, returns 5.
Tracing is used to check that the instruction executed successfully.
Give an example of dangerous code.
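The page-boundary trick Indy describes (no opcode tables, let the CPU fault while fetching the bytes it still needs, single-step to see that the instruction actually completed), written out as an added example. This is not code from the thread and not Indy's LDE: it is a Linux x86-64 C probe with names of its own (probe_setup, cpu_insn_length, INSN_*), and it detects success with a single-step trap armed by a popfq placed immediately in front of the candidate bytes instead of a SEH handler. The instruction vectors are constructed for this example; the thread's sidt [esp+eax+0x100] is replaced by lgdt with the same ModR/M, SIB and disp32 shape, because sidt would write ten bytes through whatever rax happens to hold, while lgdt faults with #GP in ring 3 before touching memory. The thread's 0F FF 05 disp32 case is probed too, but its result is CPU-dependent (2 bytes on CPUs that treat 0F FF as a bare UD0, 7 where the ModR/M is decoded), so it is only printed.

```c
/* Added example (not from the thread, not Indy's LDE): length of an x86-64
 * instruction as decided by the CPU itself.  Linux, gcc or clang, no flags.
 * Probe page (RX): ... CC CC 9D [b0 .. b(k-1)] | guard page (PROT_NONE)
 * For k = 1..n only the first k bytes precede the boundary.  If the CPU needs
 * more, it faults while fetching: SIGSEGV with si_addr == guard, RIP == probe.
 * Any other outcome (single-step SIGTRAP, #UD -> SIGILL, #GP -> SIGSEGV with
 * si_addr == 0) means the instruction decoded completely, so the length is k.
 * The 9D (popfq) in front loads an RFLAGS copy with TF set, so a probe that
 * runs cleanly ends in one single-step trap instead of entering the guard. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>
#ifndef REG_RIP
#define REG_RIP 16 /* glibc x86-64 gregs[] index; hidden unless _GNU_SOURCE was set first */
#endif

typedef struct { int len; int sig; } probe_result; /* len == -1: CPU wanted more than n bytes */
static sigjmp_buf g_jmp;
static volatile int g_sig;
static volatile uintptr_t g_fault_addr, g_rip; /* si_addr and RIP captured by the handler */
static uint8_t *g_region;                      /* probe page immediately followed by the guard page */
static long g_page;

static void on_signal(int sig, siginfo_t *si, void *ctx)
{
    g_sig = sig;
    g_fault_addr = (uintptr_t)si->si_addr;
    g_rip = (uintptr_t)((ucontext_t *)ctx)->uc_mcontext.gregs[REG_RIP];
    siglongjmp(g_jmp, 1); /* abandon the probe and resume in cpu_insn_length */
}

static int probe_setup(void) /* map the two pages and hook every signal a probe can raise */
{
    if (g_region) return 0;
    g_page = sysconf(_SC_PAGESIZE);
    uint8_t *r = mmap(NULL, 2 * g_page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (r == MAP_FAILED || mprotect(r + g_page, g_page, PROT_NONE) != 0) return -1;
    struct sigaction sa = { 0 };
    sa.sa_sigaction = on_signal;
    sa.sa_flags = SA_SIGINFO | SA_NODEFER;
    const int sigs[] = { SIGSEGV, SIGBUS, SIGILL, SIGTRAP, SIGFPE };
    for (size_t i = 0; i < sizeof sigs / sizeof sigs[0]; i++)
        if (sigaction(sigs[i], &sa, NULL) != 0) return -1;
    g_region = r;
    return 0;
}

__attribute__((noreturn)) static void exec_at(const uint8_t *entry) /* push RFLAGS|TF, jump to the popfq */
{
    __asm__ volatile("pushfq\n\torq $0x100, (%%rsp)\n\tjmp *%0" : : "r"(entry) : "memory", "cc");
    __builtin_unreachable(); /* every probe ends in a signal handled above */
}

static probe_result cpu_insn_length(const uint8_t *bytes, size_t n)
{
    probe_result r = { -1, 0 };
    if (probe_setup() != 0 || n == 0 || n > 15) return r; /* 15 = architectural maximum */
    const uintptr_t guard = (uintptr_t)g_region + g_page;
    for (volatile int k = 1; k <= (int)n; k++) {
        uint8_t *probe = g_region + g_page - k;
        if (mprotect(g_region, g_page, PROT_READ | PROT_WRITE) != 0) return r;
        memset(g_region, 0xCC, g_page); /* int3 filler: a stray branch lands on a trap */
        probe[-1] = 0x9D;               /* popfq: arms single-step for the probe alone */
        memcpy(probe, bytes, k);        /* byte k+1 would fall inside the guard page */
        if (mprotect(g_region, g_page, PROT_READ | PROT_EXEC) != 0) return r;
        g_sig = 0;
        if (sigsetjmp(g_jmp, 1) == 0) exec_at(probe - 1);
        /* fetch fault on the guard with RIP still at the probe: the CPU wanted byte k+1 */
        if (g_sig == SIGSEGV && g_fault_addr == guard && g_rip == (uintptr_t)probe) continue;
        r.len = k;
        r.sig = g_sig;
        return r;
    }
    return r;
}

/* Constructed vectors: each alters at most a caller-saved register or faults before any access. */
static const uint8_t INSN_NOP[]     = { 0x90 };
static const uint8_t INSN_LEA[]     = { 0x48, 0x8D, 0x84, 0x04, 0x00, 0x01, 0x00, 0x00 }; /* lea rax,[rsp+rax+0x100] */
static const uint8_t INSN_MOVABS[]  = { 0x48, 0xB8, 0x88, 0x77, 0x66, 0x55, 0x44, 0x33, 0x22, 0x11 }; /* mov rax,imm64 */
static const uint8_t INSN_LONGNOP[] = { 0x66, 0x66, 0x2E, 0x0F, 0x1F, 0x84, 0, 0, 0, 0, 0 };          /* 11-byte nop */
static const uint8_t INSN_HLT[]     = { 0xF4 };                                           /* privileged: #GP in ring 3 */
static const uint8_t INSN_LGDT[]    = { 0x0F, 0x01, 0x94, 0x04, 0x00, 0x01, 0x00, 0x00 }; /* lgdt [rsp+rax+0x100]: #GP */
static const uint8_t INSN_UD0[]     = { 0x0F, 0xFF, 0x05, 0, 0, 0, 0 };                   /* the thread's 0F FF 05 disp32 */

int main(void)
{
    struct { const char *name; const uint8_t *b; size_t n; } v[] = {
        { "nop", INSN_NOP, sizeof INSN_NOP }, { "lea", INSN_LEA, sizeof INSN_LEA },
        { "movabs", INSN_MOVABS, sizeof INSN_MOVABS }, { "11-byte nop", INSN_LONGNOP, sizeof INSN_LONGNOP },
        { "hlt", INSN_HLT, sizeof INSN_HLT }, { "lgdt", INSN_LGDT, sizeof INSN_LGDT },
        { "0F FF 05 disp32 (CPU-dependent)", INSN_UD0, sizeof INSN_UD0 } };
    for (size_t i = 0; i < sizeof v / sizeof v[0]; i++) {
        probe_result r = cpu_insn_length(v[i].b, v[i].n);
        printf("%-32s len=%2d  ended by %s\n", v[i].name, r.len, r.len < 0 ? "(more bytes needed)" : strsignal(r.sig));
    }
    return 0;
}
```

Build with cc -O2 probe.c and run it on bare Linux x86-64 (a ptrace-based sandbox would intercept the SIGTRAP). Two things the classification relies on: a fault raised while fetching the instruction reports RIP at the start of that instruction with si_addr on the guard page, whereas an instruction that ran and then stumbled into the guard page reports RIP on the guard page itself, and the single-step trap from the popfq fires before any fetch of the next instruction. A complete instruction whose memory operand happens to point at the guard page would look like a straddle; reading bit 4 (I/D) of uc_mcontext.gregs[REG_ERR] separates a fetch fault from a data access when NX is in force. None of this makes executing unknown bytes safe, which is the point evlncrn8 raises: a branch or a store in the probe still executes, the int3 filler only catches the branch, and the vectors above were chosen so that nothing leaves the probe beyond a caller-saved register. The page needs PROT_EXEC to be executed at all, which is the NX problem Indy mentions for the SEH-based version; here it is handled by flipping the page between RW and RX around each probe.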
Really? Executing 'unknown' code can be dangerous.

mov Seed,2                              ; fixed seed, so the run is reproducible
Next:
lea edi,Buffer                          ; destination: the buffer the LDE is pointed at
lea ebx,[esi + MAX_INSTRUCTION_LENGTH]  ; fill up to one maximal instruction past esi
.repeat
invoke RtlRandom, addr Seed             ; ntdll PRNG, advances Seed in place
mov eax,Seed
stosd                                   ; store four random bytes, advance edi
.until Edi >= Ebx
inc Iters                               ; count iterations of the fuzz loop
invoke LDE, RegionBase, Esi             ; measure the random bytes with the engine