Didier Stevens posted an entry about some interesting stuff he found in a shellcode, so I thought I'd share my little story:
I was analysing a Word exploit when I came across the following code (written in pseudocode, because I can't find the file right now):
HANDLE h = 0;
while (GetFileSize(h, NULL) != 1234) {   /* 1234 = size of the .doc file */
    h = (HANDLE)((ULONG_PTR)h + 4);      /* Win32 handles are multiples of 4 */
}
How does this code work? First of all, 1234 was the size of the .doc file. In Windows, handles are always multiples of 4. So this iterates over all possible handles until it finds the handle it was opened with, and can read the next stage code from there.
Nifty!
I found the same handle brute-forcing technique in the second-stage shellcode of a malicious PDF document. But the malware author allowed for a certain size range, let's say the PDF document had to be between 10.000 and 10.100 bytes. It's hard to predict the final size of a PDF document if it's saved in the default way (/FlateDecode: compressed with zlib).
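As an added example (not code from the original comment or from Didier's reply), here is a POSIX analogue of the handle brute-force loop, combined with the size-range variant from the PDF case: fstat() stands in for GetFileSize(), descriptors are stepped by 1 instead of 4, and find_fd_by_size, demo, MAX_FD and the temporary file of known size are my own constructions.

```c
/* Added example, not code from the original post or comment: a POSIX
 * analogue of the handle brute-force loop. fstat() stands in for
 * GetFileSize() and descriptors are stepped by 1 (Win32 handles step
 * by 4); the [lo, hi] range mirrors the PDF case. The temp file of
 * known size is constructed input. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

#define MAX_FD 4096  /* search bound, chosen for the demo */

/* Return the lowest open descriptor that refers to a regular file whose
 * size lies in [lo, hi], or -1 if none exists below MAX_FD. */
int find_fd_by_size(off_t lo, off_t hi) {
    struct stat st;
    for (int fd = 0; fd < MAX_FD; fd++) {
        /* fstat() fails (EBADF) on values that are not open descriptors,
         * just as GetFileSize() fails on values that are not handles */
        if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
            continue;
        if (st.st_size >= lo && st.st_size <= hi)
            return fd;
    }
    return -1;
}

/* Create an unlinked temp file of `size` bytes (constructed input), keep it
 * open, and check that the size-range search recovers its descriptor.
 * Returns 1 on success, 0 if a different fd is found, -1 on setup error. */
int demo(off_t size) {
    char path[] = "/tmp/handle_bf_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                           /* reachable only via fd now */
    if (ftruncate(fd, size) != 0) { close(fd); return -1; }
    int found = find_fd_by_size(size, size + 100);  /* 100-byte window */
    close(fd);
    return found == fd;
}

int main(void) {
    printf("search recovered the fd: %s\n", demo(10057) == 1 ? "yes" : "no");
    return 0;
}
```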