ollydbg

Many roads to IAT

Published December 1, 2011 |

A few days ago a friend approached me and asked how he could see the import address table under immunity debugger and if this could be done using the command line.

I figured this would be a good time to take a look at what the IAT is, how we can list the IAT and what common reversing hurdles could be with regards to the IAT.
Continue reading →

Posted in Malware and Reversing | Tagged corelan, iat, ida, immunity, import address directory, import address table, impre, lordpe, monaida-plugin, ollydbg, python, rebuild iat, reconstruct, resetsearchinindex-ps1, restore, reverse, reverse engineering, reversing, view names, windbg

Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR

Published September 21, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

Introduction In all previous tutorials in this Exploit writing tutorial series, we have looked at building exploits that would work on Windows XP / 2003 server. The success of all of these exploits (whether they are based on direct ret overwrite or exception handler structure overwrites) are based on the fact that a reliable return […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged !aslrdynamicbase, 2003, 4141414, 8, access violation, add esp, address space layout randomization, adjust ebp, adjust esi, alwaysoff, alwayson, aslr, before function returns, buffer, buffer overflow, bypass, call, compiler, cookie, data execution prevention, dep, dword ptr, exception handler, exploit, gs, hack, handler, immdbg, immunity, jmp, jump, Kifastsystemcallret, ldrpchecknxcompatibility, linker, loaded module, mov al, moveimages, next seh, non exec, nseh, ntsetinformationprocess, nx, ollydbg, optin, optout, partial overwrite, plugin, prevention, processexecute, protection, protectvirtualmemory, pvefindaddr, pycommand, python, ret2libc, safeseh, saved ebp, saved eip, se handler, se structure, sehop, stack, stack overflow, switch, virtual function call, vista, windbg, windows 7, xd, xp

Exploit writing tutorial part 3b : SEH Based Exploits – just another example

Published July 28, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

In the previous tutorial post, I have explained the basics of SEH based exploits. I have mentioned that in the most simple case of an SEH based exploit, the payload is structured like this : [Junk][next SEH][SEH][Shellcode] I have indicated that SEH needs to be overwritten by a pointer to “pop pop ret” and that […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged bof, buffer, corelan-be-seh, corelan-seh-tutorial, edx, eip, exploit, junk nseh, milw0rm, nseh, ollydbg, overflow, payload, perl, safeseh, seh, shellcode, stack, windbg, xcc

Exploit writing tutorial part 3 : SEH Based Exploits

Published July 25, 2009 |

By Peter Van Eeckhoutte (corelanc0d3r)

In the first 2 parts of the exploit writing tutorial series, I have discussed how a classic stack buffer overflow works and how you can build a reliable exploit by using various techniques to jump to the shellcode. The example we have used allowed us to directly overwrite EIP and we had a pretty large […]

Posted in 001_Security, Exploit Writing Tutorials, Exploits | Tagged !exploitable, buffer, buffer overflow, cygwin, dep, dll modload, exception, exception handler, exploit, exploit laboratory, fs:[0], handler, memdump, msec.dll, msfpescan, next seh, ollydbg, pop pop ret, safeseh, seh, shellcode, stack, stack overflow, teb, tib, windbg

Corelan Cybersecurity Research

:: Knowledge is not an object, it's a flow ::

Many roads to IAT

Exploit writing tutorial part 3b : SEH Based Exploits – just another example

Exploit writing tutorial part 3 : SEH Based Exploits

Corelan Training

Donate

Corelan Team Merchandise

Corelan on Slack

Actions

Categories

Hi there!

We have good news for you!