corelan / mona

Corelan Repository for mona.py
BSD 3-Clause "New" or "Revised" License

Fix egghunter for win10 wow64 #43

Closed phra closed 4 years ago

phra commented 5 years ago

The current egghunter for win10 wow64 fails to loop through the pages. This is due to some missing PUSH EBX (0) before NtAccessCheckAndAuditAlarm. Without them, the syscall always fails and the last error is set to INVALID_NAME. Tested on the QuickZip 4.60 SEH exploit on win10.

After fixing the page loop, we noticed that this was not enough. The egghunter has to reset EBX every loop with XOR EBX, EBX; otherwise it will stop at offset 1 of the current page.

phra commented 4 years ago

any updates? :)

corelanc0d3r commented 4 years ago

Hey - sorry for the feedback, I have not forgotten about this - I will look at the issue and your fix very soon - thank you for your help and contribution! :)