
Windows user-mode exploitation trick – refreshing the main process heap

This post is not available in Polish!

{ 1 } Comments

  1. hansraj rai | 28-Jul-17 at 08:28:54

    I know this is off topic, but I didn't know how to contact you. I am a big fan of yours and would love to learn from you and someday become an exploit dev pro in India. I've been trying to create a ROP chain for Windows 8, but it seems like a really challenging task.

    They say that for a use-after-free I should create a string object of the size of the item freed, then put the address of a stack pivot instruction like xchg esp, eax etc.,
    then put the arguments to VirtualProtect at the saved stack pointer, like
    mov [eax], edx; then decrement eax by 4. Basically this is the method taught by
    Dan Rosenberg, but I don't know how to get the address of the heap (where my shellcode is) onto the stack. Could you please help me understand this? Maybe you can point me in the right direction.

    Regards,
    Hansraj Rai
