xct's notes
Windows ROP
General
VirtualAlloc Shellcode with RWX
VirtualAlloc can allocate new memory or change the protection of an existing region (by re-committing it with a different flProtect).
LPVOID WINAPI VirtualAlloc(
  _In_opt_ LPVOID lpAddress,
  _In_     SIZE_T dwSize,
  _In_     DWORD  flAllocationType,
  _In_     DWORD  flProtect
);
The function's address in kernel32 can be fetched at runtime from the Import Address Table (IAT) of a module that imports it.
WriteProcessMemory
BOOL WriteProcessMemory(
  HANDLE  hProcess,
  LPVOID  lpBaseAddress,
  LPCVOID lpBuffer,
  SIZE_T  nSize,
  SIZE_T  *lpNumberOfBytesWritten
);
WriteProcessMemory automatically makes the target page writable for the duration of the write, so it is possible to copy shellcode into an RX page and then jump there.
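As an added example (not from this page or its author), here is a small Python check of the kind a detection engineer might run over a sandbox or API-monitor trace: it flags VirtualAlloc calls that request writable+executable protection or re-commit an existing region as executable, and WriteProcessMemory self-writes into a page that is already executable. The trace line format and the targetProtect field are constructed assumptions.

```python
import re

# Win32 constants for VirtualAlloc's flAllocationType / flProtect arguments.
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x10, 0x20, 0x40, 0x80
PAGE_READWRITE, PAGE_WRITECOPY = 0x04, 0x08
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Constructed API-trace lines (hypothetical monitor format): one call per line,
# keyword arguments in hex; targetProtect is the protection of the written page.
SAMPLE_TRACE = """\
VirtualAlloc(lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x4)
VirtualAlloc(lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x40)
VirtualAlloc(lpAddress=0x1a0000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x20)
WriteProcessMemory(hProcess=0xffffffff, lpBaseAddress=0x401000, lpBuffer=0x19f000, nSize=0x200, targetProtect=0x20)
WriteProcessMemory(hProcess=0xffffffff, lpBaseAddress=0x19f000, lpBuffer=0x19f400, nSize=0x200, targetProtect=0x4)
"""

CALL_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)$")

def parse_call(line):
    """Parse 'Api(k=0x..., ...)' into (api, {k: int}); None if the line is not a call."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args = {}
    for kv in m.group("args").split(","):
        k, v = kv.strip().split("=")
        args[k] = int(v, 16)
    return m.group("api"), args

def classify(line):
    """Return a finding string for a suspicious call, or None."""
    parsed = parse_call(line)
    if parsed is None:
        return None
    api, a = parsed
    if api == "VirtualAlloc":
        prot = a["flProtect"]
        if prot & EXEC_MASK and prot & WRITE_MASK:
            return "RWX allocation (flProtect=0x%x)" % prot
        # MEM_COMMIT on a non-NULL address with no MEM_RESERVE: re-protecting an existing region.
        if prot & EXEC_MASK and a["lpAddress"] != 0 and a["flAllocationType"] == MEM_COMMIT:
            return "existing region re-committed as executable at 0x%x" % a["lpAddress"]
    if api == "WriteProcessMemory":
        # 0xffffffff is the 32-bit GetCurrentProcess() pseudo-handle (self-write).
        if a["hProcess"] == 0xFFFFFFFF and a["targetProtect"] & EXEC_MASK:
            return "self-write into executable page at 0x%x" % a["lpBaseAddress"]
    return None

def scan(trace):
    """Return [(line_no, finding)] for every suspicious call in the trace."""
    return [(i + 1, f) for i, line in enumerate(trace.splitlines()) if (f := classify(line))]
```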
Resources
https://h0mbre.github.io/Creating_Win32_ROP_Chains/#