TEB Fun
Been doing a bit of research on the layout of the TEB and PEB, so I wrote the following to see if my understanding of the key parts of those structures is correct.
The TEB gives us 520 bytes of scratch space that appears to sit at a fixed offset of 0xC00 (3072) bytes from the base address of the current thread's TEB. I tested this on Windows XP and Windows 7 and the offset was consistent in both.
In situations where we can't execute code on the stack, this scratch space saves us the trouble of having to find or allocate space to copy our shellcode. It's not executable by default, but that's nothing that a call to VirtualProtect can't fix. Also, 520 bytes is not a huge area, but it should be more than enough for a bind/reverse shell or stager code.
teb.c
#include <stdio.h>
#include <windows.h>

/* TEB Fun...
   dijital1
   Build as a 32-bit MSVC program: the inline asm is x86 only, and the
   manual pushes before each printf() rely on MSVC's cdecl calling convention.
*/
int main()
{
    DWORD oldprot;
    /* Make the 520-byte scratch area at TEB+0xC00 executable. The TEB base is
       read via NtCurrentTeb() (fs:[0x18]) rather than the hardcoded 0x7FFDF000,
       which only holds for the first thread on XP-era systems. */
    BYTE *scratch = (BYTE *)NtCurrentTeb() + 0xC00;
    VirtualProtect(scratch, 520, PAGE_EXECUTE_READWRITE, &oldprot);

    __asm {
        mov eax, dword ptr fs:[0x18]    // TEB (NtTib.Self)
        mov ebx, dword ptr [eax+0x30]   // TEB.ProcessEnvironmentBlock -> PEB
        mov ecx, dword ptr [ebx+0xc]    // PEB.Ldr -> PEB_LDR_DATA
        push dword ptr [ecx+0x1c]       // Ldr.InInitializationOrderModuleList.Flink
        push dword ptr [ebx+0xc]        // Ldr pointer
        push ebx                        // PEB
        push eax                        // TEB (first vararg)
    }
    /* The four values pushed above are consumed as printf's variadic arguments. */
    printf("\nThread's TEB is at: 0x%p\n"
           "Thread's PEB is at: 0x%p\n"
           "Pointer to Module Ldr Struct: 0x%p\n"
           "Pointer to Module Init List : 0x%p\n");
    __asm {
        add esp, 0x10                   // Clean up the four manual pushes
        cld                             // stosd must count upwards
        mov edi, dword ptr fs:[0x18]    // TEB
        lea edi, [edi+0xc00]            // TEB+0xC00: the scratch area
        mov ebx, edi                    // Keep the start address for printf
        mov ecx, 0x82                   // 130 dwords = 520 bytes
        mov eax, 0x41414141             // "AAAA"
        rep stosd
        push ebx                        // Scratch pointer as printf arg
    }
    /* %.520s limits the read to the 520 bytes just written: the fill has no NUL terminator. */
    printf("\nWriting and Reading 520 bytes \nfrom TEB internal buffer: \n\n%.520s\n");
    __asm {
        add esp, 0x4                    // Clean up the scratch pointer push
    }
    return 0;
}
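As an added defender-side counterpart (not part of the original post), this PowerShell script walks a process's threads, locates each TEB through NtQueryInformationThread (ThreadBasicInformation) and queries the protection of the page holding TEB+0xC00; a TEB page carrying any PAGE_EXECUTE_* protection is flagged, since nothing legitimate makes it executable. The struct layouts are taken from public headers and the 0xC00 offset from the post; for a WOW64 process examined from 64-bit PowerShell the TEB reported is the native 64-bit one and the 32-bit TEB is not inspected.

```powershell
param([int]$ProcessId = $PID)   # defaults to the current PowerShell process

Add-Type @'
using System;
using System.Runtime.InteropServices;
public static class TebCheck {
    [StructLayout(LayoutKind.Sequential)]
    public struct THREAD_BASIC_INFORMATION {   // ThreadBasicInformation (class 0)
        public int ExitStatus; public IntPtr TebBaseAddress; public IntPtr UniqueProcess;
        public IntPtr UniqueThread; public IntPtr AffinityMask; public int Priority; public int BasePriority;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State; public uint Protect; public uint Type;
    }
    [DllImport("ntdll.dll")] public static extern int NtQueryInformationThread(IntPtr h, int cls, ref THREAD_BASIC_INFORMATION info, int len, IntPtr retLen);
    [DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr OpenThread(uint access, bool inherit, uint tid);
    [DllImport("kernel32.dll", SetLastError=true)] public static extern IntPtr OpenProcess(uint access, bool inherit, uint pid);
    [DllImport("kernel32.dll")] public static extern IntPtr VirtualQueryEx(IntPtr hp, IntPtr addr, out MEMORY_BASIC_INFORMATION mbi, IntPtr len);
    [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
}
'@

$THREAD_QUERY_INFORMATION = 0x40
$PROCESS_QUERY_INFORMATION = 0x400
$execMask = 0x10 -bor 0x20 -bor 0x40 -bor 0x80   # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

$hProc = [TebCheck]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
if ($hProc -eq [IntPtr]::Zero) { throw "OpenProcess failed for PID $ProcessId" }

foreach ($t in (Get-Process -Id $ProcessId).Threads) {
    $hThread = [TebCheck]::OpenThread($THREAD_QUERY_INFORMATION, $false, $t.Id)
    if ($hThread -eq [IntPtr]::Zero) { continue }
    $tbi = New-Object 'TebCheck+THREAD_BASIC_INFORMATION'
    $size = [System.Runtime.InteropServices.Marshal]::SizeOf($tbi)
    $status = [TebCheck]::NtQueryInformationThread($hThread, 0, [ref]$tbi, $size, [IntPtr]::Zero)
    [void][TebCheck]::CloseHandle($hThread)
    if ($status -ne 0) { continue }                      # NTSTATUS != STATUS_SUCCESS

    # The scratch area the post describes: TEB + 0xC00 (assumed offset, from the post)
    $scratch = [IntPtr]($tbi.TebBaseAddress.ToInt64() + 0xC00)
    $mbi = New-Object 'TebCheck+MEMORY_BASIC_INFORMATION'
    $mbiSize = [System.Runtime.InteropServices.Marshal]::SizeOf($mbi)
    if ([TebCheck]::VirtualQueryEx($hProc, $scratch, [ref]$mbi, [IntPtr]$mbiSize) -eq [IntPtr]::Zero) { continue }

    $flag = if (($mbi.Protect -band $execMask) -ne 0) { 'EXECUTABLE (suspicious)' } else { 'ok' }
    '{0,6}  TEB 0x{1:X}  scratch protect 0x{2:X}  {3}' -f $t.Id, $tbi.TebBaseAddress.ToInt64(), $mbi.Protect, $flag
}
[void][TebCheck]::CloseHandle($hProc)
```

Run it against a process that executed teb.c and the thread that called VirtualProtect shows a PAGE_EXECUTE_READWRITE (0x40) scratch page; every other thread should report 0x04 (PAGE_READWRITE).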