4 replies to this topic

[DualCoder]

In x86-64 how can I change the value of a segment register? Or how can I know the starting address of a memory segment?

 

For instance

Please Login or Register to see this Hidden Content

compiles and runs without exceptions, but the value of the segment register fs is never changed, so how may I change it?

 

Or if i could make something like:

Please Login or Register to see this Hidden Content

And make the last two instructions read from the same memory address. (rbx = rcx)

 

I'm using FASM btw

 

//DualCoder

[x58]

Have been reading this. The answer might is there

Please Login or Register to see this Hidden Content

See chapter 3.3

Maybe this will clear things up too. But MASM is different because labels are case sensitive in FASM.

Please Login or Register to see this Hidden Content

[karcrack]

What are you trying to do? Changing SR can only be done in real mode... Doing it from protected mode will generate an exception.

[poison2012]

you can have the starting address by using either an API such like VirtualQuery or you can do from asm (it's 32 bit code but you can port it to 64bit):

Please Login or Register to see this Hidden Content

you clear the low bytes since memory blocks always starts on aligment for instance if you have 404543h after mask you get 400000h

you may also want to check if 400000h points to "MZ" signature, if not you have to go further by subtracting 10000h until you reach the MZ header.

ps.: you don't need to access segment register as everything is in "flat" mode, one big 4GB memory accesible for you (in 64bit it's even more)

[DualCoder]

poison2012, on 02 Sept 2013 - 8:24 PM, said:

you can have the starting address by using either an API such like VirtualQuery or you can do from asm (it's 32 bit code but you can port it to 64bit):

Please Login or Register to see this Hidden Content

you clear the low bytes since memory blocks always starts on aligment for instance if you have 404543h after mask you get 400000h

you may also want to check if 400000h points to "MZ" signature, if not you have to go further by subtracting 10000h until you reach the MZ header.

ps.: you don't need to access segment register as everything is in "flat" mode, one big 4GB memory accesible for you (in 64bit it's even more)

 

Yes, you are right.

 

I allready know about the call pop trick to get the address of the code, no problem there.

I'm not trying to get the address of my code (already done), and it doesn't have a PE header so searching for MZ wouldn't work.

And yes you can access any address without using segment registers, but on Windows the fs (32bit) or gs (64bit) registers points to the TEB (Thread Environment Block), I want to trick the system to use different information, but since I seem to be unable to modify the registers, I will atempt to patch the code instead.

 

So I still don't know how to modify the segment registers, but might have found a workaround.

 

//DualCoder