Member
Posted 31 August 2013 - 12:40 AM
In x86-64 how can I change the value of a segment register? Or how can I know the starting address of a memory segment?
For instance
compiles and runs without exceptions, but the value of the segment register fs is never changed, so how may I change it?
Or if i could make something like:
And make the last two instructions read from the same memory address. (rbx = rcx)
I'm using FASM btw
//DualCoder
Posted 31 August 2013 - 11:52 AM
Regards
Website & blog 1366x.org
Linux is awesome but also time consuming hungry
Advanced Member
Posted 02 September 2013 - 05:58 PM
What are you trying to do? Changing SR can only be done in real mode... Doing it from protected mode will generate an exception.
(PGP ID 0xCC050E77)
ASM, C, C++, VB6... skilled [malware] developer
Member
Posted 02 September 2013 - 08:24 PM
you can have the starting address by using either an API such like VirtualQuery or you can do from asm (it's 32 bit code but you can port it to 64bit):
you clear the low bytes since memory blocks always starts on aligment for instance if you have 404543h after mask you get 400000h
you may also want to check if 400000h points to "MZ" signature, if not you have to go further by subtracting 10000h until you reach the MZ header.
ps.: you don't need to access segment register as everything is in "flat" mode, one big 4GB memory accesible for you (in 64bit it's even more)
Member
Posted 02 September 2013 - 09:07 PM
you can have the starting address by using either an API such like VirtualQuery or you can do from asm (it's 32 bit code but you can port it to 64bit):
you clear the low bytes since memory blocks always starts on aligment for instance if you have 404543h after mask you get 400000h
you may also want to check if 400000h points to "MZ" signature, if not you have to go further by subtracting 10000h until you reach the MZ header.
ps.: you don't need to access segment register as everything is in "flat" mode, one big 4GB memory accesible for you (in 64bit it's even more)
Yes, you are right.
I allready know about the call pop trick to get the address of the code, no problem there.
I'm not trying to get the address of my code (already done), and it doesn't have a PE header so searching for MZ wouldn't work.
And yes you can access any address without using segment registers, but on Windows the fs (32bit) or gs (64bit) registers points to the TEB (Thread Environment Block), I want to trick the system to use different information, but since I seem to be unable to modify the registers, I will atempt to patch the code instead.
So I still don't know how to modify the segment registers, but might have found a workaround.
//DualCoder
  |
help
Miscellaneous →
Web Mastering →
Need Help with a Hook!Started by CybRooT , 14 Jan 2014  help
|
|
|
|
|
Programming →
Basic →
Resources →
Request: Melt ShellcodeStarted by Limitless , 12 Jan 2014 help
|
|
|
|
|
Programming →
Programming (Un)Detection →
Gen:hur.MSIL.Krypt.3 (BitDefender)Started by blackshadowbutt , 12 Jan 2014 help
|
|
|
|
|
Programming →
Pascal/Delphi →
Resources →
SSH TunnelStarted by boglex , 26 Dec 2013 help
|
|
|
|
|
help
Programming →
.Net →
General Discussion →
Adding file to startup, melt and persistence (VB.Net)Started by Y45KUR , 24 Dec 2013 help
|
|
|
Contributor
