EggHunter

The egghunter needs to be able to scan memory for our egg without triggering an access violation that would kill the process. Two methods of doing this are:

    Call NtAccessCheckAndAuditAlarm (alternatively NtDisplayString) on each candidate address:
        the kernel probes the user-mode pointer we pass it and returns STATUS_ACCESS_VIOLATION (0xc0000005) if the memory is not mapped or we don't have the appropriate access, so the hunter can skip to the next page instead of faulting.
        The syscall number is different on each Windows version and between 32-bit and 64-bit, so look it up for the target. 32-bit: https://j00ru.vexillium.org/syscalls/nt/32/ , 64-bit: https://j00ru.vexillium.org/syscalls/nt/64/
        
    Control SEH so that when an access violation occurs, our exception handler redirects execution back into the egghunter, which then continues at the next page:
        https://www.corelan.be/index.php/2019/04/23/windows-10-egghunter/
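The search loop that both methods wrap is the same: probe the 8 bytes at the current address, jump to the next page boundary on an access violation, otherwise compare two consecutive dwords against the egg and land on the payload that follows. The following C program is an added example, not code from this page or from the Corelan post. It runs the loop over a constructed, simulated address space (everything prefixed sim_ is a stand-in): sim_probe plays the role of the NtAccessCheckAndAuditAlarm / NtDisplayString call (or of the SEH handler) by returning 0xc0000005 for unmapped pages, and sim_read32 plays the role of the direct memory read. The egg "w00t" is repeated twice so the hunter does not stop on its own copy of the egg, and the scenario deliberately places the double egg across a page boundary and a single decoy egg earlier in memory.

```c
/* Egghunter search logic over a simulated 32-bit address space.
 * Added example, not from the original page. In the real hunter the
 * "sim_" functions are replaced by the syscall probe (or an SEH handler)
 * and plain memory reads; here they are constructed stand-ins so the
 * loop can be run and tested on any host. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 0x1000u
#define EGG       0x74303077u   /* "w00t" as a little-endian dword        */
#define SIM_PAGES 8             /* constructed: 8 pages starting at SIM_BASE */
#define SIM_BASE  0x00010000u

/* Constructed address space: pages[i] == NULL means "not mapped". */
typedef struct {
    uint8_t *pages[SIM_PAGES];
} sim_mem;

static int sim_mapped(const sim_mem *m, uint32_t addr) {
    if (addr < SIM_BASE) return 0;
    uint32_t idx = (addr - SIM_BASE) / PAGE_SIZE;
    return idx < SIM_PAGES && m->pages[idx] != NULL;
}

/* Stand-in for the syscall probe: 0 if all `len` bytes at addr are readable,
 * 0xC0000005 (STATUS_ACCESS_VIOLATION) otherwise. Probing 8 bytes at once is
 * what lets the hunter compare two dwords after a single check. */
static uint32_t sim_probe(const sim_mem *m, uint32_t addr, uint32_t len) {
    uint32_t first = addr & ~(PAGE_SIZE - 1);
    uint32_t last  = (addr + len - 1) & ~(PAGE_SIZE - 1);
    for (uint32_t p = first; ; p += PAGE_SIZE) {
        if (!sim_mapped(m, p)) return 0xC0000005u;
        if (p == last) break;
    }
    return 0;
}

/* Stand-in for a direct dword read; caller has already probed the range.
 * Assembled byte by byte so a read straddling two pages still works. */
static uint32_t sim_read32(const sim_mem *m, uint32_t addr) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) {
        uint32_t a = addr + i;
        v |= (uint32_t)m->pages[(a - SIM_BASE) / PAGE_SIZE][a & (PAGE_SIZE - 1)] << (8 * i);
    }
    return v;
}

/* The hunter loop. On an access violation move to the start of the next page
 * (the classic "or dx,0xfff ; inc edx"); otherwise compare the dword at addr
 * and addr+4 with the egg and return addr+8, where the payload begins. */
static uint32_t egghunt(const sim_mem *m, uint32_t start, uint32_t limit) {
    uint32_t addr = start;
    while (addr < limit) {
        if (sim_probe(m, addr, 8) == 0xC0000005u) {
            uint32_t next = (addr | (PAGE_SIZE - 1)) + 1;  /* skip rest of page */
            if (next == 0) return 0;                        /* wrapped around  */
            addr = next;
            continue;
        }
        if (sim_read32(m, addr) == EGG && sim_read32(m, addr + 4) == EGG)
            return addr + 8;
        addr++;
    }
    return 0;   /* egg not found in [start, limit) */
}

/* Constructed scenario: page 0 mapped with a single decoy egg, pages 1-2
 * unmapped, page 3 mapped and holding the double egg that spills into
 * page 4, pages 5-7 unmapped. */
static uint8_t page_buf[SIM_PAGES][PAGE_SIZE];
static sim_mem demo_mem_storage;

static const sim_mem *demo_mem(void) {
    sim_mem *m = &demo_mem_storage;
    memset(m, 0, sizeof *m);
    memset(page_buf, 0x41, sizeof page_buf);
    m->pages[0] = page_buf[0];
    m->pages[3] = page_buf[3];
    m->pages[4] = page_buf[4];
    memcpy(page_buf[0] + 0x100, "w00t", 4);                 /* decoy, single egg */
    memcpy(page_buf[3] + PAGE_SIZE - 6, "w00tw0", 6);       /* double egg ...    */
    memcpy(page_buf[4], "0t\xcc\xcc", 4);                   /* ... ends in page 4 */
    return m;
}

/* Runs the hunt over the whole simulated range; expected payload address is
 * SIM_BASE + 4*PAGE_SIZE - 6 + 8 = 0x14002. */
static uint32_t demo_hunt(void) {
    return egghunt(demo_mem(), SIM_BASE, SIM_BASE + SIM_PAGES * PAGE_SIZE);
}

int main(void) {
    printf("payload found at 0x%08x\n", demo_hunt());
    return 0;
}
```

Because the probe covers addr through addr+7, an egg whose first dword sits in the last bytes of a mapped page followed by an unmapped page is skipped, exactly as the classic hunter skips it; the example places the egg across two mapped pages to show that the straddling case itself is fine.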
