Comments on: Armadillo, Nanomites and vectored exception-handling http://www.ring3circus.com/rce/armadillo-nanomites-and-vectored-exception-handling/ Diary of a programmer, journal of a hacker. Tue, 23 Feb 2010 06:23:21 -0800 http://wordpress.org/?v=2.8 hourly 1 By: v3n http://www.ring3circus.com/rce/armadillo-nanomites-and-vectored-exception-handling/comment-page-1/#comment-214 v3n Mon, 16 Feb 2009 11:37:45 +0000 http://www.ring3circus.com/rce/armadillo-nanomites-and-vectored-exception-handling/#comment-214 thanks for explaining some obscure things. thanks for explaining some obscure things.

]]> By: Greg http://www.ring3circus.com/rce/armadillo-nanomites-and-vectored-exception-handling/comment-page-1/#comment-75 Greg Thu, 31 Jan 2008 01:15:06 +0000 http://www.ring3circus.com/rce/armadillo-nanomites-and-vectored-exception-handling/#comment-75 Bill, Can I ask where you got that address from? I searched for a little while but I can't find any documentation on the implementation of VEH on any version of Windows. Judging from the results of ten minutes poking around in OllyDbg (I really should be using a kernel debugger for this) I get the impression that VEH is implemented as a doubly-linked list on the process's main heap (with an index being stored in ntdll's .data section: 0x77BF0180). All pointers to VEHs are encoded using RtlEncodePointer. This doesn't sound too compatible with what you described. Could you shed some light on the situation? My findings are derived using WoW32 under 64-bit Vista, so there may well be significant differences from XP. I'll set up a multi-boot system at some point so I can investigate these matters further. Greg Bill,

Can I ask where you got that address from? I searched for a little while but I can’t find any documentation on the implementation of VEH on any version of Windows. Judging from the results of ten minutes poking around in OllyDbg (I really should be using a kernel debugger for this) I get the impression that VEH is implemented as a doubly-linked list on the process’s main heap (with an index being stored in ntdll’s .data section: 0×77BF0180). All pointers to VEHs are encoded using RtlEncodePointer. This doesn’t sound too compatible with what you described. Could you shed some light on the situation?

My findings are derived using WoW32 under 64-bit Vista, so there may well be significant differences from XP. I’ll set up a multi-boot system at some point so I can investigate these matters further.

Greg

]]> By: Bill Stevens http://www.ring3circus.com/rce/armadillo-nanomites-and-vectored-exception-handling/comment-page-1/#comment-72 Bill Stevens Wed, 30 Jan 2008 19:07:41 +0000 http://www.ring3circus.com/rce/armadillo-nanomites-and-vectored-exception-handling/#comment-72 Is the pointer to the first VEH located in the same place in XP SP2 as it is documented to be in SP1? (0x....3210) Is the pointer to the first VEH located in the same place in XP SP2 as it is documented to be in SP1? (0x….3210)

]]> By: Rolf http://www.ring3circus.com/rce/armadillo-nanomites-and-vectored-exception-handling/comment-page-1/#comment-44 Rolf Fri, 21 Dec 2007 20:10:46 +0000 http://www.ring3circus.com/rce/armadillo-nanomites-and-vectored-exception-handling/#comment-44 Nicely done :-) Nicely done :-)

]]> By: upb http://www.ring3circus.com/rce/armadillo-nanomites-and-vectored-exception-handling/comment-page-1/#comment-40 upb Mon, 17 Dec 2007 18:05:19 +0000 http://www.ring3circus.com/rce/armadillo-nanomites-and-vectored-exception-handling/#comment-40 great idea, love your blog :) You could also implement the same strategy by hooking KiUserExceptionDispatcher instead of adding a VEH, but that is more dirty great idea, love your blog :)

You could also implement the same strategy by hooking KiUserExceptionDispatcher instead of adding a VEH, but that is more dirty

]]>