:biggrin:
First, you make the assumption that everyone else is sensible (first mistake!)
And then, since everyone else is as sensible as you are, you expect they would have also started their procedure with the usual stack-frame preparation ("push ebp; mov ebp,esp").
Now you have your current stack pointer (esp), and a pointer to the base of your stack frame (ebp), and the top and bottom of the previous procedure's stack are equal to the previous values for esp and ebp (the previous ebp was pushed first, and previous esp pointed to 4 bytes below that location -- which should actually contain the return address for the previous call, so top of their stack would be after that.)
So, following those assumptions, you can iterate down the stack, noting the top and bottom of the stack frame for each procedure.
Unfortunately, this isn't entirely foolproof, as not all procedures are going to be sensible -- some either have no stack frame, or simply don't use ebp for that purpose. So you also need to do some basic sanity checking on the values and see whether they make sense (top should be above bottom, and bottom probably shouldn't be 300MB below).
If you do find a hiccup, you're left with scanning the remaining stack space until you find something that at least looks sensible, but still it's only a guess.
:biggrin:
you can get top and bottom of stack from the TEB
if EBP isn't between those and 4-aligned, look at ESP :P
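The two posts above describe one algorithm: follow the saved-ebp chain left by "push ebp; mov ebp,esp", and reject any link that is misaligned, outside the TEB's stack bounds, or not above the frame you came from. The following is an added example (not code from this thread) that implements that walk in C over a constructed 32-bit stack image, so it runs offline; the STACK_LIMIT/STACK_BASE values stand in for the TEB fields and are assumed, not real process values.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed 32-bit stack image (assumed TEB values; not a real process):
   STACK_LIMIT/STACK_BASE play the TEB's stack bounds, highest address at the end. */
#define STACK_WORDS 16
#define STACK_LIMIT 0x00120000u
#define STACK_BASE  (STACK_LIMIT + STACK_WORDS * 4)

typedef struct { uint32_t ebp; uint32_t ret; } frame_t;

/* Simulated memory read of a guest address inside [STACK_LIMIT, STACK_BASE). */
static uint32_t read32(const uint32_t *stack, uint32_t addr) {
    return stack[(addr - STACK_LIMIT) / 4];
}

/* The thread's sanity checks: a candidate saved-ebp must be 4-aligned, lie inside
   the TEB stack bounds with room for [saved ebp][return address], and sit above
   (older than) the frame we are leaving. */
int ebp_looks_sane(uint32_t cand, uint32_t prev) {
    return (cand & 3) == 0 && cand >= STACK_LIMIT && cand + 8 <= STACK_BASE && cand > prev;
}

/* Walk the "push ebp; mov ebp,esp" chain from start_ebp, recording each frame's ebp
   and return address. Stops at the first link that fails the check (the "hiccup"),
   which is also how a frameless caller or a zero terminator ends the walk. */
size_t walk_frames(const uint32_t *stack, uint32_t start_ebp, frame_t *out, size_t max) {
    size_t n = 0;
    uint32_t ebp = start_ebp, prev = STACK_LIMIT - 4;
    while (n < max && ebp_looks_sane(ebp, prev)) {
        out[n].ebp = ebp;
        out[n].ret = read32(stack, ebp + 4);
        n++;
        prev = ebp;
        ebp = read32(stack, ebp);          /* caller's saved ebp */
    }
    return n;
}

/* Constructed sample: three well-formed frames, then a caller whose saved ebp is junk. */
void build_sample_stack(uint32_t *stack) {
    memset(stack, 0, STACK_WORDS * 4);
    stack[2] = STACK_LIMIT + 24; stack[3] = 0x00401010u;   /* frame at LIMIT+8  */
    stack[6] = STACK_LIMIT + 40; stack[7] = 0x00401020u;   /* frame at LIMIT+24 */
    stack[10] = 0x00012345u;     stack[11] = 0x00401030u;  /* frame at LIMIT+40, bad link */
}
```

Starting the walk at STACK_LIMIT+8 yields the three frames and then stops at the junk link instead of wandering off the stack.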
:biggrin:
:biggrin:
;###############################################################################################
.XCREF
.NoList
INCLUDE \Masm32\Include\Masm32rt.inc
.List
;###############################################################################################
.CODE
;***********************************************************************************************
_main PROC
int 3 ;software breakpoint - comment this line out for testing
movzx eax,byte ptr [ebx+2] ;EBX holds the PEB address on entry; byte at PEB+2 is BeingDebugged
print str$(eax),13,10,13,10 ;prints 1 under a debugger, 0 otherwise
inkey
exit
_main ENDP
;###############################################################################################
END _main
...vicious,...
it detects the debugger :P
Nice find, Dave :t
Is that documented somewhere?
well - upon entry, a PE EXE has 2 registers of interest
EAX holds the entry point - that one might detect a virus or something - but probably too late
EBX holds the address of the PEB
they're not documented on MSDN
one of Russinovich's books "Microsoft Windows Internals" has them documented, though
I am a fan of later OS designs that randomise the stack address to make life difficult for stack-based exploits.
deleted
ouch!
what happens to the original stack :redface:
you can probe the original stack down and usually get something like 1 GB
:biggrin:
> But,...then,...so is the registry
Now you know why I won't use the registry, a wide open security leak that any exploit can use to find your software. Portability takes the "phun" out of tracking your software and they have to search the drives and directories to find it and that is if they know its name. :icon_eek: