Hacking Windows CE

More documents

Recommendations

Info

System Call<strong>Windows</strong> <strong>CE</strong> APIs implement bysystem callThere is a formula to calculate thesystem call address0xf0010000-(256*apiset+apinr)*4The shellcode is more simple and itcan used by user modePart 6/8
Buffer Overflow Demo(1)hello.cpp -the vulnerable programReading data from the "binfile" of the root directory tostack variable "buf" by fread()Then the stack variable "buf" will be overflowedARM assembly language uses bl instruction to callfunction"str lr, [sp, #-4]! " -the first instruction of thehello() function"ldmia sp!, {pc} " -the last instruction of the hello()functionOverwriting lr register that is stored in the stack willobtain control when the function returnedPart 7/8
Page 1 and 2: Hacking Windows CEsan@nsfocus.comsa
Page 4 and 5: Windows CE Overview(2)ARM Architect
Page 6 and 7: Memory Management(2)
Page 8 and 9: Memory Management(4)Slot 0 layout
Page 10 and 11: Processes and Threads(2)When a proc
Page 12 and 13: API Address Search(1)Locate the loa
Page 14 and 15: API Address Search(3)Export Directo
Page 16 and 17: Shellcode(2)Something to attention
Page 20 and 21: Buffer Overflow Demo(2)The variable
Page 22 and 23: Buffer Overflow Demo(4)A failed exp
Page 24 and 25: About Decoding Shellcode(1)Why need
Page 26 and 27: About Decoding Shellcode(3)A succes
Page 28 and 29: ConclusionThe codes talked above ar
Page 30: Thank You!san@nsfocus.comsan@xfocus

Hacking Windows CE

Create successful ePaper yourself

Delete template?

Save as template?