Wednesday, 18 January 2012

Getting the address of next instruction using INT 2E

During some reversing at the nullcon CTF I noticed that an INT 2E call loads the address of the next instruction into the EDX register.


Address Hex dump Command
0040103E |. 33C0 XOR EAX,EAX
00401040 |. 33D2 XOR EDX,EDX
00401042 |. 68 A141761D PUSH 1D7641A1
00401047 |. 68 BEBAADDE PUSH DEADBABE
0040104C |. 6A 00 PUSH 0
0040104E |. 6A 00 PUSH 0
00401050 |. 6A 00 PUSH 0
00401052 |. 6A 00 PUSH 0
00401054 |. 6A 00 PUSH 0
00401056 |. 6A 00 PUSH 0
00401058 |. 6A 00 PUSH 0
0040105A |. 6A 00 PUSH 0
0040105C |. 6A 00 PUSH 0
0040105E |. CD 2E INT 2E
00401060 |. 83C2 1A ADD EDX,1A
00401063 |. FFD2 CALL EDX


After INT 2E at 0040105E returns, EDX contains the address of the next instruction (00401060); the following ADD EDX,1A turns that into the call target 0040107A. The return value in EAX is 0xC0000005 (STATUS_ACCESS_VIOLATION): EDX was zeroed before the call, so the kernel's attempt to copy the system-call arguments from user address 0 faults before the service itself runs.

Registers at 00401063:
EAX C0000005
ECX 0012FEDC
EDX 0040107A HackIM.0040107A
EBX 00000001
ESP 0012FEDC
EBP 0012FF30
ESI 00000000
EDI FFFFFFFE
EIP 00401063 HackIM.00401063

The INT 2E instruction enters the kernel's system-service dispatcher (KiSystemService); EAX holds the service number and EDX a pointer to the service's arguments in user memory. The value in EAX is looked up in the KiServiceTable (see the Wikipedia entry for the SSDT); note that the numbering is specific to the Windows version being analysed. I found a KiServiceTable dump on a forum here.
In our case EAX is 0, which on this system maps to NtAcceptConnectPort.
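As an added example (not code from the original post), the following Python script applies the observation above to the listing: it parses OllyDbg-style lines, assumes that EDX holds the address of the instruction after INT 2E on return (the behaviour observed in the post), follows ADD/SUB EDX,imm adjustments to compute where the CALL EDX lands, and also hunts raw code bytes for INT 2E followed within a few bytes by CALL EDX or JMP EDX, the pattern an analyst would look for when this trick is used to hide a control transfer. The embedded listing is the one from the post; the small mnemonic table and the 16-byte look-ahead window are my own assumptions.

```python
import re

# Constructed sample: the OllyDbg disassembly from the post (address,
# hex dump, command), embedded as text so the script runs offline.
LISTING = """\
0040103E |. 33C0 XOR EAX,EAX
00401040 |. 33D2 XOR EDX,EDX
00401042 |. 68 A141761D PUSH 1D7641A1
00401047 |. 68 BEBAADDE PUSH DEADBABE
0040104C |. 6A 00 PUSH 0
0040104E |. 6A 00 PUSH 0
00401050 |. 6A 00 PUSH 0
00401052 |. 6A 00 PUSH 0
00401054 |. 6A 00 PUSH 0
00401056 |. 6A 00 PUSH 0
00401058 |. 6A 00 PUSH 0
0040105A |. 6A 00 PUSH 0
0040105C |. 6A 00 PUSH 0
0040105E |. CD 2E INT 2E
00401060 |. 83C2 1A ADD EDX,1A
00401063 |. FFD2 CALL EDX
"""

# Assumed mnemonic table, enough for this listing. It is needed because
# hex-dump tokens and mnemonics such as ADD are both valid hex strings,
# so the column boundary cannot be found by character class alone.
MNEMONICS = {"XOR", "PUSH", "INT", "ADD", "SUB", "CALL", "JMP"}


def parse_listing(text):
    """Parse 'ADDR |. HEX... MNEMONIC OPERANDS' lines into
    (address, code_bytes, mnemonic, operands) tuples."""
    instrs = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[1] != "|.":
            continue  # header or non-instruction line
        addr = int(tokens[0], 16)
        body = tokens[2:]
        k = next((i for i, t in enumerate(body) if t in MNEMONICS), None)
        if k is None:
            continue
        code = bytes.fromhex("".join(body[:k]))
        instrs.append((addr, code, body[k], " ".join(body[k + 1:])))
    return instrs


def resolve_int2e_calls(instrs):
    """For every INT 2E, assume EDX == address of the following instruction
    on return (as observed in the post), apply any ADD/SUB EDX,imm that
    follows, and report (int2e_addr, transfer_addr, target) for the
    CALL EDX / JMP EDX that consumes it."""
    results = []
    for i, (addr, code, mnem, ops) in enumerate(instrs):
        if not (mnem == "INT" and ops.upper() == "2E"):
            continue
        edx = addr + len(code)  # next-instruction address
        for a, _c, m, o in instrs[i + 1:]:
            o = o.upper().replace(" ", "")
            if m in ("ADD", "SUB") and o.startswith("EDX,"):
                imm = int(o.split(",", 1)[1], 16)  # OllyDbg prints hex
                edx = (edx + imm if m == "ADD" else edx - imm) & 0xFFFFFFFF
            elif m in ("CALL", "JMP") and o == "EDX":
                results.append((addr, a, edx))
                break
            else:
                break  # pattern not followed; EDX may be clobbered
    return results


INT_2E = b"\xcd\x2e"
EDX_TRANSFERS = {b"\xff\xd2": "CALL EDX", b"\xff\xe2": "JMP EDX"}


def scan_bytes(blob, base, window=16):
    """Heuristic hunt over raw code bytes: report every INT 2E that is
    followed within `window` bytes by CALL EDX or JMP EDX. Returns
    (int2e_addr, transfer_addr, name) tuples; `base` is the address of
    blob[0]."""
    hits = []
    pos = blob.find(INT_2E)
    while pos != -1:
        tail = blob[pos + 2:pos + 2 + window]
        for pat, name in EDX_TRANSFERS.items():
            k = tail.find(pat)
            if k != -1:
                hits.append((base + pos, base + pos + 2 + k, name))
        pos = blob.find(INT_2E, pos + 1)
    return hits


if __name__ == "__main__":
    instrs = parse_listing(LISTING)
    for site, xfer, target in resolve_int2e_calls(instrs):
        print(f"INT 2E at {site:08X}: {xfer:08X} transfers control to {target:08X}")
    blob = b"".join(c for _, c, _, _ in instrs)
    for site, xfer, name in scan_bytes(blob, instrs[0][0]):
        print(f"raw scan: INT 2E at {site:08X} followed by {name} at {xfer:08X}")
```

On the post's listing the resolver reports the CALL EDX at 00401063 landing on 0040107A, the value the register dump shows in EDX, and the raw scan flags the same site from the bytes alone. The raw scan is a heuristic: legitimate code rarely issues INT 2E directly in user mode, but a hit should still be confirmed in a debugger, since EDX only carries the return address on the Windows builds where this behaviour was observed.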

For completeness, here are the registers before the INT 2E instruction and the stack before and after the call.
EAX 00000000
ECX 0000000A
EDX 00000000
EBX 00000001
ESP 0012FEDC
EBP 0012FF30
ESI 00000000
EDI FFFFFFFE
EIP 0040105E HackIM.0040105E
0012FEDC /00000000
0012FEE0 |00000000
0012FEE4 |00000000
0012FEE8 |00000000
0012FEEC |00000000
0012FEF0 |00000000
0012FEF4 |00000000
0012FEF8 |00000000
0012FEFC |00000000
0012FF00 |DEADBABE
0012FF04 |1D7641A1
