Chapter 8: Windows Overflows

Overview

If you're reading this chapter, we assume that you have at least a basic understanding of the Windows NT or later operating system, and that you know how to exploit buffer overflows on this platform. This chapter deals with more advanced aspects of Windows overflows, such as defeating the stack-based protection built into Windows 2003 Server, an in-depth look at heap overflows, and so on. You should already be familiar with key Windows concepts such as the Thread Environment Block (TEB), the Process Environment Block (PEB), and such things as process memory layout, image files, and the PE header. If you are not familiar with these concepts, I recommend looking at and understanding them before embarking upon this chapter. We provide a number of resources on the Shellcoder's Handbook Web site ( www. wiley .com/compbooks/koziol) to help you.

The tools used in this chapter come with Microsoft's Visual Studio 6, particularly MSDEV for debugging, the command line compiler (cl), and dumpbin. dumpbin is a great tool for working from a command shellit can dump all sorts of useful information about a binary, imports and exports, section information, disassembly of the codeyou name it, dumpbin can probably do it. For those who are more comfortable working with a GUI, Datarescue's IDA Pro is a great disassembly tool. Most might prefer to use Intel syntax, while others may prefer to use AT&T syntax. You should use what you feel most comfortable with.