[framework] Metasploit vs ANI
H D Moore
hdm at metasploit.com
Wed Apr 4 08:41:56 CDT 2007
Use the NASM shell (if you have nasm and ndisasm installed, or use the
Windows version):
$ msf3/tools/nasm_shell.rb
nasm > jmp [ebx+4]
00000000 FF6304 jmp near [ebx+0x4]
nasm > call [ebx+4]
00000000 FF5304 call near [ebx+0x4]
So we need to find one of those two, using msfpescan:
$ msf3/msfpescan -r "\xff[\x53\x63]\x04" /path/to/some/loaded.dll
[/path/to/some/loaded.dll]
0x77d7d207 ff5304
-HD
On Wednesday 04 April 2007 02:35, Thomas Werth wrote:
> How can I use msfpescan to find an ebx+4 in user32.dll?
> ./msfpescan -j ebx+4 /path/to/user32.dll
> raises (no surprise) a syntax error,
>
> ./msfpescan -j ebx /path/to/user32.dll
> just lists ebx calls.
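The scan HD describes, written out as an added Python example that is not code from Metasploit or from anyone in this thread: it reads the PE section table so that a file offset can be turned into the virtual address msfpescan prints, then runs the same `\xff[\x53\x63]\x04` regex over each section's raw bytes. Instead of a real user32.dll it scans a constructed minimal PE32 image built inline by `build_test_pe` (the image base 0x77D70000, the `.text` layout and the `SAMPLE_CODE` byte blob are assumptions for the example); pass a path on the command line to scan a real file.

```python
import re
import struct
import sys

# Encodings from the nasm shell output in the thread:
#   jmp  [ebx+4] -> ff 63 04
#   call [ebx+4] -> ff 53 04
# This is the same regex HD hands to msfpescan -r, as a Python bytes pattern.
EBX_PLUS_4 = re.compile(rb"\xff[\x53\x63]\x04")


def pe_sections(data):
    """Parse just enough of the PE headers to map file offsets to virtual addresses.

    Returns (image_base, sections); each section is (name, rva, raw_size, raw_ptr).
    Handles both PE32 and PE32+ optional headers.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:      # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = []
    off = opt + size_of_optional
    for _ in range(num_sections):
        name, _vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0"), rva, raw_size, raw_ptr))
        off += 40             # IMAGE_SECTION_HEADER is 40 bytes
    return image_base, sections


def scan_pe(data, pattern=EBX_PLUS_4):
    """Return [(virtual_address, matched_bytes)] for every regex hit inside a section."""
    image_base, sections = pe_sections(data)
    hits = []
    for _name, rva, raw_size, raw_ptr in sections:
        # Only bytes present in the file are searched; a section with
        # raw_size == 0 (bss-style) simply yields nothing.
        for m in pattern.finditer(data, raw_ptr, raw_ptr + raw_size):
            va = image_base + rva + (m.start() - raw_ptr)
            hits.append((va, m.group(0)))
    return hits


def format_hits(hits):
    """Render hits the way msfpescan prints them, e.g. '0x77d7d207 ff5304'."""
    return ["0x%08x %s" % (va, b.hex()) for va, b in hits]


def build_test_pe(code, image_base=0x77D70000, text_rva=0x1000, text_raw=0x400):
    """Constructed minimal PE32 image with one .text section holding `code`.

    A stand-in for a real loaded DLL (assumption for this example); the image
    base and layout are chosen here, not taken from user32.dll.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)            # section / file alignment
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), text_rva,
                       len(code), text_raw, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return header.ljust(text_raw, b"\0") + code


# Constructed code blob (not from any real binary): a decoy 'jmp ebx' (ff e3,
# which is what '-j ebx' alone finds), 'call [ebx+4]' at offset 10,
# 'jmp [ebx+4]' at offset 14, and a 'call [ebx+8]' the regex must not match.
SAMPLE_CODE = (b"\x55\x8b\xec"            # push ebp; mov ebp, esp
               + b"\xff\xe3"              # jmp ebx (not a match)
               + b"\x90" * 5
               + b"\xff\x53\x04"          # call [ebx+4]
               + b"\xc3"
               + b"\xff\x63\x04"          # jmp  [ebx+4]
               + b"\xc3"
               + b"\xff\x53\x08")         # call [ebx+8] (not a match)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(SAMPLE_CODE)
    print("\n".join(format_hits(scan_pe(data))))
```

The addresses come from the ImageBase in the file's optional header, i.e. the preferred load address; if the DLL is relocated in the target process, add the difference between the actual and preferred base before using a hit as a return address.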