Memory Base Allocation
Closed this issue · 8 comments
Could be user error or possible bug. When I go to the offset specified in the Base, IDA view > segments the base addr is only listed as the end of the allocated memory never at the start for the shellcode.
shellcode3_actual_meterpreter.zip
passwd - infected
Appreciated idiom
Tested and this works as expected. Can you try the following
- Run:
bloblrunner.exe shellcode3_actual_meterpreter.bin
This will display the offset of the allocated memory. Example:
[*] Entry: 0x000c0000
- Open your debugger and attach to the blobrunner.exe process.
- Navigate to the above address (ctrl-g if you are using x64dbg) and set a breakpoint (f2)
In your sample this should be
FC cld ; <-- Add Breakpoint here
E8 82 00 00 call C0088
60 pushad
4 Resume the process in the debugger.
5. Now press enter in the Blobrunner console window to resume execution.
This will break at the first instruction of the loaded shellcode where you placed the breakpoint.
@itripc Also here is a short video explaining using it - https://www.youtube.com/watch?v=q9q8dy-2Jeg
Funny I was using x64dbg and it seemed to work fine in x64 but the issue was with IDA remote dbg, I couldnt get the offset to line up in segments. The video is great watched it yesterday thanks.
Hey, I just tested with Ida - remote debugging and it should also work using the same method as above. When you navigate to the offset, you will need to convert it to code and then set the breakpoint, the shellcode should be written to the start of the allocated region.
Are you seeing it written at the end?
Here is an example where I renamed the region to shellcode and have it set as executable.
Great! If you have any questions feel free to reach out