This is a small test program I wrote some time ago; it may be of interest to someone. It loads a DLL and scans its mapped image for the JMP ESP opcode sequence (FF E4), printing the absolute address (module base + offset) of each hit as seen in the scanning process. Keep in mind that if the DLL is mapped at a different base in the target process (e.g. under ASLR), only the offset within the module carries over, so rebase it against the target's module base.
.386
.model flat, stdcall
option casemap :none
include \masm32\include\psapi.inc
include \masm32\include\masm32rt.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib
includelib \masm32\lib\masm32.lib
includelib \masm32\lib\psapi.lib
Main PROTO
; Layout of the PSAPI MODULEINFO structure filled in by GetModuleInformation
; (three DWORDs, 12 bytes). Only lpBaseOfDll and SizeOfImage are consumed
; by the scan; EntryPoint is carried for layout completeness.
; NOTE(review): if the MASM32 include set already declares MODULEINFO with
; this exact layout, MASM accepts the duplicate as a benign redefinition;
; should the layouts ever differ the assembler rejects it -- confirm against
; the include files in use.
MODULEINFO STRUCT
lpBaseOfDll DWORD ?    ; address the module is mapped at in this process
SizeOfImage DWORD ?    ; size in bytes of the mapped image (used as the scan limit)
EntryPoint DWORD ?     ; module entry point (not used here)
MODULEINFO ENDS
.data?
HND HANDLE ?            ; current-process handle from GetCurrentProcess
MODL HMODULE ?          ; module handle from LoadLibrary (0 on failure)
MINFO MODULEINFO <?>    ; base/size of the loaded module, filled by GetModuleInformation
.data
DLL db "msvcrt.dll", 0 ; Change DLL name -- module to scan; a bare name is resolved through the normal DLL search order, so give a full path for anything that is not a system DLL
Err1 db "Error1", 13, 0 ; error text (terminated with CR only, no LF)
EspT db "JMP ESP -> ", 0 ; prefix printed before every hit address
NL db 13, 10, 0 ; CR LF line terminator printed after each hit
.code
; Program entry point (named by `end start`): run the scan in Main, then
; terminate the process with exit code 0 regardless of whether the scan
; succeeded -- Main signals failure only through its own output.
start:
invoke Main
invoke ExitProcess, 0
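;-----------------------------------------------------------------------
; Main
; Loads the DLL named in DLL, queries the mapped image (base, size) with
; GetModuleInformation and prints one line per "FF E4" (JMP ESP) byte
; pair found in the image, as the absolute address base+offset.
;
; ABI:   stdcall, no arguments; reads/writes the DLL, HND, MODL, MINFO globals
; Out:   eax holds no meaningful value; results go to stdout via StdOut
; Regs:  ebx = image base, esi = last offset whose +1 neighbour is still
;        inside the image, edi = current offset. All three are callee-saved
;        under stdcall, so they survive the StdOut/dw2hex calls; USES
;        saves and restores them for our caller. (The original kept the
;        size limit in edx, which every call clobbers.)
;
; NOTE(review): the printed value is base+offset for THIS process. If the
; target maps the DLL elsewhere (ASLR), only the offset (RVA) carries over.
; NOTE(review): the scan covers the whole SizeOfImage, headers and
; non-executable sections included; a hit is only usable as a return
; target if it lies in a section that is executable in the target.
;-----------------------------------------------------------------------
Main PROC USES ebx esi edi
    invoke  GetCurrentProcess
    mov     HND, eax
    ; Bare module name: resolved via the standard DLL search order.
    invoke  LoadLibrary, offset DLL
    mov     MODL, eax
    test    eax, eax
    jz      Fail                        ; LoadLibrary failed: report instead of exiting silently
    invoke  GetModuleInformation, HND, MODL, OFFSET MINFO, SIZEOF MODULEINFO
    test    eax, eax
    jz      Fail                        ; GetModuleInformation failed
    mov     ebx, MINFO.lpBaseOfDll
    mov     esi, MINFO.SizeOfImage
    cmp     esi, 2                      ; an image shorter than two bytes cannot hold FF E4
    jb      Fin
    dec     esi                         ; esi = SizeOfImage-1: last offset for which [offset+1] is in bounds
    xor     edi, edi                    ; edi = current offset, starting at the first byte
Next:
    cmp     edi, esi
    jae     Fin                         ; unsigned: [ebx+edi+1] would read past the image (original read one byte too far)
    cmp     byte ptr [ebx+edi], 0FFh    ; JMP ESP = FF E4
    jne     Skip
    cmp     byte ptr [ebx+edi+1], 0E4h
    jne     Skip
    invoke  StdOut, addr EspT
    lea     eax, [ebx+edi]              ; absolute address of the hit in this process (eax is free: StdOut just returned)
    invoke  StdOut, uhex$(eax)
    invoke  StdOut, addr NL
Skip:
    inc     edi
    jmp     Next
Fail:
    invoke  StdOut, addr Err1           ; make the failure visible instead of silently printing nothing
Fin:
    ret
Main ENDP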
end start