Yes, get the current EIP with call, then pop to EAX; be sure to push eax back on the stack before return so the processor knows where to return to. Then, like I said, move eax to, say, ESI and do a search for the string that you are looking for.


GetEIP:
    pop eax                      ; return address = address of the instruction after "call GetEIP"
    push eax                     ; put it back so the ret below still works
    ret

    call GetEIP
    mov esi,eax                  ; esi = current EIP, the start of the scan
    mov ecx,(no. of bytes to scan)
scan:
    inc esi
    mov al,[esi]                 ; read the next byte
    cmp al,(first byte?)
    jnz scan                     ; back up to "inc esi" until the first byte matches

from here do the same until you verify you have found the string you are looking for.
Posted on 2003-03-05 16:05:47 by mrgone
Ok Thomas, looking forward to it anyway! Please hurry. ;)

And mrgone, you don't have to search for anything, you can access it immediately since you have the exact offsets between the code and the data readily available, they will never change.
Posted on 2003-03-05 19:07:24 by dELTA


pop eax
push eax

...why not

mov eax, [esp]

Posted on 2003-03-06 01:46:40 by f0dder
You could use the VectoredExceptionHandler API, hook an exception handler, then generate an exception (like divide by zero or something) and in the exception handler proc you'd get EIP from the PEXCEPTION_POINTERS struct passed to the proc. The EIP element will have the address of the instruction that caused the exception and then you can just calculate the offset from there.

That's all I can think of. That's overdoing it a bit though and it wouldn't work on 95/98/ME, but AV software might not catch it.
Posted on 2003-03-06 03:05:55 by iblis
if using exceptions, why not the standard SEH that will work on all win32?
Posted on 2003-03-06 03:36:27 by f0dder

    call XXXX
XXXX:
    mov eax,[esp]                ; [esp] holds the return address pushed by the call

except I would verify that no exceptions or any form of house cleaning occurred in between that time. Like this:

    mov ebx,esp
    sub ebx,04h                  ; esp as it will be once "call" has pushed its return address
    call XXXX
XXXX:
    cmp esp,ebx                  ; anything pushed or popped in between shows up here
    jz GotEIP                    ; stack untouched: safe to read the return address
    ; (otherwise the stack was changed and [esp] cannot be trusted)
GotEIP:
    mov eax,[esp]

That is probably the best way because I wasn't aware that virus protection searched for instructions like that. I thought they compared long strings of code to known viruses.
Posted on 2003-03-06 15:10:29 by mrgone
Most well-known anti-virus products have an option to perform various degrees of heuristic analysis, and that's where the problems will be if any. They perform pure signature scans too, on top of that, like you mention.
Posted on 2003-03-06 15:42:49 by dELTA
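To show the heuristic side dELTA mentions, here is an added example (not code from anyone in this thread) that scans a byte buffer for the GetEIP idioms posted above: "call $+5 ; pop r32", a call to a "pop r32 / push r32 / ret" body, and a call to a "mov r32,[esp] / ret" body. The sample byte strings are hand-assembled 32-bit x86 constructed for this example; the function and constant names are assumptions.

```python
import struct
from typing import List, Optional, Tuple

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def geteip_body(code: bytes, at: int) -> Optional[str]:
    """Label the bytes at `at` if they form a GetEIP subroutine body."""
    b = code[at:at + 4]
    # pop r32 ; push r32 ; ret  ->  58+r 50+r C3   (the pop/push version above)
    if len(b) >= 3 and 0x58 <= b[0] <= 0x5F and b[1] == b[0] - 8 and b[2] == 0xC3:
        return f"pop {REGS[b[0] - 0x58]} / push / ret"
    # mov r32,[esp] ; ret       ->  8B (04|r<<3) 24 C3   (the mov eax,[esp] version)
    if len(b) == 4 and b[0] == 0x8B and (b[1] & 0xC7) == 0x04 and b[2:] == b"\x24\xC3":
        return f"mov {REGS[(b[1] >> 3) & 7]},[esp] / ret"
    return None

def find_geteip(code: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for each E8 call that looks like a GetEIP."""
    hits = []
    for i in range(len(code) - 4):          # an E8 rel32 needs 5 bytes
        if code[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]
        nxt = i + 5                         # the return address the call pushes
        # call $+5 followed directly by pop r32: the popped value is EIP
        if rel == 0 and nxt < len(code) and 0x58 <= code[nxt] <= 0x5F:
            hits.append((i, f"call $+5 ; pop {REGS[code[nxt] - 0x58]}"))
            continue
        tgt = nxt + rel                     # call target, if it is in the buffer
        if 0 <= tgt < len(code) and (body := geteip_body(code, tgt)):
            hits.append((i, f"call GetEIP -> {body}"))
    return hits

# Constructed 32-bit x86 samples (hand-assembled for this example, not from the thread).
SAMPLE_CALL_POP = bytes.fromhex("E800000000" "58")             # call $+5 ; pop eax
SAMPLE_POP_PUSH = bytes.fromhex("E802000000" "8BF0" "5850C3")  # call GetEIP ; mov esi,eax ; GetEIP: pop eax ; push eax ; ret
SAMPLE_MOV_ESP = bytes.fromhex("8B0424C3" "8BDC" "83EB04" "E8F2FFFFFF" "3BE3")
# ^ GetEIP: mov eax,[esp] ; ret ; then mov ebx,esp ; sub ebx,4 ; call GetEIP ; cmp esp,ebx
SAMPLE_BENIGN = bytes.fromhex("E803000000" "909090" "558BECC3")  # ordinary call to push ebp ; mov ebp,esp ; ret

if __name__ == "__main__":
    for name, blob in [("call/pop", SAMPLE_CALL_POP), ("pop/push/ret", SAMPLE_POP_PUSH),
                       ("mov [esp]/ret", SAMPLE_MOV_ESP), ("benign", SAMPLE_BENIGN)]:
        print(name, find_geteip(blob))
```

Compiler-generated position-independent code uses the same idiom (GCC's __x86.get_pc_thunk.ax is exactly "mov eax,[esp] ; ret"), so a hit is one heuristic signal to weigh alongside others, not a verdict on its own.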
Don't get me involved in any analysis of viruses; I like this message board and don't want to get kicked off.
I believe it was f0dder that suggested generating an exception. I'm sure that works, but it seems rather sloppy and you're asking Windows in a roundabout way to give you the pointer. Besides, I'm sure the exception handler uses the stack.
Posted on 2003-03-06 19:46:48 by mrgone