Posted by shinigami at 06:52
Read our previous post
When learning about bypass SafeSEH protection, often meet with command POP POP RETN.whether is POP POP RETN ?
based my knowledge, this commands are the popular method to bypass safeseh. Commonly, memory is contain memory 32bit or 4byte virtual file. POP command first will remove the value of the top from virtual file into other memory register, and then the second POP command will remove the value of the second virtual file into other memory, and finally the RETN command will be the first stack. So the system will be execute command based on memory address on RETN.
May be you will more understand about POP POP RETN after see the image above
No comments:
Post a Comment