
Harden against PEB stomping in UM

Open stevemk14ebr opened this issue 1 year ago • 1 comments

  • Usermode reads should use https://github.com/mandiant/STrace/blob/7e2d56c23ec89566fd82667b7f220037480a4e6b/C/STrace/DynamicTrace.cpp#L5 or at least ProbeForRead to restrict addresses we read to UM and catch with __try __except if they're invalid addresses.

  • Guard against PEB / module list stomping. Cycles can be created that do not include the list head/end, causing infinite loops in the module walks.

stevemk14ebr, Oct 29 '24 15:10
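One way to bound the module walk against the cycle described in the second bullet, as an added example that is not STrace's code. The names `list_entry`, `walk_list` and `demo` and the entry cap are hypothetical, and plain pointers stand in for guarded user-mode reads.

```c
#include <stddef.h>

/* Local stand-in for the Windows LIST_ENTRY layout, so this builds anywhere. */
typedef struct list_entry { struct list_entry *flink, *blink; } list_entry;

typedef enum { WALK_OK, WALK_CYCLE, WALK_BAD_LINK, WALK_TOO_LONG } walk_status;

/*
 * Count the entries reachable from head through flink.
 * - A Brent-style checkpoint catches a cycle that never returns to head.
 * - max_entries bounds the walk even if the list is rewritten while it is
 *   being walked, which no cycle check can rule out on its own.
 * In a driver every cur->flink read would be a guarded user-mode read;
 * plain pointers keep this example portable (assumption of the example).
 */
walk_status walk_list(const list_entry *head, size_t max_entries, size_t *count)
{
    const list_entry *cur = head->flink, *checkpoint = head;
    size_t n = 0, lam = 0, power = 1;

    *count = 0;
    while (cur != head) {
        if (cur == NULL) return WALK_BAD_LINK;
        if (++n > max_entries) return WALK_TOO_LONG;
        if (cur == checkpoint) return WALK_CYCLE;   /* revisited a saved node */
        if (++lam == power) { checkpoint = cur; power *= 2; lam = 0; }
        cur = cur->flink;
    }
    *count = n;
    return WALK_OK;
}

/*
 * Constructed sample list: head -> a -> b -> c -> head.
 * When stomped, c.flink points back at b, so the b <-> c cycle excludes head.
 * Returns the entry count on success, or the negated walk_status on failure.
 */
long demo(int stomped, size_t max_entries)
{
    list_entry head, a, b, c;
    size_t count;
    walk_status st;

    head.flink = &a; a.flink = &b; b.flink = &c;
    c.flink = stomped ? &b : &head;
    head.blink = &c; c.blink = &b; b.blink = &a; a.blink = &head;
    st = walk_list(&head, max_entries, &count);
    return st == WALK_OK ? (long)count : -(long)st;
}
```

A walk that compares only against the list head never terminates on the stomped list; here it stops after five steps with `WALK_CYCLE`.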

https://github.com/mandiant/STrace/commit/58547f054933e81e7fb9bbef0f40cd23cb110af5 fixes the first issue by using the Se API.

stevemk14ebr, Oct 29 '24 19:10