
"The function has no looping. It also has no exception throws, aborts, or other paths that could lead to process termination. There are numerous calls, as seen above. However, they are all calls to imported functions from GDI32.dll. In case of error conditions (which are highly likely, considering how badly we're abusing the code), GDI32 functions are likely to merely return with an error code, and not cause any critical stop (though, see my note below regarding stack alignment)."
"In one respect I was incredibly lucky here. Since the initial value of eax lacked 16-byte alignment (reliably so, it turns out), when transferring this value into rsp and then making numerous GDI calls, those calls could easily have resulted in processor exceptions that would have terminated the process. It was my good fortune that, throughout all those GDI calls, no processor instructions requiring correct 16-byte stack alignment were encountered."
The function contains no loops and no exception throws, aborts, or other paths that could terminate the process. It makes numerous calls, but all of them are to imported GDI32.dll routines, which on error typically return an error code rather than terminating the process. Because the function has no stack-based buffers, the compiler emitted no stack cookie check. It also lacks an epilog that restores rsp from rbp, so any modification to rsp persists after the function returns. Transferring an unaligned initial eax value into rsp produces a risky stack pivot: any instruction that requires a 16-byte-aligned stack during the subsequent GDI calls could raise a processor exception. The loop can serve as a weird machine, but only if rbx and rdi are preserved and the modifications it makes to other registers can be tolerated.
Read at Zero Day Initiative