[McAfee "buffer overflow protection"]
If shellcode running on the stack calls GetProcAddress, McAfee aborts the current process and raises an alarm.
[Analysis principle]
McAfee hooks API functions such as LoadLibraryA, LoadLibraryW and GetProcAddress with a method much like ordinary API interception: the first few bytes of each function are overwritten with a CALL to DetectApiRet, a detection function in entapi.dll. DetectApiRet checks whether the caller of the hooked function (for example, whoever called GetProcAddress) lies in the heap or on the stack; if it does, it raises the alarm and terminates the current process, otherwise it returns into GetProcAddress and the call proceeds normally.
[Bypass method]
DetectApiRet simply reads the value at [ESP+0x04] (at the moment it is entered, that slot holds the return address of whoever called GetProcAddress) and checks it. So as long as that slot holds a "legal" return address, one that is not on the stack or heap, a fake calling environment can be built around the real call.
For example, when shellcode calls GetProcAddress in the ordinary way, the stack looks like this on entry to GetProcAddress (just before the patched prologue executes CALL DetectApiRet):
----------------
0x0013AAAA // return address (inside the shellcode, on the stack: this is what triggers the alarm)
Parameter 1
Parameter 2
----------------
What has to be constructed instead is this environment:
----------------
0x7c9231db // address inside ntdll.dll whose content is 0xC3 (RET); passes the check because it lies in a module
Parameter 1
Parameter 2
0x0013AAAA // real return address
----------------
Therefore, when the shellcode calls GetProcAddress, it first pushes 0x0013AAAA, then pushes the two parameters (right to left, as for a normal call), finally pushes 0x7c9231db, and then JMPs (not CALLs) to GetProcAddress. DetectApiRet sees 0x7c9231db as the caller's return address, accepts it, and lets GetProcAddress run. Because GetProcAddress is stdcall with two parameters, it returns with RET 8, which pops 0x7c9231db into EIP and discards the two parameters; the RET at 0x7c9231db then pops 0x0013AAAA, so control comes back to the shellcode with the stack balanced.
Obviously 0x0013AAAA cannot be hard-coded: the shellcode's position on the stack is not known in advance, so the real return address has to be computed as an offset relative to the current EIP (for example with the usual CALL/POP trick). Likewise, 0x7c9231db is the address of a RET byte in one specific ntdll.dll build; on another Windows version the shellcode needs the corresponding address for that build, and any RET instruction inside a loaded module serves the same purpose.
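As an added illustration (not code from the original page or from McAfee), the following C program models the two stack layouts above on a tiny 32-bit stack model, applies the same check DetectApiRet is described as making (is the caller's return address on the stack?), and then walks the return path of GetProcAddress (stdcall, two parameters, so RET 8) through the RET gadget. The stack range, the hModule and lpProcName values are constructed for the example; the two addresses 0x7c9231db and 0x0013AAAA are the ones from the page. The heap is not modelled, only the stack range. It shows why the real return address must sit below the parameters and why the stack ends up balanced.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit layout for the model (assumptions, not real values from the page):
 * the shellcode and its stack live in [STACK_LO, STACK_HI). */
#define STACK_LO    0x00130000u
#define STACK_HI    0x00140000u

#define RET_GADGET  0x7c9231dbu   /* from the page: a lone RET (0xC3) inside ntdll.dll */
#define REAL_RET    0x0013AAAAu   /* from the page: where the shellcode wants control back */
#define HMODULE_ARG 0x7c800000u   /* constructed stand-in for GetProcAddress's hModule */
#define NAME_ARG    0x0013AB00u   /* constructed stand-in for lpProcName (string in shellcode) */

/* Minimal 32-bit stack model: ESP plus a backing store for the top 256 bytes. */
typedef struct {
    uint32_t esp;
    uint32_t word[64];            /* covers [STACK_HI - 256, STACK_HI) */
} Stack;

static void stack_init(Stack *s) { memset(s, 0, sizeof *s); s->esp = STACK_HI; }
static uint32_t *slot(Stack *s, uint32_t addr) { return &s->word[(addr - (STACK_HI - 256)) / 4]; }
static void push(Stack *s, uint32_t v) { s->esp -= 4; *slot(s, s->esp) = v; }
static uint32_t pop(Stack *s) { uint32_t v = *slot(s, s->esp); s->esp += 4; return v; }

/* Region DetectApiRet treats as illegitimate code. Only the stack is modelled here. */
static int in_stack_or_heap(uint32_t addr) { return addr >= STACK_LO && addr < STACK_HI; }

/* Model of the hook. On entry to GetProcAddress the patched prologue does CALL DetectApiRet,
 * so inside DetectApiRet [ESP+4] is GetProcAddress's own return address, i.e. the word that
 * sits at [ESP] here, before the CALL. Returns 1 if the process would be killed, 0 if allowed. */
static int detect_api_ret(Stack *s) {
    uint32_t caller = *slot(s, s->esp);
    return in_stack_or_heap(caller);
}

/* Return path of GetProcAddress: stdcall with two parameters, so RET 8. If control lands on
 * the RET gadget, that single RET pops one more word into EIP. Returns the final EIP. */
static uint32_t run_getprocaddress_return(Stack *s) {
    uint32_t eip = pop(s);        /* RET pops the return address ...            */
    s->esp += 8;                  /* ... and RET 8 also discards the 8 arg bytes */
    if (eip == RET_GADGET)        /* the lone RET in ntdll: pop the next word    */
        eip = pop(s);
    return eip;
}

/* Layout 1 from the page: shellcode does a plain CALL GetProcAddress from the stack. */
int naive_call_is_killed(void) {
    Stack s; stack_init(&s);
    push(&s, NAME_ARG);           /* parameters pushed right to left  */
    push(&s, HMODULE_ARG);
    push(&s, REAL_RET);           /* what CALL pushes: a stack address */
    return detect_api_ret(&s);
}

/* Layout 2 from the page, equivalent x86 (NASM syntax), assuming eax holds the computed
 * real return address, ebx = hModule, esi = lpProcName and edi -> GetProcAddress:
 *     push eax            ; real return address
 *     push esi            ; lpProcName
 *     push ebx            ; hModule
 *     push 0x7c9231db     ; RET gadget in ntdll.dll
 *     jmp  dword [edi]    ; JMP, not CALL, so nothing else lands on top of the gadget */
static int build_bypass(Stack *s) {
    stack_init(s);
    push(s, REAL_RET);            /* 1. real return address, below the parameters */
    push(s, NAME_ARG);            /* 2. parameters, right to left                  */
    push(s, HMODULE_ARG);
    push(s, RET_GADGET);          /* 3. fake "return address" that passes the check */
    return detect_api_ret(s);     /* JMP GetProcAddress -> hook inspects this word  */
}

int bypass_is_killed(void) { Stack s; return build_bypass(&s); }

/* Where control ends up after GetProcAddress returns through the gadget (0 if killed). */
uint32_t bypass_final_eip(void) {
    Stack s;
    if (build_bypass(&s)) return 0;
    return run_getprocaddress_return(&s);
}

/* 1 if ESP is back where it started, i.e. RET 8 plus the gadget's RET consumed all four words. */
int bypass_leaves_stack_balanced(void) {
    Stack s;
    if (build_bypass(&s)) return 0;
    run_getprocaddress_return(&s);
    return s.esp == STACK_HI;
}

int main(void) {
    printf("naive call killed:     %d\n", naive_call_is_killed());
    printf("bypass killed:         %d\n", bypass_is_killed());
    printf("bypass returns to:     0x%08x\n", bypass_final_eip());
    printf("stack balanced after:  %d\n", bypass_leaves_stack_balanced());
    return 0;
}
```

The model deliberately follows only the check the page describes (caller on stack or heap); a product that also validated that the return address actually follows a CALL instruction would not be fooled by a bare RET byte, which is why the gadget's location, not just its contents, matters in practice.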