Quote:
Originally Posted by ahmadmansoor
Hi Carbon
I have made some more checks on x64.
I keep getting ((Warning wrong struct size 504 != 396))
or the HookLibraryx64.dll is not being injected.
Did you compile it yourself? This is some alignment check; this should not be a problem in the release builds.
Quote:
// Called from the plugin's debug-event callback.
if (specialPebFix)
{
    // The fix was applied on the previous event (the ntdll load);
    // undo it on the very next debug event.
    StartFixBeingDebugged(ProcessId, false);
    specialPebFix = false;
}
if (PLUG_CB_DEBUGEVENTx->DebugEvent->u.LoadDll.lpBaseOfDll == hNtdllModule)
{
    // ntdll.dll is being loaded into the debuggee: apply the temporary
    // PEB fix now, before the heap artifacts Themida/WL looks for are created.
    StartFixBeingDebugged(ProcessId, true);
    specialPebFix = true;
}
This is from the POISON source and to be honest I don't understand it completely, but it works very well. It is something against heap flag artifacts. Themida/WL looks for special artifacts on the process heaps and this little trick prevents the creation of these artifacts. I think other hide plugins use the same trick. I don't know who invented it originally, but it is a very clever way to solve this problem, so the author is probably some genius.