|
How to hide debugger?
Hi my nice guys!
I'm working on a dumper and I cannot grab FS base via GetThreadSelectorEntry it returns TRUE but LDT_ENTRY is still NULL. and I tried use address of debugger becoz all PEB is in the same address this code works well mov eax, fs:[30h] inc eax inc eax call write_mem but if I code like these: mov edi, fsbase; grabbed lea eax, [edi+30h] call read_mem then ReadProcessMemory return 0, last Error is PARTIALLY_COPY I'm mad for such a strange problem regards |
well fs is not same on all platforms (especially in xp-sp2 fs segment is mapped to random addres (it used to be constant uptill w2k -sp4 i think viz 0x7fffd000 )
you need to fetch the fs via a different mechanism viz ZwQueryInformationProcess() basic info class struct and look for *ppeb in there take a look here on a sample implementation http://www.openrce.org/blog/view/44 |
Thx JuneMouse, nice stuff!
|
Nice Post JuneMouse ..very usefull
bye NeO |
| All times are GMT +8. The time now is 18:17. |
Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2026, vBulletin Solutions, Inc.
Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX