View Single Post
  #4  
Old 10-19-2015, 23:55
bilbo bilbo is offline
Friend
 
Join Date: Jul 2004
Posts: 103
Rept. Given: 36
Rept. Rcvd 15 Times in 12 Posts
Thanks Given: 15
Thanks Rcvd at 17 Times in 11 Posts
bilbo Reputation: 15
Hi Insid3Code,

IMHO, your source code is very useful to find the image base address and the image entrypoint, but I really do not understand the use of patching one byte inside NTDLL.DLL, at EntryPoint+64/7E!

In my Window7-64, for a 32bit application, EntryPoint is at start of RtlUserThreadStart() (inside SysWOW64\ntdll.dll), and EntryPoint+0x64/0x7E are inside the exports table!

Best regards, bilbo
Reply With Quote
The Following User Says Thank You to bilbo For This Useful Post:
niculaita (10-20-2015)