Exetools  
Posted 01-18-2015, 16:59 (GMT +8) by ioannis
Quote:
Originally Posted by DMichael
At entrypoint? About memory, you can just hook some kernel functions for memory allocation and follow it.
If I hook at RtlImageNtHeaderEx, I can get the EntryPoint
0x0FD91154 e9 a7 19 00 00
which is a near relative jump to _DllMainCRTStartup

If I understand correctly, I need a long jump (absolute address), which is a 2 byte op code, to enter the hook function in my module. So there is no space to add the additional op code...

__DllMainCRTStartup@12:
0x0FD91154 jmp _DllMainCRTStartup (0FD92B00h)
...
...
_CoGetMalloc@8:
0x0FD91276 jmp CoGetMalloc (0FD91518h)
0x0FD9127B int 3
0x0FD9127C int 3

Can I use the space after _CoGetMalloc@8 to make a near jump instruction there, and then a long jump to my module?

Also, is there any guarantee that there will always be space there to include an additional jump instruction?
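As an added illustration (this is not code from the post or from anyone in the thread), the following Python decodes the near relative jump quoted above, `e9 a7 19 00 00` at 0x0FD91154, and confirms it lands on 0x0FD92B00 as the listing shows. It then does what a hook scanner or a forensic triage script does with a function's first bytes: classify a leading `jmp` as staying inside its own module (a linker thunk, like the two in the listing) or leaving it (the usual signature of an inline hook), and count how many `int 3`/`nop` padding bytes actually follow, since nothing guarantees that slack exists. The module base and size, the helper names, and the byte string for `_CoGetMalloc@8` (derived from the addresses in the listing, not quoted) are assumptions.

```python
"""Decode and classify leading x86 near jumps, as a hook scanner would.

Added example; the addresses and the entry-point bytes are the ones quoted in
the post, everything else below is constructed or assumed.
"""
import struct

NEAR_JMP_REL32 = 0xE9   # jmp rel32, 5 bytes: E9 <4-byte signed displacement>
SHORT_JMP_REL8 = 0xEB   # jmp rel8,  2 bytes: EB <1-byte signed displacement>
PADDING_BYTES = {0xCC, 0x90}  # int 3 / nop bytes the linker leaves between functions

# Quoted in the post: at 0x0FD91154 the entry point begins with E9 A7 19 00 00.
ENTRY_ADDRESS = 0x0FD91154
ENTRY_BYTES = bytes.fromhex("e9a7190000")

# Constructed from the listing: _CoGetMalloc@8 at 0x0FD91276 jumps to 0x0FD91518
# and is followed by two "int 3" bytes. The rel32 bytes are derived, not quoted.
COGETMALLOC_ADDRESS = 0x0FD91276
COGETMALLOC_BYTES = bytes.fromhex("e99d020000") + b"\xcc\xcc"

# Assumed module range for the in-module check (the post does not give one).
MODULE_BASE = 0x0FD90000
MODULE_SIZE = 0x00020000


def decode_near_jmp(address, code):
    """Return (length, target) when `code` at `address` starts with a relative jmp.

    The displacement is relative to the address of the *next* instruction, and
    in a 32-bit process EIP arithmetic wraps modulo 2**32.
    """
    if code and code[0] == NEAR_JMP_REL32 and len(code) >= 5:
        rel = struct.unpack_from("<i", code, 1)[0]
        return 5, (address + 5 + rel) & 0xFFFFFFFF
    if code and code[0] == SHORT_JMP_REL8 and len(code) >= 2:
        rel = struct.unpack_from("<b", code, 1)[0]
        return 2, (address + 2 + rel) & 0xFFFFFFFF
    return None


def encode_near_jmp(source, target, bits=32):
    """Encode `jmp rel32` from `source` to `target`.

    In a 32-bit process the wrap-around makes every address reachable with the
    5-byte form; in a 64-bit process the displacement must fit a signed 32-bit
    value, so the caller is told when a near jump cannot reach the target.
    """
    rel = target - (source + 5)
    if bits == 32:
        return bytes([NEAR_JMP_REL32]) + struct.pack("<I", rel & 0xFFFFFFFF)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target is outside rel32 range of the source")
    return bytes([NEAR_JMP_REL32]) + struct.pack("<i", rel)


def count_trailing_padding(code, length):
    """Count int 3 / nop bytes that follow the `length`-byte instruction.

    There is no guarantee such slack exists after a given function; this only
    measures what is present in the bytes handed in.
    """
    n = 0
    for b in code[length:]:
        if b not in PADDING_BYTES:
            break
        n += 1
    return n


def classify_prologue(address, code, module_base=MODULE_BASE, module_size=MODULE_SIZE):
    """Label a function's first instruction for a hook scanner.

    A jmp whose target leaves the owning module is the classic inline-hook
    signature; a jmp that stays inside is usually a linker thunk.
    """
    decoded = decode_near_jmp(address, code)
    if decoded is None:
        return "no-jmp"
    _, target = decoded
    if module_base <= target < module_base + module_size:
        return "jmp-in-module"
    return "jmp-out-of-module"


if __name__ == "__main__":
    for name, addr, code in (("entry point", ENTRY_ADDRESS, ENTRY_BYTES),
                             ("_CoGetMalloc@8", COGETMALLOC_ADDRESS, COGETMALLOC_BYTES)):
        length, target = decode_near_jmp(addr, code)
        print(f"{name}: jmp to {target:#010x}, "
              f"{count_trailing_padding(code, length)} padding byte(s), "
              f"{classify_prologue(addr, code)}")
```

Two encoding facts a scanner has to account for: on 32-bit x86 an absolute indirect `jmp dword ptr [addr]` is `FF 25` plus a 4-byte pointer address (6 bytes), and a `push imm32` / `ret` pair is also 6 bytes, so a classifier that only recognises `E9` and `EB` will miss those forms; and because EIP arithmetic wraps in a 32-bit process, `decode_near_jmp` masks the result to 32 bits rather than assuming the displacement is small.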