Exetools  

Go Back   Exetools > General > General Discussion

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 04-28-2022, 01:09
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 179
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 58
Thanks Rcvd at 350 Times in 116 Posts
DavidXanatos Reputation: 46
Question about PE format (ARM64)

In various windows API files i see entries like this:

Code:
180084ee0  00 00 00 00 00 00 00 00 00 00 00 00 29 72 06 00  ............)r..

180084ef0  int64_t SetTimeZoneInformation()

180084ef0  7cabff17   b       SetTimeZoneInformation

180084ef4              00 00 00 00 00 00 00 00 19 72 06 00      .........r..

180084f00  int64_t SetUnhandledExceptionFilter()

180084f00  e5acff17   b       SetUnhandledExceptionFilter

180084f04              00 00 00 00 00 00 00 00 09 72 06 00      .........r..

180084f10  int64_t j_sub_1800b7eb0()

180084f10  e8cb0014   b       #SetVolumeMountPointW

180084f14              00 00 00 00 00 00 00 00 f9 71 06 00      .........q..

180084f20  int64_t j_sub_180079884()

180084f20  59d2ff17   b       #SetXStateFeaturesMask

180084f24              00 00 00 00 00 00 00 00 e9 71 06 00      .........q..

180084f30  int64_t SignalObjectAndWait()

180084f30  5aa8ff17   b       SignalObjectAndWait

180084f34              00 00 00 00 00 00 00 00 d9 71 06 00      .........q..

180084f40  int64_t SizeofResource()

180084f40  7caaff17   b       SizeofResource

180084f44              00 00 00 00 00 00 00 00 d1 6c 06 00      .........l..

180084f50  int64_t Sleep()
So we have here a jump table to somethign like this:

Code:
00007FFC7CCB0294 F00003F0             adrp        xip0,__imp_aux_AppContainerFreeMemory (07FFC7CD2F000h)  
00007FFC7CCB0298 F943F210             ldr         xip0,[xip0,#0x7E0]  
00007FFC7CCB029C D61F0200             br          xip0

I'm wondering of the meaning of the
last DWORD after the 0's
the thing is I need 16 bytes to install a hook, but if i only overwrite the b and the 0's I'm a DWORD short,
so I wonder is it safe to overwrite this?
what is it for anyways?
Does anyone here has an idea?
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



All times are GMT +8. The time now is 16:43.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )