Question about PE format (ARM64)
In various Windows API files I see entries like this:
Code:
180084ee0 00 00 00 00 00 00 00 00 00 00 00 00 29 72 06 00 ............)r..
180084ef0 int64_t SetTimeZoneInformation()
180084ef0 7cabff17 b SetTimeZoneInformation
180084ef4 00 00 00 00 00 00 00 00 19 72 06 00 .........r..
180084f00 int64_t SetUnhandledExceptionFilter()
180084f00 e5acff17 b SetUnhandledExceptionFilter
180084f04 00 00 00 00 00 00 00 00 09 72 06 00 .........r..
180084f10 int64_t j_sub_1800b7eb0()
180084f10 e8cb0014 b #SetVolumeMountPointW
180084f14 00 00 00 00 00 00 00 00 f9 71 06 00 .........q..
180084f20 int64_t j_sub_180079884()
180084f20 59d2ff17 b #SetXStateFeaturesMask
180084f24 00 00 00 00 00 00 00 00 e9 71 06 00 .........q..
180084f30 int64_t SignalObjectAndWait()
180084f30 5aa8ff17 b SignalObjectAndWait
180084f34 00 00 00 00 00 00 00 00 d9 71 06 00 .........q..
180084f40 int64_t SizeofResource()
180084f40 7caaff17 b SizeofResource
180084f44 00 00 00 00 00 00 00 00 d1 6c 06 00 .........l..
180084f50 int64_t Sleep()
Code:
00007FFC7CCB0294 F00003F0 adrp xip0,__imp_aux_AppContainerFreeMemory (07FFC7CD2F000h)
00007FFC7CCB0298 F943F210 ldr xip0,[xip0,#0x7E0]
00007FFC7CCB029C D61F0200 br xip0
I'm wondering about the meaning of the last DWORD after the 0's. The thing is, I need 16 bytes to install a hook, but if I only overwrite the b and the 0's I'm a DWORD short, so I wonder: is it safe to overwrite this? What is it for anyway? Does anyone here have an idea?
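As an added example (not from the post, and not code from any disassembler shown in it), here is a small Python decoder for the instruction forms that appear in the two listings: the `b` export stubs of the first dump and the `adrp`/`ldr`/`br` import thunk of the second. It checks the listing's own annotations (for instance that the `b` at 180084f10 really lands at 1800b7eb0, and that the `adrp` page is 7FFC7CD2F000) and splits each 16-byte stub into its branch, its zero padding and the trailing DWORD the post asks about, without assigning that DWORD any meaning. Decoding the bytes yourself is the kind of check you want before comparing stub contents, e.g. when verifying that a loaded module's stubs still branch where the on-disk image says they do. Addresses and bytes are copied from the post; the function names and the stub layout assumption (4-byte branch, 8 zero bytes, 4-byte tail) are mine.

```python
# Added example (not from the original post): decode the ARM64 instructions shown
# in the two listings and check them against the disassembler's annotations.
# Addresses and bytes are copied from the post; everything else is assumed.
import struct

def sign_extend(value, bits):
    """Treat `value` as a two's-complement number `bits` wide."""
    return value - (1 << bits) if value & (1 << (bits - 1)) else value

def word_from_dump(hexbytes):
    """The first listing shows raw bytes in memory order (little-endian):
    '7cabff17' is the instruction word 0x17ffab7c."""
    return struct.unpack("<I", bytes.fromhex(hexbytes))[0]

def decode_b(pc, word):
    """B <label>: top 6 bits 000101, imm26 is a signed word offset from the B itself."""
    if word >> 26 != 0b000101:
        raise ValueError(f"{word:#010x} at {pc:#x} is not a B instruction")
    return pc + sign_extend(word & 0x3FFFFFF, 26) * 4

def decode_adrp(pc, word):
    """ADRP Xd, <label>: bit 31 = 1, bits 28:24 = 10000;
    target = page(pc) + ((immhi:immlo) << 12). Returns (Xd, target)."""
    if word >> 31 != 1 or (word >> 24) & 0x1F != 0b10000:
        raise ValueError(f"{word:#010x} at {pc:#x} is not an ADRP instruction")
    immlo = (word >> 29) & 0x3
    immhi = (word >> 5) & 0x7FFFF
    page_offset = sign_extend((immhi << 2) | immlo, 21) << 12
    return word & 0x1F, (pc & ~0xFFF) + page_offset

def decode_ldr_x_uoff(word):
    """LDR Xt, [Xn, #pimm] (64-bit, unsigned offset): top 10 bits 1111100101,
    pimm = imm12 * 8. Returns (Xt, Xn, pimm)."""
    if word >> 22 != 0b1111100101:
        raise ValueError(f"{word:#010x} is not a 64-bit LDR (unsigned offset)")
    return word & 0x1F, (word >> 5) & 0x1F, ((word >> 10) & 0xFFF) * 8

def is_br(word):
    """BR Xn: fixed bits 0xD61F0000, Rn in bits 9:5."""
    return word & 0xFFFFFC1F == 0xD61F0000

def parse_stub(addr, raw16):
    """Split one 16-byte export stub as laid out in the first listing (assumed
    layout): 4-byte B, 8 zero bytes, then the trailing DWORD the post asks about.
    Returns (branch_target, trailing_dword); it only extracts, never interprets."""
    if len(raw16) != 16:
        raise ValueError("stub must be exactly 16 bytes")
    word, zeros, tail = raw16[:4], raw16[4:12], raw16[12:]
    if zeros != bytes(8):
        raise ValueError(f"stub at {addr:#x}: padding is not all zero")
    return decode_b(addr, struct.unpack("<I", word)[0]), struct.unpack("<I", tail)[0]

# --- Sample input constructed from the post's listings ----------------------------
# First listing: bytes as dumped (little-endian), three of the 16-byte stubs.
EXPORT_STUBS = {
    0x180084EF0: bytes.fromhex("7cabff17" "0000000000000000" "19720600"),  # SetTimeZoneInformation
    0x180084F10: bytes.fromhex("e8cb0014" "0000000000000000" "f9710600"),  # j_sub_1800b7eb0
    0x180084F20: bytes.fromhex("59d2ff17" "0000000000000000" "e9710600"),  # j_sub_180079884
}

# Second listing: the debugger already prints each instruction as a 32-bit word.
IMPORT_THUNK = [
    (0x7FFC7CCB0294, 0xF00003F0),  # adrp xip0, page
    (0x7FFC7CCB0298, 0xF943F210),  # ldr  xip0, [xip0, #0x7E0]
    (0x7FFC7CCB029C, 0xD61F0200),  # br   xip0
]

def resolve_import_thunk(thunk):
    """Follow adrp -> ldr -> br and return (register, address of the IAT slot read)."""
    (pc0, w0), (_, w1), (_, w2) = thunk
    rd, page = decode_adrp(pc0, w0)
    rt, rn, off = decode_ldr_x_uoff(w1)
    if rn != rd or not is_br(w2) or (w2 >> 5) & 0x1F != rt:
        raise ValueError("registers do not chain through adrp -> ldr -> br")
    return rt, page + off

if __name__ == "__main__":
    for addr, raw in EXPORT_STUBS.items():
        target, tail = parse_stub(addr, raw)
        print(f"{addr:#x}: b {target:#x}   trailing dword {tail:#010x}")
    reg, slot = resolve_import_thunk(IMPORT_THUNK)
    print(f"thunk loads x{reg} (xip0) from IAT slot {slot:#x}")
```

Running it reproduces the listing's names: the stub at 180084f10 branches to 1800b7eb0 and the one at 180084f20 to 180079884, and the thunk resolves to x16 (xip0) loaded from 7FFC7CD2F7E0, i.e. page 7FFC7CD2F000 plus #0x7E0. Note that the trailing DWORDs of consecutive stubs in the dump (0x67229, 0x67219, 0x67209, ...) are not constant, so whatever they encode is per-stub data rather than filler.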