#1
How to hide debugger?
Hi my nice guys!
I'm working on a dumper and I cannot grab the FS base via GetThreadSelectorEntry: it returns TRUE but the LDT_ENTRY is still NULL. I tried to use the address of the debugger, because all PEBs are at the same address. This code works well:

    mov eax, fs:[30h]
    inc eax
    inc eax
    call write_mem

but if I code like this:

    mov edi, fsbase    ; grabbed
    lea eax, [edi+30h]
    call read_mem

then ReadProcessMemory returns 0 and the last error is PARTIALLY_COPY. I'm mad at such a strange problem.
regards
#2
Well, FS is not the same on all platforms (especially in XP SP2 the FS segment is mapped to a random address; it used to be constant up till W2K SP4 I think, viz. 0x7fffd000).
You need to fetch the FS via a different mechanism, viz. the ZwQueryInformationProcess() basic info class struct, and look for *ppeb in there. Take a look here at a sample implementation: http://www.openrce.org/blog/view/44
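The approach JuneMouse describes, as an added example that is not code from this thread or from the linked openrce.org post: ask the kernel for the target's PROCESS_BASIC_INFORMATION and take PebBaseAddress from it, instead of guessing a constant FS base or reading fs:[30h] inside the debugger's own address space. The helper names (build_sample_pbi, parse_pbi, query_peb_address, read_peb_bytes) are my own; the structure layout is the documented PROCESS_BASIC_INFORMATION. The Windows-only calls run only on Windows; elsewhere the script parses a constructed buffer so the layout logic can still be checked.

```python
"""Locate a target process's PEB via NtQueryInformationProcess(ProcessBasicInformation).

Added example (helper names are assumptions, not a library API). The sample
PBI bytes below are constructed, not captured from a real process.
"""
import ctypes
import struct
import sys

PTR_SIZE = ctypes.sizeof(ctypes.c_void_p)
ProcessBasicInformation = 0      # PROCESSINFOCLASS value for the basic-info struct
ERROR_PARTIAL_COPY = 299         # Win32 error the original poster ran into


class PROCESS_BASIC_INFORMATION(ctypes.Structure):
    # c_int (always 4 bytes) for NTSTATUS / KPRIORITY and c_size_t for ULONG_PTR
    # so the layout matches the Windows ABI even when parsed on a non-Windows host.
    _fields_ = [
        ("ExitStatus", ctypes.c_int),
        ("PebBaseAddress", ctypes.c_void_p),
        ("AffinityMask", ctypes.c_size_t),
        ("BasePriority", ctypes.c_int),
        ("UniqueProcessId", ctypes.c_size_t),
        ("InheritedFromUniqueProcessId", ctypes.c_size_t),
    ]


PBI_SIZE = ctypes.sizeof(PROCESS_BASIC_INFORMATION)   # 48 on x64, 24 on x86


def build_sample_pbi(peb=0x7FFDF000, pid=1234, parent=4):
    """Constructed raw PROCESS_BASIC_INFORMATION bytes for offline parsing.
    Explicit pad ints reproduce the natural alignment of the 64-bit struct."""
    if PTR_SIZE == 8:
        return struct.pack("<iiQQiiQQ", 0x103, 0, peb, 1, 8, 0, pid, parent)
    return struct.pack("<iIIiII", 0x103, peb, 1, 8, pid, parent)


def parse_pbi(raw):
    """Overlay the structure on raw bytes, refusing a buffer of the wrong size."""
    if len(raw) != PBI_SIZE:
        raise ValueError(f"PBI buffer is {len(raw)} bytes, expected {PBI_SIZE}")
    return PROCESS_BASIC_INFORMATION.from_buffer_copy(raw)


def query_peb_address(process_handle):
    """Windows only: NtQueryInformationProcess -> PebBaseAddress of the target."""
    fn = ctypes.WinDLL("ntdll").NtQueryInformationProcess
    fn.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_void_p,
                   ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    fn.restype = ctypes.c_long            # NTSTATUS
    pbi = PROCESS_BASIC_INFORMATION()
    ret_len = ctypes.c_ulong(0)
    status = fn(process_handle, ProcessBasicInformation, ctypes.byref(pbi),
                ctypes.sizeof(pbi), ctypes.byref(ret_len))
    if status != 0:
        raise OSError(f"NtQueryInformationProcess: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    return pbi.PebBaseAddress


def read_peb_bytes(process_handle, peb_address, size=0x40):
    """Windows only: read the PEB at the kernel-reported address and check the byte
    count, so a short read (ERROR_PARTIAL_COPY) is reported instead of ignored."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.ReadProcessMemory.restype = ctypes.c_int
    buf = ctypes.create_string_buffer(size)
    got = ctypes.c_size_t(0)
    ok = k32.ReadProcessMemory(process_handle, peb_address, buf, size, ctypes.byref(got))
    if not ok or got.value != size:
        err = ctypes.get_last_error()
        hint = " (ERROR_PARTIAL_COPY: range not fully readable in target)" if err == ERROR_PARTIAL_COPY else ""
        raise OSError(f"ReadProcessMemory read {got.value}/{size} bytes, error {err}{hint}")
    return buf.raw


if __name__ == "__main__":
    if sys.platform == "win32":
        # Query the current process: -1 is the current-process pseudo-handle.
        peb = query_peb_address(-1)
        print(f"PEB at 0x{peb:X}, first bytes: {read_peb_bytes(-1, peb, 16).hex()}")
    else:
        pbi = parse_pbi(build_sample_pbi())
        print(f"constructed sample: PEB at 0x{pbi.PebBaseAddress:X}, pid {pbi.UniqueProcessId}")
```

Two practical points: the PEB address comes straight from the kernel, so no TEB/FS lookup is needed at all (fs:[30h] is merely the TEB slot that holds this same pointer), and a 32-bit tool querying a 64-bit target through WOW64 gets the 32-bit PEB, which is why dumpers usually match the bitness of their target.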
#3
Thx JuneMouse, nice stuff!
#4
Nice post JuneMouse, very useful.
bye NeO