#1
[C/C++] Memory patcher to deal with (ASLR)
Memory patcher (loader) to deal with Address Space Layout Randomization (ASLR)
PHP Code:
__________________
Computer Forensics
#2
A better way is to use the NtQueryInformationProcess - process_basic_information method to obtain the PEB address for the process; it's much more reliable than using register values, which might change with a service pack / OS update, etc.
The Following User Says Thank You to evlncrn8 For This Useful Post:
giv (10-21-2015)
#3
|
||||
|
||||
Yes, it's safer to use the Win/Native API to get the base address than to use hard-coded offsets (which can be altered or modified between OS versions), especially if you plan to use it in production tools, per MS recommendations.
__________________
Computer Forensics
#4
|
|||
|
|||
Hi Insid3Code,
IMHO, your source code is very useful to find the image base address and the image entrypoint, but I really do not understand the use of patching one byte inside NTDLL.DLL, at EntryPoint+64/7E! On my Windows7-64, for a 32bit application, EntryPoint is at the start of RtlUserThreadStart() (inside SysWOW64\ntdll.dll), and EntryPoint+0x64/0x7E are inside the exports table!
Best regards, bilbo
The Following User Says Thank You to bilbo For This Useful Post:
niculaita (10-20-2015)
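Added example (not part of the thread and not Insid3Code's snippet): a portable C reader for the PE header fields the posts above refer to, showing that the entry point is stored as an offset from the image base and that any address has to be recomputed against the base the loader actually chose. The function names, the `pe_info` struct, the constructed header bytes and the load address `0xD30000` are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DYNAMIC_BASE 0x0040u /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: image opts in to ASLR */

typedef struct { uint64_t preferred_base; uint32_t entry_rva; int pe32_plus, aslr; } pe_info;

/* Little-endian read/write of n bytes. */
static uint64_t rd(const uint8_t *p, int n) { uint64_t v = 0; while (n--) v = (v << 8) | p[n]; return v; }
static void wr(uint8_t *p, uint64_t v, int n) { for (int i = 0; i < n; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns 0 on success, -1 if buf does not hold a well-formed PE header. */
int pe_parse(const uint8_t *buf, size_t len, pe_info *out) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    size_t nt = (size_t)rd(buf + 0x3C, 4);           /* e_lfanew */
    if (nt > len || len - nt < 24 + 72) return -1;   /* signature + file header + fields read below */
    if (memcmp(buf + nt, "PE\0\0", 4) != 0) return -1;
    const uint8_t *opt = buf + nt + 24;              /* optional header */
    uint64_t magic = rd(opt, 2);
    if (magic != 0x10b && magic != 0x20b) return -1; /* PE32 / PE32+ */
    out->pe32_plus = (magic == 0x20b);
    out->entry_rva = (uint32_t)rd(opt + 16, 4);      /* AddressOfEntryPoint (an RVA) */
    out->preferred_base = out->pe32_plus ? rd(opt + 24, 8) : rd(opt + 28, 4); /* ImageBase */
    out->aslr = (rd(opt + 70, 2) & DYNAMIC_BASE) != 0;                        /* DllCharacteristics */
    return 0;
}

/* Entry point address once the image is mapped at actual_base. */
uint64_t pe_entry_va(const pe_info *pi, uint64_t actual_base) { return actual_base + pi->entry_rva; }

/* Translate an address recorded against the preferred base to the real mapping. */
uint64_t pe_rebase(const pe_info *pi, uint64_t va, uint64_t actual_base) { return actual_base + (va - pi->preferred_base); }

/* Constructed sample: minimal PE32 header, ImageBase 0x400000, entry RVA 0x1234, ASLR flag set. */
size_t make_sample(uint8_t *buf, size_t cap) {
    if (cap < 0x100) return 0;
    memset(buf, 0, 0x100);
    buf[0] = 'M'; buf[1] = 'Z'; wr(buf + 0x3C, 0x80, 4);
    memcpy(buf + 0x80, "PE\0\0", 4);
    uint8_t *opt = buf + 0x80 + 24;
    wr(opt, 0x10b, 2); wr(opt + 16, 0x1234, 4); wr(opt + 28, 0x400000, 4); wr(opt + 70, 0x8140, 2);
    return 0x100;
}

int main(void) {
    uint8_t img[0x100]; pe_info pi;
    if (pe_parse(img, make_sample(img, sizeof img), &pi) != 0) return 1;
    printf("aslr=%d preferred=0x%llx entry@0xD30000=0x%llx\n", pi.aslr,
           (unsigned long long)pi.preferred_base, (unsigned long long)pe_entry_va(&pi, 0xD30000));
    return 0;
}
```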
#5
Hi bilbo,
To add support for WOW64 (32bit application on 64bit system) you need to use (Wow64GetThreadContext and WOW64_CONTEXT structure) and some system check to retrieve running environment info (32bit or 64bit).
__________________
Computer Forensics
The Following User Says Thank You to Insid3Code For This Useful Post:
giv (10-21-2015)
#6
Thanks for your answer, Insid3Code,
Quote:
Quote:
Best regards bilbo
#7
Quote:
Quote:
__________________
Computer Forensics
#8
Code snippet updated to support Wow64 for 64bit patcher to patch 32bit target...
PHP Code:
__________________
Computer Forensics
The Following 12 Users Say Thank You to Insid3Code For This Useful Post: