A forum for reverse engineering, OS internals and malware analysis 

Search found 3 matches


I am implementing DLL hollowing code by modifying Stephen Fewer's reflective DLL injection. First, it loads a system library using LoadLibraryA. Then it sets RWX permissions and overwrites that DLL with the new DLL payload. Originally, it uses VirtualAlloc to allocate memory to write the DLL payloa...

Re: Avoid undocumented API calls (RtlImageNtHeader)?

 by j4ck ¦  Wed Dec 19, 2018 4:12 am ¦  Forum: User-Mode Development ¦  Topic: Avoid undocumented API calls (RtlImageNtHeader)? ¦  Replies: 2 ¦  Views: 1640

Ah, I see. That's a much better way. Thanks.

Avoid undocumented API calls (RtlImageNtHeader)?

 by j4ck ¦  Wed Dec 19, 2018 3:17 am ¦  Forum: User-Mode Development ¦  Topic: Avoid undocumented API calls (RtlImageNtHeader)? ¦  Replies: 2 ¦  Views: 1640

I am developing code to hook a function in a remote process and I need to search for an unexported function. To get the search space, I need to get the size of the module. The usual way I've seen people do this is by RtlImageNtHeader. But I'm thinking, why not just use the documented function GetMod...