I have some questions about the hook code #2

Open
MULE2002 opened this issue Oct 29, 2022 · 2 comments

Comments

@MULE2002

The first figure is a physical machine test; the function address pointer before the selected line of unhook is 00000, and the output statement corresponds to line 12 of the source code.
The third figure is a virtual machine, the hook is successful, and the unhook address value is normal.
0x2b3c90 is also not an offset from NtUserSetSysColors.
I was very confused by this piece of code. I wanted to know how this offset, 0x2b3c90, was found and what it was for. I tried to change its value to 0x2b3c91, and not surprisingly, BSOD.

@MULE2002
Author

I would very much like to know; this has puzzled me for three days, and I would appreciate it if you could answer it.

@Oxygen1a1

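I would very much like to know; this problem has troubled me for three days, and I would be very grateful if you could answer it.

He communicates via a data ptr. This 0x2b3c90 is the hardcoded address of win32freepool in win11 win32kbase.sys.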
