
Comments by WOLF 2018 (Top 56 by date)

WOLF 2018 12-Aug-24 4:20am
You are correct, but I kind of planned to make two DLLs for this project.

Hook64.dll and Hook32.dll; then the main program chooses which one to load depending on the process architecture. This kind of makes things easier to maintain. But this is mostly about seeing what I can do. As I'm learning, I wanted to explore hooking, and next I will be learning about IAT hooking. So it's all part of a process to become more knowledgeable in ASM and C++ as well as understanding hooking.
WOLF 2018 9-Aug-24 13:00pm
I'm trying to do it using ASM, as it's a little low-level.
WOLF 2018 7-May-23 17:36pm
Yes, your suggestion worked perfectly, and thanks for clearing that up about the access fault. I guess I'm still learning. Though thanks for letting me know that the TEB is at 30h; I always thought from things I read that it was 60h.
WOLF 2018 7-May-23 14:09pm
Thank you for your answer. But does this not just return the TEB? Because I thought the TEB was at offset gs:[00000060h]. But the PEB is 0x60 after the TEB, hence why I did mov rax, [rax + 60h].

I'm using the Windows headers, but I don't call any functions, because if I did I would have got a linker error: I removed all libraries with /NODEFAULTLIB and removed everything from Input in my linker settings in Visual Studio.
WOLF 2018 7-May-23 4:06am
Because it does not import any libraries; as I said in the question, I want to find the functions dynamically. So I need to find the PEB without using functions that the Windows headers provide. For example, I had to make my own strcmp to compare strings, and everything leads to a binary that has no imports.

Now I have tested my code with __readgsbytes to get the PEB, and it works great. I just want to remove my dependence on that function. So I wrote the asm to try and give me another way to get access to it. But as I said in the question, mov rax, [rax + 60h] for some reason wipes the rax register to null.
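Added example for the PEB discussion in the 7-May-23 comments above (this is editor-supplied code, not the poster's project). It shows the two x64 routes to the PEB that the thread is about: `gs:[0x60]` reads the PEB pointer directly, while `gs:[0x30]` reads the TEB self-pointer and `[TEB+0x60]` then yields the PEB. It then walks `PEB->Ldr->InMemoryOrderModuleList` with hand-written string compares and resolves an export by parsing the PE export directory by raw offset, so the binary needs no imports. The structure offsets are the standard x64 layouts; the module name `kernel32.dll` and export `GetProcAddress` are just illustrative choices. The PEB walk only compiles on Windows (MSVC intrinsics or GCC/clang inline asm); the export walker and string helpers are portable and are exercised against a small PE32+ image constructed in memory for the demo.

```c
/* Added example: import-free PEB/Ldr walk and export lookup on x64 Windows.
 * Offsets are the standard x64 layouts (TEB self at gs:0x30, PEB at gs:0x60,
 * PEB.Ldr at 0x18, InMemoryOrderModuleList at Ldr+0x20). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>          /* memcpy/memset only; used for the constructed demo image */
#if defined(_WIN32) && defined(_MSC_VER)
#include <intrin.h>          /* __readgsqword */
#endif

/* Hand-rolled string helpers so nothing from the CRT is linked (/NODEFAULTLIB). */
static int my_strcmp(const char *a, const char *b) {
    while (*a && *a == *b) { a++; b++; }
    return (unsigned char)*a - (unsigned char)*b;
}
/* Case-insensitive compare of a UTF-16 UNICODE_STRING buffer (length in bytes) with ASCII. */
static int wname_ieq(const uint16_t *w, size_t wlen_bytes, const char *s) {
    size_t n = wlen_bytes / 2, i;
    for (i = 0; i < n && s[i]; i++) {
        uint16_t c = w[i]; char d = s[i];
        if (c >= 'A' && c <= 'Z') c += 32;
        if (d >= 'A' && d <= 'Z') d += 32;
        if (c != d) return 0;
    }
    return i == n && s[i] == '\0';
}

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void     wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void     wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* Resolve an export name to its RVA by walking the PE headers by offset:
 * e_lfanew at 0x3c; OptionalHeader = NT+0x18; export DataDirectory at
 * OptionalHeader+0x70 (PE32+); IMAGE_EXPORT_DIRECTORY: NumberOfNames 0x18,
 * AddressOfFunctions 0x1c, AddressOfNames 0x20, AddressOfNameOrdinals 0x24. */
static uint32_t find_export_rva(const uint8_t *base, const char *name) {
    const uint8_t *nt = base + rd32(base + 0x3c);
    uint32_t exp_rva = rd32(nt + 0x18 + 0x70);
    if (!exp_rva) return 0;
    const uint8_t *exp   = base + exp_rva;
    uint32_t       nnames = rd32(exp + 0x18);
    const uint8_t *funcs = base + rd32(exp + 0x1c);
    const uint8_t *names = base + rd32(exp + 0x20);
    const uint8_t *ords  = base + rd32(exp + 0x24);
    for (uint32_t i = 0; i < nnames; i++)
        if (my_strcmp((const char *)base + rd32(names + 4 * i), name) == 0)
            return rd32(funcs + 4 * rd16(ords + 2 * i));
    return 0;
}

#ifdef _WIN32
/* Route 1: gs:[0x60] is TEB.ProcessEnvironmentBlock, i.e. the PEB pointer itself. */
static uint8_t *peb_via_gs60(void) {
#ifdef _MSC_VER
    return (uint8_t *)__readgsqword(0x60);
#else
    uint8_t *p; __asm__ volatile("movq %%gs:0x60, %0" : "=r"(p)); return p;
#endif
}
/* Route 2: gs:[0x30] is the TEB self-pointer; the PEB pointer is at TEB+0x60. */
static uint8_t *peb_via_teb(void) {
#ifdef _MSC_VER
    uint8_t *teb = (uint8_t *)__readgsqword(0x30);
#else
    uint8_t *teb; __asm__ volatile("movq %%gs:0x30, %0" : "=r"(teb));
#endif
    return *(uint8_t **)(teb + 0x60);       /* the "mov rax, [rax+60h]" step */
}
/* Walk InMemoryOrderModuleList. Each link is LDR_DATA_TABLE_ENTRY+0x10, so
 * DllBase is at link+0x20 and BaseDllName (UNICODE_STRING) at link+0x48. */
static uint8_t *find_module(const char *name) {
    uint8_t *ldr  = *(uint8_t **)(peb_via_gs60() + 0x18);
    uint8_t *head = ldr + 0x20, *cur = *(uint8_t **)head;   /* Flink */
    for (; cur != head; cur = *(uint8_t **)cur) {
        uint16_t        len = *(uint16_t *)(cur + 0x48);
        const uint16_t *buf = *(const uint16_t **)(cur + 0x50);
        if (wname_ieq(buf, len, name)) return *(uint8_t **)(cur + 0x20);
    }
    return 0;
}
#endif

/* Constructed minimal PE32+ image (not a real DLL) so the export walker runs offline. */
static uint32_t demo_lookup(const char *name) {
    static uint8_t img[0x200];
    memset(img, 0, sizeof img);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3c, 0x40);                       /* e_lfanew */
    memcpy(img + 0x40, "PE\0\0", 4);
    wr16(img + 0x58, 0x20b);                      /* PE32+ magic */
    wr32(img + 0x58 + 0x70, 0x100);               /* export directory RVA */
    wr32(img + 0x100 + 0x18, 2);                  /* NumberOfNames */
    wr32(img + 0x100 + 0x1c, 0x140);              /* AddressOfFunctions */
    wr32(img + 0x100 + 0x20, 0x150);              /* AddressOfNames */
    wr32(img + 0x100 + 0x24, 0x160);              /* AddressOfNameOrdinals */
    wr32(img + 0x140, 0x1000); wr32(img + 0x144, 0x2000);
    wr32(img + 0x150, 0x170);  wr32(img + 0x154, 0x180);
    wr16(img + 0x160, 0);      wr16(img + 0x162, 1);
    memcpy(img + 0x170, "Alpha", 6); memcpy(img + 0x180, "Beta", 5);
    return find_export_rva(img, name);
}

int main(void) {
#ifdef _WIN32
    if (peb_via_gs60() != peb_via_teb()) return 1;   /* both routes must agree */
    uint8_t *k32 = find_module("kernel32.dll");
    if (!k32) return 1;
    uint32_t rva = find_export_rva(k32, "GetProcAddress");
    return rva ? 0 : 1;                              /* callable address is k32 + rva */
#else
    return demo_lookup("Beta") == 0x2000 ? 0 : 1;
#endif
}
```

Two caveats a practitioner would add: an export whose RVA falls inside the export directory itself is a forwarder string ("NTDLL.RtlFoo"), not code, and must be resolved in the named module; and the 32-bit counterpart for a Hook32.dll build reads the TEB self-pointer from fs:[0x18] and the PEB from fs:[0x30], with PEB.Ldr at offset 0x0c and InMemoryOrderModuleList at Ldr+0x14, so the offsets above cannot be reused unchanged.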