icisc2007 ruo ando

Windows® hacking DLL injectionICISC 2007

Windows® hacking 2 Improving exception handler

ICISC 2007

Block detection exampleWindows API hook module

822822--23739772373977--0396bf20 5f 63 70 6c 75 73 70 6c 75 73 0d 0a 7d 0d 0a 23 |_cp0396bf20 5f 63 70 6c 75 73 70 6c 75 73 0d 0a 7d 0d 0a 23 |_cplusplus..}..#|lusplus..}..#|

823823--23739782373978--0396bf30 65 6e 64 69 66 0d 0a 0d 0a 0d 0a 5a 57 5f 4f 50 |end0396bf30 65 6e 64 69 66 0d 0a 0d 0a 0d 0a 5a 57 5f 4f 50 |endif......ZW_OP|if......ZW_OP|

824:2373979824:2373979--0396bf40 45 4e 5f 50 52 4f 43 45 53 53 20 4f 6c 64 5a 77 |EN_0396bf40 45 4e 5f 50 52 4f 43 45 53 53 20 4f 6c 64 5a 77 |EN_PROCESS OldZw|PROCESS OldZw|

825825--2373980:0396bf50 4f 70 65 6e 50 72 6f 63 65 73 73 20 3d 20 4e 2373980:0396bf50 4f 70 65 6e 50 72 6f 63 65 73 73 20 3d 20 4e 55 |OpenProcess = NU|55 |OpenProcess = NU|

826826--23739812373981--0396bf60 4c 4c 3b 0d 0a 0d 0a 4e 54 53 54 41 54 55 53 20 |LL;0396bf60 4c 4c 3b 0d 0a 0d 0a 4e 54 53 54 41 54 55 53 20 |LL;....NTSTATUS |....NTSTATUS |

827827--2373982:0396bf70 4e 65 77 5a 77 4f 70 65 6e 50 72 6f 63 65 73 2373982:0396bf70 4e 65 77 5a 77 4f 70 65 6e 50 72 6f 63 65 73 73 |NewZwOpenProcess|73 |NewZwOpenProcess|

828828--23739832373983--0396bf80 28 50 48 41 4e 44 4c 45 20 50 72 6f 63 65 73 73 |(PH0396bf80 28 50 48 41 4e 44 4c 45 20 50 72 6f 63 65 73 73 |(PHANDLE Process|ANDLE Process|

829829--23739842373984--0396bf90 48 61 6e 64 6c 65 2c 20 0d 0a 20 20 20 20 20 20 |Han0396bf90 48 61 6e 64 6c 65 2c 20 0d 0a 20 20 20 20 20 20 |Handle, .. |dle, .. |

830830--23739852373985--0396bfa0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 | 0396bfa0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 | ||

831831--23739862373986--0396bfb0 20 20 20 20 41 43 43 45 53 53 5f 4d 41 53 4b 20 | 0396bfb0 20 20 20 20 41 43 43 45 53 53 5f 4d 41 53 4b 20 | ACCESS_MASK |ACCESS_MASK |

832832--23739872373987--0396bfc0 44 65 73 69 72 65 64 41 63 63 65 73 73 2c 0d 0a |Des0396bfc0 44 65 73 69 72 65 64 41 63 63 65 73 73 2c 0d 0a |DesiredAccess,..|iredAccess,..|

833833--23739882373988--0396bfd0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 | 0396bfd0 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 | ||

834834--23739892373989--0396bfe0 20 20 20 20 20 20 20 20 20 20 50 4f 42 4a 45 43 | 0396bfe0 20 20 20 20 20 20 20 20 20 20 50 4f 42 4a 45 43 | POBJEC|POBJEC|

ICISC 2007

icisc2007 ruo ando

Technology

windows hacking dll

process oldzw

phandle process

exception handler