MalwareSourceCode/Win32/Proof of Concepts/GetKernel32Addressx64/ReadMe.txt


2022-04-12 01:00:13 +00:00
in x64
1. get the PEB from gs:[0x60] in the asm file (on x64 the TEB/PEB are reached through gs, not fs)
2. get Ldr from the PEB (PEB->Ldr is at offset 0x18 on x64)
3. kernel32 is the third module in the list: ntdll -> kernelbase -> kernel32
in x86
1. get the PEB from fs:[0x30] with inline asm
2. get Ldr from the PEB (PEB->Ldr is at offset 0x0C on x86)
3. kernel32 is the second module in the list: ntdll -> kernel32
The PEB offsets differ between x64 and x86, and so does the module order: the order shown is that of the initialization-order list (the exe is not in it), the load-order and memory-order lists start with the exe itself, and which position holds kernel32 depends on the list walked and on the Windows version.
This demo was only tested on Win7 x64.
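The PEB -> Ldr -> module-list walk above, as an added example in C that is not the PoC's own code. It declares the leading fields of PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY by hand (no windows.h) so the walk can be exercised against a constructed module list on any platform, matches kernel32 by BaseDllName instead of by position, and also shows the position-based lookup for comparison. The live PEB read (gs:[0x60] / fs:[0x30], Ldr at 0x18 / 0x0C) is compiled only on Windows; the constructed list, its fake image bases and the function names are assumptions for the demo, with the module order chosen to mimic the Win7 x64 layout the README describes.

```c
/* Added example: find kernel32 via PEB->Ldr, by name rather than by list position. */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct LIST_ENTRY_ { struct LIST_ENTRY_ *Flink, *Blink; } LIST_ENTRY_;

/* UNICODE_STRING: Length/MaximumLength are byte counts, Buffer is UTF-16. */
typedef struct { uint16_t Length, MaximumLength; const uint16_t *Buffer; } UNICODE_STRING_;

/* PEB_LDR_DATA, leading fields (natural alignment gives the real x86/x64 offsets). */
typedef struct {
    uint32_t Length; uint8_t Initialized; void *SsHandle;
    LIST_ENTRY_ InLoadOrderModuleList;
    LIST_ENTRY_ InMemoryOrderModuleList;
    LIST_ENTRY_ InInitializationOrderModuleList;
} PEB_LDR_DATA_;

/* LDR_DATA_TABLE_ENTRY, leading fields (x64: DllBase at 0x30, BaseDllName at 0x58). */
typedef struct {
    LIST_ENTRY_ InLoadOrderLinks, InMemoryOrderLinks, InInitializationOrderLinks;
    void *DllBase, *EntryPoint; uint32_t SizeOfImage;
    UNICODE_STRING_ FullDllName, BaseDllName;
} LDR_ENTRY_;

/* Each list link lives inside the entry; step back to the containing entry. */
#define CONTAINING(ptr, type, field) \
    ((const type *)((const char *)(ptr) - offsetof(type, field)))

/* Case-insensitive compare of a UTF-16 name against an ASCII name. */
static int name_eq(const UNICODE_STRING_ *u, const char *ascii) {
    size_t n = u->Length / 2, i;
    for (i = 0; i < n; i++) {
        if (!ascii[i] || u->Buffer[i] > 0x7f) return 0;
        if (tolower(u->Buffer[i]) != tolower((unsigned char)ascii[i])) return 0;
    }
    return ascii[n] == '\0';
}

/* Walk InMemoryOrderModuleList (exe first, then ntdll, ...) and return the
   image base of the module whose BaseDllName matches, or NULL if absent. */
void *find_module_base(const PEB_LDR_DATA_ *ldr, const char *name) {
    const LIST_ENTRY_ *head = &ldr->InMemoryOrderModuleList, *cur;
    for (cur = head->Flink; cur && cur != head; cur = cur->Flink) {
        const LDR_ENTRY_ *e = CONTAINING(cur, LDR_ENTRY_, InMemoryOrderLinks);
        if (e->BaseDllName.Buffer && name_eq(&e->BaseDllName, name)) return e->DllBase;
    }
    return NULL;
}

/* Position-based lookup like the README's "third module": the n-th entry (0-based)
   of the init-order or memory-order list. Which n is kernel32 varies per list/OS. */
void *module_base_at(const PEB_LDR_DATA_ *ldr, int init_order, int n) {
    const LIST_ENTRY_ *head = init_order ? &ldr->InInitializationOrderModuleList
                                         : &ldr->InMemoryOrderModuleList;
    const LIST_ENTRY_ *cur = head->Flink;
    while (n-- > 0 && cur && cur != head) cur = cur->Flink;
    if (!cur || cur == head) return NULL;
    return init_order ? CONTAINING(cur, LDR_ENTRY_, InInitializationOrderLinks)->DllBase
                      : CONTAINING(cur, LDR_ENTRY_, InMemoryOrderLinks)->DllBase;
}

#if defined(_WIN32)
#include <intrin.h>
/* Live read: PEB at gs:[0x60] (x64) or fs:[0x30] (x86); PEB->Ldr at 0x18 / 0x0C. */
void *find_kernel32_live(void) {
#if defined(_M_X64) || defined(__x86_64__)
    const char *peb = (const char *)__readgsqword(0x60);
    const PEB_LDR_DATA_ *ldr = *(const PEB_LDR_DATA_ *const *)(peb + 0x18);
#else
    const char *peb = (const char *)__readfsdword(0x30);
    const PEB_LDR_DATA_ *ldr = *(const PEB_LDR_DATA_ *const *)(peb + 0x0C);
#endif
    return find_module_base(ldr, "kernel32.dll");
}
#endif

/* Constructed list (assumption, mimicking Win7 x64): memory order exe, ntdll,
   kernel32, KernelBase; init order ntdll, KernelBase, kernel32. Bases are fake. */
static const uint16_t N_EXE[] = {'d','e','m','o','.','e','x','e'};
static const uint16_t N_NT[]  = {'n','t','d','l','l','.','d','l','l'};
static const uint16_t N_K32[] = {'K','E','R','N','E','L','3','2','.','D','L','L'};
static const uint16_t N_KB[]  = {'K','e','r','n','e','l','B','a','s','e','.','d','l','l'};
static PEB_LDR_DATA_ g_ldr;
static LDR_ENTRY_ g_mod[4];

static void link_list(LIST_ENTRY_ *head, LIST_ENTRY_ *links[], int n) {
    int i;
    head->Flink = links[0]; head->Blink = links[n - 1];
    for (i = 0; i < n; i++) {
        links[i]->Flink = (i + 1 < n) ? links[i + 1] : head;
        links[i]->Blink = (i > 0) ? links[i - 1] : head;
    }
}

const PEB_LDR_DATA_ *build_demo_ldr(void) {
    const uint16_t *names[4] = {N_EXE, N_NT, N_K32, N_KB};
    uint16_t lens[4] = {sizeof N_EXE, sizeof N_NT, sizeof N_K32, sizeof N_KB};
    LIST_ENTRY_ *mem[4], *init[3]; int i;
    for (i = 0; i < 4; i++) {
        g_mod[i].DllBase = (void *)(uintptr_t)(0x10000 * (i + 1));
        g_mod[i].BaseDllName.Buffer = names[i];
        g_mod[i].BaseDllName.Length = g_mod[i].BaseDllName.MaximumLength = lens[i];
        mem[i] = &g_mod[i].InMemoryOrderLinks;
    }
    init[0] = &g_mod[1].InInitializationOrderLinks;  /* ntdll */
    init[1] = &g_mod[3].InInitializationOrderLinks;  /* KernelBase */
    init[2] = &g_mod[2].InInitializationOrderLinks;  /* kernel32 */
    link_list(&g_ldr.InMemoryOrderModuleList, mem, 4);
    link_list(&g_ldr.InInitializationOrderModuleList, init, 3);
    return &g_ldr;
}

int main(void) {
#if defined(_WIN32)
    printf("kernel32 base: %p\n", find_kernel32_live());
#else
    printf("demo kernel32 base: %p\n", find_module_base(build_demo_ldr(), "kernel32.dll"));
#endif
    return 0;
}
```

Matching by name is what makes the walk survive the ordering differences the README notes: on the constructed list kernel32 is the third entry of both lists, but KernelBase is second in initialization order while ntdll is second in memory order, so a fixed index is only right for the layout it was tested against.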