waliedassar Posted July 28, 2012
Here you can find my two posts about implementing system call hooks from user mode in Wow64 processes and native x86 processes:
http://waleedassar.b...ls-hooking.html
http://waleedassar.b...stem-calls.html
BoB Posted July 28, 2012
Interesting method to make it compatible between SP2 and SP3, but couldn't you just use a short jump to the Mov ESP, [ESP] filler instructions following KiFastSystemCallRet and put the long jump there? Jmp+11 seems to be safe in both service packs.
waliedassar (Author) Posted July 28, 2012 (edited)
BoB, your method also works fine. I have also added it as a note to the blog post. Thanks for letting me know.
Edited July 28, 2012 by waliedassar
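As an added example, written from the defender's side and not code from either poster or the linked blog, here is a C integrity check over a copied buffer of the KiFastSystemCall stub: it flags a ret slot that no longer holds `C3`, decodes a short or near jmp placed there, and follows a short jmp into the filler after KiFastSystemCallRet to recover the rel32 of a long jmp parked there (the jmp+11 layout BoB describes). The pristine stub bytes are assumed from x86 XP-era ntdll, and the buffers in the test are constructed samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed pristine x86 (XP-era) ntdll bytes at KiFastSystemCall:
 *   8B D4   mov edx, esp
 *   0F 34   sysenter
 *   C3      ret        <- KiFastSystemCallRet, offset 4 from the stub start */
static const uint8_t kPristineStub[] = { 0x8B, 0xD4, 0x0F, 0x34, 0xC3 };
#define RET_OFFSET 4

typedef struct {
    int  patched;  /* 1 when the stub differs from the pristine bytes */
    int  is_jmp;   /* 1 when a jmp rel8/rel32 sits in the ret slot */
    long target;   /* jmp target as an offset from the stub start (valid if is_jmp) */
} stub_report_t;

/* Decode a jmp rel8 (EB) or jmp rel32 (E9) at buf[off]; returns 1 and sets *target on success. */
static int decode_jmp(const uint8_t *buf, size_t len, size_t off, long *target)
{
    if (off + 2 <= len && buf[off] == 0xEB) {
        *target = (long)off + 2 + (int8_t)buf[off + 1];
        return 1;
    }
    if (off + 5 <= len && buf[off] == 0xE9) {
        int32_t rel;
        memcpy(&rel, buf + off + 1, sizeof rel);   /* little-endian rel32 */
        *target = (long)off + 5 + rel;
        return 1;
    }
    return 0;
}

/* Compare a copy of the bytes at KiFastSystemCall against the pristine stub and describe any hook. */
stub_report_t check_fast_syscall_stub(const uint8_t *buf, size_t len)
{
    stub_report_t r = { 0, 0, -1 };
    if (len < sizeof kPristineStub || memcmp(buf, kPristineStub, sizeof kPristineStub) != 0) {
        r.patched = 1;
        if (len >= sizeof kPristineStub)
            r.is_jmp = decode_jmp(buf, len, RET_OFFSET, &r.target);
    }
    return r;
}

/* jmp+11 layout: short jmp in the ret slot lands in the filler, where a long jmp holds the hook's
 * rel32. Returns 0 and sets *hook_rel32 when that layout is present, -1 otherwise. */
int follow_trampoline(const uint8_t *buf, size_t len, int32_t *hook_rel32)
{
    stub_report_t r = check_fast_syscall_stub(buf, len);
    if (!r.is_jmp || buf[RET_OFFSET] != 0xEB || r.target < 0) return -1;
    size_t t = (size_t)r.target;
    if (t + 5 > len || buf[t] != 0xE9) return -1;
    memcpy(hook_rel32, buf + t + 1, sizeof *hook_rel32);
    return 0;
}
```

A real check would fill the buffer by reading the stub from the live process (or from SharedUserData's SystemCallStub target) and compare it with the on-disk ntdll, so the pristine bytes need not be hard-coded.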