waliedassar Posted July 28, 2012

Here you can find my two posts about implementing system call hooks from user mode in Wow64 processes and native x86 processes:
http://waleedassar.b...ls-hooking.html
http://waleedassar.b...stem-calls.html
BoB Posted July 28, 2012

Interesting method to make it compatible between SP2 and SP3, but couldn't you just use a short jump to the Mov ESP, [ESP] filler instructions following KiFastSystemCallRet and put a long jump there? Jmp+11 seems to be safe in both service packs.
waliedassar (Author) Posted July 28, 2012 (edited)

BoB, your method also works fine. I have also added it as a note to the blog post. Thanks for letting me know.

Edited July 28, 2012 by waliedassar