
Want to use the earlier version without MmpTls to load DLLs on Windows 10 21H1

Open xtayaitak opened this issue 3 years ago • 5 comments

The latest version relies on many hooks to handle the TLS-related functions. I run into problems when using hooks, so I want to use the earlier version without MmpTls to load DLLs on the Win10 21H1 platform.

Is it enough for me to just add the signature pattern for LdrpHandleTlsData to get what I want? Thanks.

xtayaitak avatar Feb 21 '22 14:02 xtayaitak

Yes, you need to manually extract the signature patterns for LdrpHandleTlsData and LdrpReleaseTlsEntry.

bb107 avatar Feb 21 '22 23:02 bb107

How to extract feature code? Any guidance?

jackyuke avatar May 15 '23 06:05 jackyuke

Hi there! If you want to extract feature codes (or patterns), you'll need a PE editor or debugger like x64dbg first. Next, select some consecutive machine code within the function and calculate the distance between its start address and the first byte of your choice. It's important to choose complex instructions to ensure the patterns you pick are unique within the module's segment.

[image]

bb107 avatar May 15 '23 08:05 bb107

Trying to load more DLLs at once. If it exceeds InvertedTable->MaxCount, can we increase it?

jackyuke avatar May 24 '23 05:05 jackyuke

As far as I know, INVERTED_FUNCTION_TABLE is a fixed size struct and is not dynamically allocated, so we cannot increase its size.

bb107 avatar May 24 '23 06:05 bb107