
I have some questions about the hook code

Open MULE2002 opened this issue 3 years ago • 2 comments

The first figure is a physical machine test: the function address pointer before the selected line of unhook is 00000, and the output statement corresponds to line 12 of the source code.

The third figure is a virtual machine: the hook is successful, and the unhook address value is normal. 0x2b3c90 is also not an offset from NtUserSetSysColors.

I was very confused by this piece of code. I wanted to know how this offset, 0x2b3c90, was found and what it is for. I tried changing its value to 0x2b3c91 and, not surprisingly, got a BSOD.

MULE2002, Oct 29 '22 12:10

I would very much like to know, which has puzzled me for three days, and I would appreciate it if you could answer it.

MULE2002, Oct 29 '22 12:10

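I would very much like to know; this question has puzzled me for three days, and I would be grateful if you could answer it.

He uses data ptr communication. This 0x2b3c90 is the hardcoded address of win32freepool in the Win11 win32kbase.sys.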

Oxygen1a1, Jul 17 '23 11:07