GetLoadedDLLFromPEB [FASM]
Started by Jochen, Mar 16 2014 03:36 PM
4 replies to this topic
#2
Posted 16 March 2014 - 04:49 PM
Looks good, thanks
#4
Posted 16 March 2014 - 06:56 PM
Nice, Karcrack! As usual.
#5
Posted 16 March 2014 - 10:49 PM
"mov ebx, [ebx+LDR_MODULE.ListEntry+LIST_ENTRY.Flink]"
InLoadOrderModuleList is the first structure in LDR_MODULE and Flink is the first item of the LIST_ENTRY structure, so why not just do "mov ebx, [ebx]" every time you wish to Flink? Pretty sure "mov ebx, [ebx+LDR_MODULE.ListEntry+LIST_ENTRY.Flink]" evaluates to "mov ebx, [ebx+0+0]".
Edited by Ntoskrnl, 16 March 2014 - 10:55 PM.
https://twitter.com/MalwareTechBlog irc.malwaretech.com