[Help] Trying to simulate ExitProcess

flat assembler
Message board for the users of flat assembler.

Index > Windows > [Help] Trying to simulate ExitProcess

Author

Thread

typedef

Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000

typedef 03 Oct 2011, 22:43

Solved.

Last edited by typedef on 15 May 2012, 08:04; edited 1 time in total

03 Oct 2011, 22:43

Overflowz

Joined: 03 Sep 2010
Posts: 1046

Overflowz 03 Oct 2011, 22:57

same topic that I was going to start.

03 Oct 2011, 22:57

movzx

Joined: 11 Sep 2011
Posts: 1

movzx 11 Oct 2011, 10:08

Code:

mov edi,esi
push ebp
mov ebp,esp

you can overwrite these first five bytes of the ExitProcess subroutine with;

Code:

jmp addr

maybe not the safest method but is is one way. another variation on this that i have thought but not tested is you could change the pointer value in the import table that points to ExitProcess!kernel32.dll to your new sub[/code]

11 Oct 2011, 10:08

r22

Joined: 27 Dec 2004
Posts: 805

r22 11 Oct 2011, 16:35

There's a few threads on the forum about detouring DLL functions.
This one has code...
http://board.flatassembler.net/topic.php?t=10306

I was under the impression that Windows PEs would always load Kernel32.dll

11 Oct 2011, 16:35

f0dder

Joined: 19 Feb 2004
Posts: 3175
Location: Denmark

f0dder 11 Oct 2011, 18:51

r22 wrote:

I was under the impression that Windows PEs would always load Kernel32.dll

On all Windows versions I know of, an executable can't work without kernel32 for various reasons. Some versions automatically inject kernel32, other versions require you to import from it (directly, or indirectly via other DLL's imports).

_________________

- carpe noctem

11 Oct 2011, 18:51

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum