All,
I'm trying to figure this out by endlessly debugging applications, but I can't seem to find my answer.
In my 32-bit PE injection I eventually change EAX to the new EntryPoint of the injected PE, then resume the thread. I've read that the kernel runs a `call EAX` at the end to get to the entry point (I did not see this when debugging applications, so I have no idea whether that is really the case).
However, I can't seem to find out whether this is possible on x64 (tried about all registers :)).
So, all in all, two questions:
1. Does the kernel actually call EAX? I can't see that call when debugging.
2. Is the same method of changing a register to get the new entry point to run usable on x64, or do I need to rely on e.g. CreateRemoteThread?
P.S.: I'm a security researcher :)
Best answer
On x64 the RCX register is used as the application-defined entry point of the thread; on x86 the EAX register is used. And it is not the kernel that calls this address, but kernel32.dll.
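The following is an added example in C, not code from the question or the answer above. It checks the answer's claim on a live process: the target is created with CREATE_SUSPENDED, the initial thread context is read back, and the value in RCX (x64 build) or EAX (x86 build) is compared with the entry point computed from the target's own PE headers (remote ImageBase + AddressOfEntryPoint, where ImageBase is read from PEB->ImageBaseAddress at offset 0x10 on x64 and 0x08 on x86, the PEB pointer being in RDX / EBX). `redirect_initial_thread` then shows the injection step itself: the same context with the register overwritten and the thread resumed, no CreateRemoteThread needed. The code assumes the host build and the target have the same bitness, and it uses `notepad.exe` only as a convenient default target; the injected image must already be mapped and executable in the target before `redirect_initial_thread` is called, which is the caller's job and is not shown here.

```c
/*
 * Added example (not from the original post): confirm that a suspended
 * process's initial thread already carries its entry point in RCX (x64) /
 * EAX (x86), then show how an injector redirects that thread by editing the
 * same register. Windows-only; the arithmetic helper compiles anywhere.
 */
#include <stdint.h>
#include <stdio.h>

/* Absolute entry point = remote image base + AddressOfEntryPoint RVA. */
uintptr_t remote_entry(uintptr_t image_base, uint32_t entry_rva)
{
    return image_base + entry_rva;
}

#ifdef _WIN32
#include <windows.h>

/* Register that the user-mode thread start routine calls through, the
 * register holding the PEB, and PEB->ImageBaseAddress's offset. */
#ifdef _WIN64
#define PEB_IMAGE_BASE_OFFSET 0x10
#define ENTRY_REG(c) ((c)->Rcx)
#define PEB_REG(c)   ((c)->Rdx)
#else
#define PEB_IMAGE_BASE_OFFSET 0x08
#define ENTRY_REG(c) ((c)->Eax)
#define PEB_REG(c)   ((c)->Ebx)
#endif

/* Compute the entry the loader will reach in the suspended target from its
 * mapped PE headers, so it can be compared with the register value. */
static int read_loader_entry(HANDLE proc, uintptr_t peb, uintptr_t *entry)
{
    uintptr_t base = 0;
    IMAGE_DOS_HEADER dos;
    IMAGE_NT_HEADERS nt;   /* 32- or 64-bit variant, matching this build */
    if (!ReadProcessMemory(proc, (LPCVOID)(peb + PEB_IMAGE_BASE_OFFSET), &base, sizeof base, NULL)) return 0;
    if (!ReadProcessMemory(proc, (LPCVOID)base, &dos, sizeof dos, NULL)) return 0;
    if (!ReadProcessMemory(proc, (LPCVOID)(base + dos.e_lfanew), &nt, sizeof nt, NULL)) return 0;
    *entry = remote_entry(base, nt.OptionalHeader.AddressOfEntryPoint);
    return 1;
}

/* Injection step: point the initial thread at new_entry and let it run.
 * new_entry must already be mapped and executable in the target. */
int redirect_initial_thread(HANDLE thread, uintptr_t new_entry)
{
    CONTEXT ctx;
    ctx.ContextFlags = CONTEXT_INTEGER;      /* general-purpose registers suffice */
    if (!GetThreadContext(thread, &ctx)) return 0;
    ENTRY_REG(&ctx) = new_entry;             /* start thunk will call this instead */
    if (!SetThreadContext(thread, &ctx)) return 0;
    return ResumeThread(thread) != (DWORD)-1;
}

int main(int argc, char **argv)
{
    STARTUPINFOA si = { sizeof si };
    PROCESS_INFORMATION pi = { 0 };
    CONTEXT ctx;
    uintptr_t entry = 0;
    /* Default target is an assumption; any same-bitness PE works. */
    const char *exe = argc > 1 ? argv[1] : "C:\\Windows\\System32\\notepad.exe";

    if (!CreateProcessA(exe, NULL, NULL, NULL, FALSE, CREATE_SUSPENDED,
                        NULL, NULL, &si, &pi)) {
        fprintf(stderr, "CreateProcess failed: %lu\n", GetLastError());
        return 1;
    }
    ctx.ContextFlags = CONTEXT_INTEGER;
    if (!GetThreadContext(pi.hThread, &ctx) ||
        !read_loader_entry(pi.hProcess, (uintptr_t)PEB_REG(&ctx), &entry)) {
        fprintf(stderr, "context/header read failed: %lu\n", GetLastError());
        TerminateProcess(pi.hProcess, 1);
        return 1;
    }
    printf("entry register = %p, PE entry point = %p -> %s\n",
           (void *)(uintptr_t)ENTRY_REG(&ctx), (void *)entry,
           (uintptr_t)ENTRY_REG(&ctx) == entry ? "match" : "mismatch");

    /* Resuming with the register untouched runs the target normally; an
     * injector would call redirect_initial_thread(pi.hThread, injected_entry)
     * here instead. */
    ResumeThread(pi.hThread);
    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    return 0;
}
#endif /* _WIN32 */
```

Build it once as x64 and once as x86 (MSVC `cl` or mingw-w64 `gcc`) and the printed register value matches the PE entry point in both cases, which is the observation the question was missing. To see the call itself rather than the kernel, set a breakpoint on `ntdll!RtlUserThreadStart` (or kernel32's thread start thunk) in the suspended target before resuming: the register is consumed there, in user mode, after the kernel has already built the initial context.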