Injected Function Programming


This is a good place to point out the differences between application programming and injected function programming. If you take a close look at beforeEncode, you’ll notice that there are no calls to library functions. This is because the injected function has no idea what libraries were loaded by the underlying application. Ghost gets around this problem by finding the addresses of required functions during ZwMapViewOfSection and passing these addresses to the injected function in the IN_PROCESS_DATA structure. Unfortunately, the functions pointed to by IN_PROCESS_DATA will not be able to use the local variables defined within injected functions, so pass parameters must be by value; or if by reference, the reference must also be an address passed within the IN_PROCESS_DATA structure.




Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler

Similar book on Amazon
Rootkits: Subverting the Windows Kernel
Rootkits: Subverting the Windows Kernel
A Guide to Kernel Exploitation: Attacking the Core
A Guide to Kernel Exploitation: Attacking the Core
Reversing: Secrets of Reverse Engineering
Reversing: Secrets of Reverse Engineering
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code
Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net