Injected Function Programming

Previous page
Table of content
Next page

This is a good place to point out the differences between application programming and injected function programming. If you take a close look at beforeEncode, you’ll notice that there are no calls to library functions. This is because the injected function has no idea what libraries were loaded by the underlying application. Ghost gets around this problem by finding the addresses of required functions during ZwMapViewOfSection and passing these addresses to the injected function in the IN_PROCESS_DATA structure. Unfortunately, the functions pointed to by IN_PROCESS_DATA will not be able to use the local variables defined within injected functions, so pass parameters must be by value; or if by reference, the reference must also be an address passed within the IN_PROCESS_DATA structure.



Previous page
Table of content
Next page
Professional Rootkits
Professional Rootkits (Programmer to Programmer)
ISBN: 0470101547
EAN: 2147483647
Year: 2007
Pages: 229
Authors: Ric Vieler
BUY ON AMAZON
The CISSP and CAP Prep Guide: Platinum Edition
Web Systems Design and Online Consumer Behavior
Lean Six Sigma for Service : How to Use Lean Speed and Six Sigma Quality to Improve Services and Transactions
Visual Studio Tools for Office(c) Using C# with Excel, Word, Outlook, and InfoPath
Java Concurrency in Practice
Special Edition Using FileMaker 8
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy