Search found 994 matches

by iconic
Wed Apr 07, 2021 10:36 pm
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 206

Re: using RestoreCode with NtHookEngine

Bevan, they both (x86 and x64) exceed the byte limits (10 and 14 bytes, respectively), since the original author already states this and you had mentioned this in a previous post. This means we'd have a worst case scenario of 10 bytes on x86 and of 14 bytes on x64. In this hook engine I'm using onl...
by iconic
Wed Apr 07, 2021 7:49 pm
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 206

Re: using RestoreCode with NtHookEngine

Yes, that would make complete sense. If the hook was just a relative jmp (0xE9 and 5 bytes) it would be restored along with some other 6 byte methods such as absolute jump (0x25FF) and push address ret (0x68 <address> 0xC3) but since the function prologue is modified > 6 bytes RestoreCode() just ref...
by iconic
Tue Apr 06, 2021 11:49 pm
Forum: madCodeHook
Topic: using RestoreCode with NtHookEngine
Replies: 12
Views: 206

Re: using RestoreCode with NtHookEngine

Bevan,

What does GetLastError() return for you immediately after RestoreCode() is called? Seems something is amiss. Call SetLastError(0) before the call to RestoreCode() just to be extra sure that the hook code didn't set any error internally via the OS.

--Iconic
by iconic
Thu Apr 01, 2021 1:42 am
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 399

Re: Fastest way to IPC from a DLL to an EXE

No problem, good luck :D

--Iconic
by iconic
Wed Mar 31, 2021 9:11 am
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 399

Re: inter-process callback possible?

No worries :D Only certain (very few) APIs can interrupt a thread, causing an alertable state, where pending APCs enqueued are executed.

--Iconic
by iconic
Wed Mar 31, 2021 9:03 am
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 399

Re: inter-process callback possible?

That would be a blunder on Microsoft. Every APC's dream :wink:

--Iconic
by iconic
Wed Mar 31, 2021 8:54 am
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 399

Re: inter-process callback possible?

PostMessage() doesn't touch the alertable state of any thread; the request sits in the queue of the target window that received it until it's processed asynchronously.

--Iconic
by iconic
Wed Mar 31, 2021 8:28 am
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 399

Re: inter-process callback possible?

You've reworded your initial question, so that led to confusion. My response was solely based on how to remotely "execute" code without any other library assistance. Now that we have a better context of what you mean, it seems to be you may want to simply "notify" your EXE of a f...
by iconic
Wed Mar 31, 2021 3:25 am
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 399

Re: inter-process callback possible?

the other process can only load a DLL but cannot handle pointers/addresses
If the other process can load a DLL which exports a function it needs no knowledge of what is going on, it's only loaded some .dll file that exports an API, "remotely" callable from any other process. That's why W...
by iconic
Tue Mar 30, 2021 8:34 pm
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 399

Re: inter-process callback possible?

Simple/Easiest steps:
Export your callback from your DLL
Inject your DLL into whichever processes you need to have callback execute remotely
In your process (which executes code in other processes) enumerate modules in the target process(es) and add the module base address (HMODULE), if your module ...
by iconic
Tue Mar 30, 2021 5:58 am
Forum: madCodeHook
Topic: Fastest way to IPC from a DLL to an EXE
Replies: 23
Views: 399

Re: inter-process callback possible?

Why not simply export your “callback”? That would make the most sense to be honest. You can calculate the address rather easily, relative virtual address (RVA) of exported callback + load address (HMODULE) in the other process to call it. In general though each process has a separate address space (...
by iconic
Fri Mar 19, 2021 6:57 am
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 22
Views: 1029

Re: Intel's CET Shadow Stack issue

Thanks Jakeads, and also thanks for pointing out that Windows only cares about RET with Intel's CET, it's a relief. If Windows adopted the full IBT enforcement at the hardware level both jumps and calls would also be under scrutiny. Luckily, MS likely realized that their own hotpatching/detours/DLL ...
by iconic
Wed Mar 10, 2021 8:25 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 22
Views: 1029

Re: Intel's CET Shadow Stack issue

not Indirect Branch Tracking of CET
That's good news as it was my primary worry :D
Indirect branch tracking – free branch protection to defend against Jump/Call Oriented Programming
--Iconic
by iconic
Tue Mar 09, 2021 11:10 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 22
Views: 1029

Re: Intel's CET Shadow Stack issue

Absolutely, let's wait and see what is considered a "violation" via CET terms, in the meanwhile I'll also be "cautiously" optimistic :D
it still needs carefully written assembler stubs
Yes, very.

--Iconic
by iconic
Tue Mar 09, 2021 10:27 pm
Forum: madCodeHook
Topic: Intel's CET Shadow Stack issue
Replies: 22
Views: 1029

Re: Intel's CET Shadow Stack issue

Hopefully that article mostly pertains to the context of that one API but when the real stack and shadow are compared, but a CALL instruction automatically (behind the scenes) pushes the return address onto the stack for you before jumping to the target region, so if the 2 stacks are compared fully,...