Page 1 of 1

HideLeak(const AStack: UnicodeString) Invalid under 64bits

Posted: Sun May 17, 2020 5:47 pm
by advwang
Hideleak doesn't work with 64 bits.

In 32 bits, you use EBP to find the address of the call to return the next instruction. That's right.
In 64 bit, you use the undocumented function RtlGetCallerAddress, but you get the wrong argument.
The first out pointer of this function is to return the address of the next instruction,
and the second argument is the address of the caller's caller.
You should use the first pointer instead of the second.

After the above modifications, hideleak works normally

Re: HideLeak(const AStack: UnicodeString) Invalid under 64bi

Posted: Tue May 19, 2020 11:32 am
by madshi
Thanks, not sure how that happened. Should be fixed in the next build.