Closed

relative mov in EntryPoint not handled

description

On WinXP64 SP2, the User32.dll code for GetWindowThreadProcessId starts as:
0000000077C40900 sub rsp, 28h (4 bytes: 48 83 EC 28)
0000000077C40904 mov rax, qword ptr [77CE69D8h] (7 bytes: 48 8B 05 CD 60 0A 00)

Those 2 instructions are copied as is in the relocated EntryPoint after the trampoline code, but the 2nd instruction is a relative mov and thus is not handled well (neither detected and forbidden, nor the relative offset modified).

This causes the hooked process to crash.
Closed Feb 15 at 6:04 AM by spazzarama
Fixed in changeset 73837
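The failure described above is the general RIP-relative problem: the `mov rax, [77CE69D8h]` is encoded as `mov rax, [rip+0A60CDh]`, so once the bytes are copied to a different address the displacement points somewhere else. The following added example (written for this note, not EasyHook's code or the fix in changeset 73837) shows the check a relocator must perform: decode the ModRM byte, recognise the `mod=00, rm=101` form, and rewrite the disp32 so it still reaches the original target from the new location, refusing the relocation when the new displacement does not fit in 32 bits. The instruction bytes and addresses are the ones quoted in the report; the relocation address 0x77C30000 is a constructed value, and the decoder deliberately handles only the two opcode forms that appear above (`83 /5 ib` and `8B /r`), not general x64.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes quoted in the report: first two instructions of GetWindowThreadProcessId
   in user32.dll on WinXP64 SP2, located at 0x77C40900. */
static const uint8_t kOrigBytes[] = {
    0x48, 0x83, 0xEC, 0x28,                    /* sub rsp, 28h               */
    0x48, 0x8B, 0x05, 0xCD, 0x60, 0x0A, 0x00   /* mov rax, [rip + 0A60CDh]   */
};
#define ORIG_VA 0x77C40900ULL
#define NEW_VA  0x77C30000ULL   /* constructed: where the trampoline copy lands */

typedef struct {
    size_t length;        /* total instruction length in bytes            */
    int    rip_relative;  /* 1 if the memory operand is [rip + disp32]     */
    size_t disp_offset;   /* offset of the disp32 inside the instruction   */
} InsnInfo;

/* Minimal decoder (assumption: only the forms on the page): optional REX prefix,
   then opcode 0x83 (group-1 ALU with imm8) or 0x8B (mov r64, r/m64), then ModRM.
   Returns 0 for anything it does not understand, so the caller refuses to copy. */
static int decode_insn(const uint8_t *p, InsnInfo *out) {
    size_t i = 0;
    size_t imm_len;
    if ((p[i] & 0xF0) == 0x40) i++;            /* REX prefix (0x40..0x4F) */
    uint8_t op = p[i++];
    if (op == 0x83)      imm_len = 1;
    else if (op == 0x8B) imm_len = 0;
    else return 0;
    uint8_t modrm = p[i++];
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    memset(out, 0, sizeof *out);
    if (mod == 0 && rm == 5) {                 /* x64: mod=00 rm=101 means [rip+disp32] */
        out->rip_relative = 1;
        out->disp_offset = i;
        i += 4;
    } else if (mod != 3) {
        return 0;                              /* SIB / disp8 / disp32 forms not needed here */
    }
    i += imm_len;
    out->length = i;
    return 1;
}

/* Effective address of the RIP-relative operand of the instruction at insn,
   assuming the instruction is placed at virtual address va. 0 if not RIP-relative. */
static uint64_t rip_target(const uint8_t *insn, uint64_t va) {
    InsnInfo info;
    int32_t disp;
    if (!decode_insn(insn, &info) || !info.rip_relative) return 0;
    memcpy(&disp, insn + info.disp_offset, 4);
    return va + info.length + (int64_t)disp;   /* RIP = address of the next instruction */
}

/* Copy n bytes of instructions that lived at old_va into dst, to be placed at new_va,
   patching every RIP-relative disp32 so it still reaches the original target.
   Returns the number of bytes relocated, or 0 if an instruction cannot be decoded
   or the target is no longer within +/-2 GiB of the new location. */
static size_t relocate(const uint8_t *src, size_t n, uint64_t old_va,
                       uint8_t *dst, uint64_t new_va) {
    size_t off = 0;
    while (off < n) {
        InsnInfo info;
        if (!decode_insn(src + off, &info)) return 0;
        memcpy(dst + off, src + off, info.length);
        if (info.rip_relative) {
            int32_t disp, nd;
            memcpy(&disp, src + off + info.disp_offset, 4);
            uint64_t target   = old_va + off + info.length + (int64_t)disp;
            uint64_t next_new = new_va + off + info.length;
            int64_t  new_disp = (int64_t)(target - next_new);
            if (new_disp != (int32_t)new_disp) return 0;   /* out of disp32 reach */
            nd = (int32_t)new_disp;
            memcpy(dst + off + info.disp_offset, &nd, 4);
        }
        off += info.length;
    }
    return off;
}

int main(void) {
    uint8_t buf[sizeof kOrigBytes];
    size_t done = relocate(kOrigBytes, sizeof kOrigBytes, ORIG_VA, buf, NEW_VA);
    printf("relocated %zu bytes\n", done);
    printf("mov target at original site : %llx\n", (unsigned long long)rip_target(kOrigBytes + 4, ORIG_VA + 4));
    printf("mov target after naive copy : %llx\n", (unsigned long long)rip_target(kOrigBytes + 4, NEW_VA + 4));
    printf("mov target after fix-up     : %llx\n", (unsigned long long)rip_target(buf + 4, NEW_VA + 4));
    return 0;
}
```

The same `decode_insn`/`rip_target` pair is also what a hook scanner needs to validate a relocated prologue: if the copied `mov` no longer resolves to the address it resolved to at the original site, the trampoline is corrupt and the process will fault exactly as the report describes.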

comments

wrote Feb 15 at 5:59 AM

Fixed in changeset 73837