relative mov in EntryPoint not handled


On WinXP64 SP2, the User32.dll code for GetWindowThreadProcessId starts as:
0000000077C40900 sub rsp, 28h (4 bytes: 48 83 EC 28)
0000000077C40904 mov rax, qword ptr [77CE69D8h] (7 bytes: 48 8B 05 CD 60 0A 00)
Those 2 instructions are copied as-is into the relocated EntryPoint after the trampoline code, but the 2nd instruction is a relative mov and thus is not handled well (it is neither detected and forbidden, nor is its relative offset modified).
This causes the hooked process to crash.
Closed Feb 15, 2014 at 7:04 AM by spazzarama
Fixed in changeset 73837
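The displacement fix-up the report asks for, shown as an added example in C (this is not the project's own code). It decodes the 7-byte RIP-relative mov from the report, recovers its absolute target (77CE69D8h), and rewrites disp32 for a new location, refusing when the new displacement does not fit in 32 bits; the relocate function is written generally for any instruction whose disp32 offset the caller knows, and the trampoline address 0x10000000 is a constructed value, not from the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "mov rax, qword ptr [rip+disp32]": 48 8B 05 dd dd dd dd (disp32 at byte 3). */
#define MOV_RAX_RIP_LEN 7
#define MOV_RAX_RIP_DISP_OFF 3

/* REX.W (48) + opcode 8B + ModRM 05: mod=00, reg=rax, rm=101 means RIP-relative. */
bool is_mov_rax_rip_relative(const uint8_t *code)
{
    return code[0] == 0x48 && code[1] == 0x8B && code[2] == 0x05;
}

int32_t read_disp32(const uint8_t *p)
{
    int32_t d;
    memcpy(&d, p, sizeof d);   /* little-endian, as encoded by x86-64 */
    return d;
}

/* Absolute address referenced: disp32 is relative to the END of the instruction. */
uint64_t rip_relative_target(uint64_t instr_addr, size_t instr_len,
                             size_t disp_off, const uint8_t *code)
{
    return instr_addr + instr_len + (int64_t)read_disp32(code + disp_off);
}

/* Rewrite disp32 so the copy placed at dst_addr still references the original
 * target. Returns false and leaves the bytes untouched when the new displacement
 * exceeds +/-2GiB; a hook engine must detect that case instead of copying as-is. */
bool relocate_disp32(uint8_t *code, size_t instr_len, size_t disp_off,
                     uint64_t src_addr, uint64_t dst_addr)
{
    uint64_t target = rip_relative_target(src_addr, instr_len, disp_off, code);
    int64_t new_disp = (int64_t)(target - (dst_addr + instr_len));
    if (new_disp < INT32_MIN || new_disp > INT32_MAX)
        return false;
    int32_t d = (int32_t)new_disp;
    memcpy(code + disp_off, &d, sizeof d);
    return true;
}

int main(void)
{
    /* Bytes from the report: mov rax, qword ptr [77CE69D8h] at 0000000077C40904. */
    uint8_t code[MOV_RAX_RIP_LEN] = { 0x48, 0x8B, 0x05, 0xCD, 0x60, 0x0A, 0x00 };
    const uint64_t src = 0x77C40904ULL, dst = 0x10000000ULL; /* dst is constructed */
    printf("target %llx\n", (unsigned long long)rip_relative_target(src, MOV_RAX_RIP_LEN, MOV_RAX_RIP_DISP_OFF, code));
    if (is_mov_rax_rip_relative(code) && relocate_disp32(code, MOV_RAX_RIP_LEN, MOV_RAX_RIP_DISP_OFF, src, dst))
        printf("new disp32 %08x\n", (uint32_t)read_disp32(code + MOV_RAX_RIP_DISP_OFF));
    return 0;
}
```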


wrote Feb 15, 2014 at 6:59 AM

Fixed on changeset 73837

wrote Feb 15, 2014 at 7:04 AM