movss Cheater Reputation: 0
Joined: 10 Feb 2018 Posts: 38
|
Posted: Tue Mar 20, 2018 2:12 am Post subject: dll loaded from memory,can hooked? |
Memory-loaded DLL, cannot see the module list; how should I hook it?
_________________
A wild programmer |
Dark Byte Site Admin Reputation: 458
Joined: 09 May 2003 Posts: 25288 Location: The netherlands
|
Posted: Tue Mar 20, 2018 2:22 am Post subject: |
Do an AOB scan for the code you're interested in
Tip: this groupscan can give a clue on where it might be located:
Code: |
BA:4096 4:0x00905a4d
|
or even faster, if it follows the windows granularity for module allocs:
Code: |
BA:65536 4:0x00905a4d
|
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping |
movss Cheater Reputation: 0
Joined: 10 Feb 2018 Posts: 38
|
Posted: Tue Mar 20, 2018 3:01 am Post subject: |
Dark Byte wrote: | Do an AOB scan for the code you're interested in
Tip: this groupscan can give a clue on where it might be located:
Code: |
BA:4096 4:0x00905a4d
|
or even faster, if it follows the windows granularity for module allocs:
Code: |
BA:65536 4:0x00905a4d
|
|
Thanks DB, you provide a good idea
_________________
A wild programmer |
atom0s Moderator Reputation: 198
Joined: 25 Jan 2006 Posts: 8517 Location: 127.0.0.1
|
Posted: Tue Mar 20, 2018 11:51 pm Post subject: |
Assuming that the headers are intact, you scan for the various regions of memory and look for typical PE headers. If a region has a PE header, check if that matches a known module loaded. If not, then it's probably a manually mapped module.
In that event, you can manually relink the module to the lists within the PEB of the process.
_________________
- Retired. |
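The check described in the posts above, as an added example that is not part of the original thread: walk memory regions at a chosen alignment, look for the `0x00905a4d` value from the groupscan, confirm a PE signature behind it, and report addresses missing from the module list. The region contents, addresses, and the function names `has_pe_header`, `find_unlisted_images` and `fake_image` are constructed for illustration; on a live system the regions and module list would come from a memory dump or the OS query APIs.

```python
import struct

MZ_MAGIC = struct.pack("<I", 0x00905A4D)  # bytes 4D 5A 90 00, the groupscan value
PE_SIG = b"PE\0\0"

def has_pe_header(data, off):
    """MZ magic at off, and e_lfanew (at +0x3C) points at a PE signature."""
    if data[off:off + 4] != MZ_MAGIC or off + 0x40 > len(data):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
    # Heuristic: the PE header normally sits after the 0x40-byte DOS header.
    return e_lfanew >= 0x40 and data[off + e_lfanew:off + e_lfanew + 4] == PE_SIG

def find_unlisted_images(regions, listed_bases, align=0x10000):
    """regions: (base_address, bytes) pairs. Returns aligned addresses that
    carry a PE header but are not in listed_bases (the loader's module list)."""
    hits = []
    for base, data in regions:
        first = (-base) % align  # first offset whose address is align-aligned
        for off in range(first, len(data), align):
            if has_pe_header(data, off) and base + off not in listed_bases:
                hits.append(base + off)
    return hits

def fake_image(size=0x2000, e_lfanew=0x80):
    """Constructed stand-in for a mapped image: headers only, no real code."""
    buf = bytearray(size)
    buf[0:4] = MZ_MAGIC
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_SIG
    return bytes(buf)

# Constructed sample data (addresses and contents are made up).
SAMPLE_REGIONS = [
    (0x00400000, fake_image()),                  # listed main module
    (0x10000000, fake_image()),                  # unlisted, 64 KiB aligned
    (0x20000000, MZ_MAGIC + bytes(0x1000 - 4)),  # stray MZ bytes, no PE header
    (0x30001000, fake_image()),                  # unlisted, only 4 KiB aligned
]
LISTED_BASES = {0x00400000}

if __name__ == "__main__":
    for align in (0x10000, 0x1000):
        found = find_unlisted_images(SAMPLE_REGIONS, LISTED_BASES, align)
        print(hex(align), [hex(a) for a in found])
```

The 65536 pass is faster but misses the image placed on a 4096-only boundary, which is the trade-off between the two groupscans; neither pass finds an image whose headers have been wiped.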