Posted: Thu Feb 02, 2023 9:37 pm Post subject: Question about Stealth Edit
I've seen Dark Byte's posts and I wanted to use them in my app.
From what I could gather stealth edit works by:
Enabling DEP on the remote process
Setting the VEH handler
Allocating memory for the copy
Copying the contents from the module's start address up to its end address
And then finally, setting the module as read and write only.
But the result I got was the app crashing. I did extra checks on the app and it turns out there were stray relative calls. So I installed capstone to disassemble and find the relative call, then fixed the copy version's call. I checked with CE and found that both the copy and the original are calling the same address. But I still got a crash.
Did you adjust the RIP-relative addresses in the copy to point to the old location?
If you're referring to the call and jump opcodes, I did, for calls that were outside the executable, which were probably a patch or a hook of some kind since they were pointing towards an unallocated space.
Was I supposed to adjust the near calls/jumps too?
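Worked example of the displacement fixup the reply above refers to (added here; it is not code from the thread or from Cheat Engine, and the base addresses and byte sample are constructed): a near call, jmp or jcc carries a rel32 measured from the end of the instruction, so once those bytes are copied to another address each displacement has to be rewritten by the distance moved or the copy lands that same distance away from the intended target.

```python
import struct

# Added example, not code from the thread. It covers the x86-64 control-flow
# forms whose operand is a signed 32-bit displacement measured from the END of
# the instruction: E8 rel32 (call), E9 rel32 (jmp) and 0F 80..8F rel32 (jcc).
# Moving such bytes changes where they land unless the displacement is redone.

def rel32_forms(code):
    """Yield (offset, length, disp) for each call/jmp/jcc rel32 in `code`.
    Only these forms are decoded; anything else raises (this is not a disassembler)."""
    i = 0
    while i < len(code):
        op = code[i]
        if op in (0xE8, 0xE9):
            hdr = 1
        elif op == 0x0F and i + 1 < len(code) and 0x80 <= code[i + 1] <= 0x8F:
            hdr = 2
        else:
            raise ValueError(f"unsupported opcode {op:#x} at offset {i}")
        disp = struct.unpack_from("<i", code, i + hdr)[0]
        yield i, hdr + 4, disp
        i += hdr + 4

def target(insn_addr, length, disp):
    """Absolute target: the displacement is relative to the next instruction."""
    return insn_addr + length + disp

def relocate(code, old_base, new_base):
    """Return a copy of `code` whose rel32 operands still reach the addresses
    they reached at old_base, even though the bytes now live at new_base."""
    out = bytearray(code)
    for off, length, disp in rel32_forms(code):
        tgt = target(old_base + off, length, disp)
        new_disp = tgt - (new_base + off + length)
        if not -2**31 <= new_disp < 2**31:
            raise OverflowError("target no longer reachable with a rel32")
        struct.pack_into("<i", out, off + length - 4, new_disp)
    return bytes(out)

# Constructed sample: call +0x10, jmp -0x20, je +0x100, at hypothetical bases.
SAMPLE = bytes.fromhex("E810000000" "E9E0FFFFFF" "0F8400010000")
OLD_BASE = 0x7FF600001000
NEW_BASE = 0x7FF600401000  # copy placed 4 MiB away from the original

if __name__ == "__main__":
    moved = relocate(SAMPLE, OLD_BASE, NEW_BASE)
    for (o, l, d), (_, _, nd) in zip(rel32_forms(SAMPLE), rel32_forms(moved)):
        print(f"+{o:#x}: wanted {target(OLD_BASE + o, l, d):#x}, unfixed copy "
              f"{target(NEW_BASE + o, l, d):#x}, fixed copy {target(NEW_BASE + o, l, nd):#x}")
```

The same arithmetic applies to RIP-relative memory operands (ModRM mod=00, rm=101), which a real relocation pass must also walk; the three forms above are just the ones that show the effect with the least decoding.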