DavidXanatos 04-28-2022 01:09

Question about PE format (ARM64)
 
In various Windows API files I see entries like this:

Code:

180084ee0  00 00 00 00 00 00 00 00 00 00 00 00 29 72 06 00  ............)r..

180084ef0  int64_t SetTimeZoneInformation()
180084ef0  7cabff17  b      SetTimeZoneInformation
180084ef4              00 00 00 00 00 00 00 00 19 72 06 00      .........r..

180084f00  int64_t SetUnhandledExceptionFilter()
180084f00  e5acff17  b      SetUnhandledExceptionFilter
180084f04              00 00 00 00 00 00 00 00 09 72 06 00      .........r..

180084f10  int64_t j_sub_1800b7eb0()
180084f10  e8cb0014  b      #SetVolumeMountPointW
180084f14              00 00 00 00 00 00 00 00 f9 71 06 00      .........q..

180084f20  int64_t j_sub_180079884()
180084f20  59d2ff17  b      #SetXStateFeaturesMask
180084f24              00 00 00 00 00 00 00 00 e9 71 06 00      .........q..

180084f30  int64_t SignalObjectAndWait()
180084f30  5aa8ff17  b      SignalObjectAndWait
180084f34              00 00 00 00 00 00 00 00 d9 71 06 00      .........q..

180084f40  int64_t SizeofResource()
180084f40  7caaff17  b      SizeofResource
180084f44              00 00 00 00 00 00 00 00 d1 6c 06 00      .........l..

180084f50  int64_t Sleep()

So we have here a jump table to something like this:

Code:

00007FFC7CCB0294 F00003F0            adrp        xip0,__imp_aux_AppContainerFreeMemory (07FFC7CD2F000h) 
00007FFC7CCB0298 F943F210            ldr        xip0,[xip0,#0x7E0] 
00007FFC7CCB029C D61F0200            br          xip0


I'm wondering about the meaning of the last DWORD after the 0's.
The thing is, I need 16 bytes to install a hook, but if I only overwrite the b and the 0's I'm a DWORD short,
so I wonder: is it safe to overwrite this?
What is it for, anyway?
Does anyone here have an idea?
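
An added example, not part of the original post: a Python sketch that splits each 16-byte entry from the listing above into its branch word, the eight zero bytes and the trailing DWORD, and decodes the A64 b target. The entry bytes are copied from the listing; the function names and the tail_plus_addr check are assumptions of this example, and it makes no claim about what the DWORD is for.

```python
import struct

# Entries copied from the listing above: (address, 16 bytes as hex).
# Each one is the branch word, eight zero bytes, then the trailing DWORD.
ENTRIES = [
    (0x180084EF0, "7cabff17" "0000000000000000" "19720600"),
    (0x180084F00, "e5acff17" "0000000000000000" "09720600"),
    (0x180084F10, "e8cb0014" "0000000000000000" "f9710600"),
    (0x180084F20, "59d2ff17" "0000000000000000" "e9710600"),
    (0x180084F30, "5aa8ff17" "0000000000000000" "d9710600"),
    (0x180084F40, "7caaff17" "0000000000000000" "d16c0600"),
]


def decode_b(addr, word):
    """Return the target of an A64 unconditional B located at addr."""
    if word >> 26 != 0b000101:          # B has opcode bits [31:26] = 000101
        raise ValueError(f"{word:#010x} is not an unconditional B")
    imm26 = word & 0x03FFFFFF
    if imm26 & 0x02000000:              # sign-extend the 26-bit immediate
        imm26 -= 0x04000000
    return addr + imm26 * 4             # the offset is counted in 4-byte words


def parse_entry(addr, hexbytes):
    raw = bytes.fromhex(hexbytes)
    if len(raw) != 16:
        raise ValueError("entry is not 16 bytes")
    word, pad, tail = struct.unpack("<IQI", raw)   # little-endian, no padding
    return {
        "addr": addr,
        "target": decode_b(addr, word),
        "pad_is_zero": pad == 0,
        "tail": tail,                              # the DWORD the post asks about
        "tail_plus_addr": addr + 12 + tail,        # DWORD value + its own address
    }


def parse_all():
    return [parse_entry(a, h) for a, h in ENTRIES]


if __name__ == "__main__":
    for e in parse_all():
        print(f"{e['addr']:#x}: b {e['target']:#x}  pad_zero={e['pad_is_zero']}"
              f"  tail={e['tail']:#010x}  tail+addr={e['tail_plus_addr']:#x}")
```

The decoded targets of the third and fourth entries match the names in the listing (j_sub_1800b7eb0 and j_sub_180079884). For the first five entries the trailing DWORD plus its own address gives the same value, while the SizeofResource entry gives a different one.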

