Thread: Get real address of api not nt version
View Single Post
  #3  
Old 05-22-2018, 04:40
ioannis ioannis is offline
Friend
  
Join Date: Jan 2015
Posts: 31
Rept. Given: 6
Rept. Rcvd 9 Times in 5 Posts
Thanks Given: 6
Thanks Rcvd at 19 Times in 11 Posts
ioannis Reputation: 9
win32u.dll exists in Win10 (dont know about Win 8)

Quote:
user32.dll+30B00
NtUserShowWindow:
00007FFEFF490B00 FF 25 72 46 05 00 jmp qword ptr [__imp_NtUserShowWindow (07FFEFF4E5178h)]
Address 07FFEFF4E5178h holds the address to the real function NtUserShowWindow in win32u.dll

Quote:
0x00007FFEFF4E5178 50 1b 27 fe fe 7f 00 00 P.'ώώ...
In such case it all depends at which point you expect to find a hook, here there are 3 places where a hook might be applied.
1. at address 00007FFEFF490B00 in user32.dll
2. at address 00007FFEFF4E5178 in user32.dll
3. at address 00007FFEFE271B50 in win32u.dll
Reply With Quote
The Following 2 Users Say Thank You to ioannis For This Useful Post:
Mahmoudnia (05-23-2018), niculaita (05-22-2018)