Quote:
Originally Posted by Carbon
I am more interested in how your plugin works. How do you resolve the functions?
GetProcAddress points to function rva FFF6 from apphelp.dll and this function address is NOT exported by apphelp.dll. This is my problem.
|
There're many way.
1.trace into the apphelp.dll function code then you'll get the correct api function by watching some special call,jmp such as call eax, call [eax+const], call [ecx+const], jmp eax.
2. Using debuging symbol of apphelp then we'll get the simillar correct name of api.
I got the same problem with aclayers.dll, but seem it's hard to make a tracer for that. Seem the best way is to hard-code the address value for these dll.