I found a way to kill import table redirection!
Breakpoint on write to code section (.text section) doesn't work in some cases.

At this point we can watch how imports are restored!

Next will check for Import Redirection magic jump: that jump should jump

The script may log more than one jump location: obviously only one location is right.

First that sheet gets the kernel32.GetModuleHandleA RVA = B741 (41B70000)

Export table address: 7C802C2C 41 B7 00 00

So set breakpoint on read to 7C802C2C, after breakpoint and continue execution (step in) you will see that will compare ndll base address with kernel32.GetModuleHandleA

The jump after should jump and imports will be no more redirected (clean import table)!
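An added example, not part of the original post: a small parser that walks a PE export directory and reports which export address table slot holds a function's RVA, which is the address an analyst would watch for reads. It assumes 7C802C2C is the GetModuleHandleA slot and that the module base is 7C800000 (neither is stated in the post); the image, `EXPORT_DIR_RVA`, the `GetLastError` entry and its RVA are constructed sample data.

```python
import struct

IMAGE_BASE = 0x7C800000  # assumption: module base implied by the post's 7C802C2C
EXPORT_DIR_RVA = 0x1000  # constructed location of the export directory

def build_sample_image():
    """Constructed flat image (file offset == RVA) containing only export data."""
    img = bytearray(0x3000)
    names = [b"GetLastError", b"GetModuleHandleA"]  # name table is sorted
    func_rvas = [0xA000, 0xB741]                    # 0xA000 is made up; B741 is from the post
    eat, npt, ordt, strs = 0x2C28, 0x1100, 0x1200, 0x1300
    # IMAGE_EXPORT_DIRECTORY: 40 bytes, the last five DWORDs are the fields used here
    struct.pack_into("<IIHHIIIIIII", img, EXPORT_DIR_RVA,
                     0, 0, 0, 0, 0, 1, len(func_rvas), len(names), eat, npt, ordt)
    for i, (name, rva) in enumerate(zip(names, func_rvas)):
        struct.pack_into("<I", img, eat + 4 * i, rva)    # export address table
        struct.pack_into("<I", img, npt + 4 * i, strs)   # name pointer table
        struct.pack_into("<H", img, ordt + 2 * i, i)     # ordinal (index) table
        img[strs:strs + len(name)] = name                # NUL comes from the zero fill
        strs += len(name) + 1
    return img

def find_eat_slot(img, export_dir_rva, image_base, wanted):
    """Return (slot VA, function RVA, raw slot bytes) for an exported name."""
    fields = struct.unpack_from("<IIHHIIIIIII", img, export_dir_rva)
    n_funcs, n_names, eat, npt, ordt = fields[6:]
    for i in range(n_names):
        (name_rva,) = struct.unpack_from("<I", img, npt + 4 * i)
        end = img.index(b"\x00", name_rva)
        if bytes(img[name_rva:end]) != wanted:
            continue
        (index,) = struct.unpack_from("<H", img, ordt + 2 * i)
        if index >= n_funcs:
            raise ValueError("ordinal index outside export address table")
        slot_rva = eat + 4 * index
        (func_rva,) = struct.unpack_from("<I", img, slot_rva)
        return image_base + slot_rva, func_rva, bytes(img[slot_rva:slot_rva + 4])
    raise KeyError(wanted)

if __name__ == "__main__":
    va, rva, raw = find_eat_slot(build_sample_image(), EXPORT_DIR_RVA,
                                 IMAGE_BASE, b"GetModuleHandleA")
    print(f"EAT slot {va:08X} holds {raw.hex(' ').upper()} -> RVA {rva:X}")
```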