News:

Masm32 SDK description, downloads and other helpful links
Message to All Guests

Main Menu

found some DLL in process

Started by six_L, June 21, 2023, 02:26:02 AM

Previous topic - Next topic
Print
Go Down Pages 1 2
User actions

six_L

#15
June 25, 2023, 10:52:56 AM
Hi,Greenhorn
Thanks you. now i'v known the "   ULONG  Unknown[2];" -->"Unknown ULONG 2 dup (?)"

still the tested result is not right on 64bit system.
Code Select
DEBUG_BUFFER STRUCT
SectionHandle        HANDLE ?
        ViewBaseClient       PVOID ?
        ViewBaseTarget       PVOID ?
        ViewBaseDelta        ULONG_PTR ?
        EventPairClient      HANDLE ?
        EventPairTarget      HANDLE ?
        TargetProcessHandle  HANDLE ?
        TargetThreadHandle   HANDLE ?
       
Unknown              dq 14 dup(?)

        Flags      ULONG ?
        OffsetFree           SIZE_T ?
        CommitSize           SIZE_T ?
        ViewSize             SIZE_T ?
        ModuleInformation    DEBUG_MODULE_INFORMATION <>

        BackTraceInformation dq ?
        HeapInformation      dq ?
        LockInformation      dq ?
VerifierOptions      dq ?
ProcessHeap      dq ?
CriticalSectionHandle dq ?
CriticalSectionOwnerThread dq ?
        Reserved             dq ?
DEBUG_BUFFER ENDS
PDEBUG_BUFFER typedef ptr DEBUG_BUFFER

DEBUG_BUFFER_1 STRUCT
SectionHandle HANDLE  ? ;
SectionBase PVOID   ?
RemoteSectionBase PVOID   ?
SectionBaseDelta ULONG   ?
EventPairHandle HANDLE  ?
Unknown ULONG 2 dup (?)

RemoteThreadHandle HANDLE ?
InfoClassMask ULONG ?
SizeOfInfo ULONG ?
AllocatedSize ULONG ?
SectionSize ULONG ?

ModuleInformation PVOID ?   
BackTraceInformation PVOID ?   
HeapInformation PVOID ?   
LockInformation PVOID ?   
Reserved PVOID 8 dup (?)
DEBUG_BUFFER_1 ENDS
PDEBUG_BUFFER_1 typedef ptr DEBUG_BUFFER_1
...

Code Select
mov rbx,debug_buf
lea rsi,(DEBUG_BUFFER PTR [rbx]).ModuleInformation  ;right
lea rdi,(DEBUG_BUFFER_1 PTR [rbx]).ModuleInformation ;error
invoke  wsprintf,ADDR szTmp,CStr("STRUCT1= %016IXh, STRUCT2= %016IXh",13,10),rsi,rdi

QuoteSTRUCT1= 0000029A05E900D0h, STRUCT2= 0000029A05E90048h
Say you, Say me, Say the codes together for ever.

HSE

#16
June 25, 2023, 02:14:23 PM
Quote from: Greenhorn on June 23, 2023, 05:40:54 PM
Regarding _DEBUG_BUFFER structure this is maybe helpful:
https://doxygen.reactos.org/d0/ddb/struct__DEBUG__BUFFER.html

ReactOs is an Operative System unrelated to Windows!!

(perhaps some ideas  :biggrin: )
Equations in Assembly: SmplMath

jj2007

#17
June 25, 2023, 06:54:47 PM
Quote from: HSE on June 25, 2023, 02:14:23 PM
ReactOs is an Operative System unrelated to Windows!!

Yeah, it's completely unrelated :badgrin:
Print
Go Up Pages 1 2
User actions