Closed riesha closed 1 year ago
Thank you for your suggestion :)
While finding offsets dynamically is better for forward compatibility, given that the offset didn't change much in the last couple of Windows versions (the last change was from version 1909 to 2004, which is more than 3 years ago) and that using hardcoded offsets is more efficient, I will probably stick with hardcoded offsets for that specific offset.
How about a PDB parser? If you don't have one you can use mine. It would go along the lines of
...
// Symbol offset: resolve the address of a symbol (e.g. the _EPROCESS type) from the loaded PDB
DWORD64 symbolOffsetPlaceholder;
LPCSTR str = "_EPROCESS";
symbolOffsetPlaceholder = GetSymbolOffset(sym_ctx, str);
printf("Symbol at: 0x%llx\n", symbolOffsetPlaceholder);
// Field offset from a symbol: offset of a member (ActiveProcessLinks) inside that type
DWORD64 fieldOffsetPlaceholder;
LPCWSTR str2 = L"ActiveProcessLinks";
fieldOffsetPlaceholder = GetFieldOffset(sym_ctx, str, str2);
printf("Field at: 0x%llx\n", fieldOffsetPlaceholder);
@Flerov A PDB parser isn't a suitable idea for this case since you would need to: A. Know the Windows version of the target machine, and in that case you wouldn't need to fetch it dynamically. B. Download the PDB to the target machine, parse it and delete it in the end, a thing that will take both space and more time than binary searching or a constant offset.
However, I appreciate your suggestion and if you have other suggestions feel free to submit a PR / create another feature request :)
More of a QoL change than anything, but instead of hardcoding offsets and choosing them from the Windows version, you can get it dynamically by getting the base addr of PsGetProcessSignatureLevel and looking at these bytes
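The two approaches discussed in this thread, a per-build table of hardcoded offsets versus reading the displacement out of a known kernel function's instruction bytes, as an added example that is not part of the issue or the project's code. It decodes the generic x64 "mov reg, [rcx+disp32]" encoding from a constructed byte buffer; the bytes, the build-number table and its offset values are all made-up placeholders, and `scan_mov_rcx_disp32`, `resolve_field_offset` and `kKnownOffsets` are hypothetical names. The point it adds to the discussion is the failure mode: a hardcoded table silently returns a stale offset on an unknown build, whereas the byte scan returns "not found" when the instruction pattern has changed, so the caller can refuse to proceed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Result of scanning a code buffer for a structure field offset. */
typedef struct {
    int found;        /* 1 if the expected instruction pattern was matched */
    uint32_t offset;  /* disp32 taken from the matched instruction */
    size_t at;        /* byte index where the matched instruction starts */
} offset_scan_t;

/*
 * Look for an x64 "mov <reg>, [rcx + disp32]" load in a function body:
 * optional REX prefix (0x40..0x4F with REX.B clear, so rm=001b still means
 * rcx), opcode 0x8B, ModRM with mod=10b and rm=001b, then a little-endian
 * 32-bit displacement. When the function reads a field of the structure
 * passed in rcx, that displacement is the field's offset. Returns found=0
 * when no such instruction exists in the first `len` bytes, so a changed
 * function in a newer build fails loudly instead of yielding a bogus offset.
 * Limitation: this is a byte scan, not a full decoder, so run it from the
 * function entry over a short window to keep false matches unlikely.
 */
offset_scan_t scan_mov_rcx_disp32(const uint8_t *code, size_t len)
{
    offset_scan_t r = {0, 0, 0};
    for (size_t i = 0; i < len; i++) {
        size_t p = i;
        if ((code[p] & 0xF0) == 0x40) {      /* REX prefix present */
            if (code[p] & 0x01) continue;    /* REX.B set: rm=001b would be r9 */
            p++;
        }
        if (p + 6 > len) break;              /* need opcode + ModRM + disp32 */
        uint8_t modrm = code[p + 1];
        if (code[p] != 0x8B || (modrm >> 6) != 2 || (modrm & 7) != 1)
            continue;
        r.offset = (uint32_t)code[p + 2] | ((uint32_t)code[p + 3] << 8)
                 | ((uint32_t)code[p + 4] << 16) | ((uint32_t)code[p + 5] << 24);
        r.found = 1;
        r.at = i;
        return r;
    }
    return r;
}

/* Hardcoded-table approach from the thread, keyed by Windows build number.
 * The offset values are constructed placeholders, not real EPROCESS offsets. */
typedef struct { uint32_t build; uint32_t offset; } build_offset_t;
static const build_offset_t kKnownOffsets[] = {
    { 18363, 0x100 },   /* placeholder for 1909 */
    { 19041, 0x200 },   /* placeholder for 2004 */
};

/* Fast path: table lookup for a known build. Fallback: scan the function
 * bytes. Returns 1 and sets *out on success, 0 if neither path resolves it. */
int resolve_field_offset(uint32_t build, const uint8_t *fn, size_t len, uint32_t *out)
{
    for (size_t i = 0; i < sizeof kKnownOffsets / sizeof kKnownOffsets[0]; i++) {
        if (kKnownOffsets[i].build == build) {
            *out = kKnownOffsets[i].offset;
            return 1;
        }
    }
    offset_scan_t r = scan_mov_rcx_disp32(fn, len);
    if (!r.found) return 0;
    *out = r.offset;
    return 1;
}

/* Constructed sample: push rbx; sub rsp,20h; mov rax,[rcx+310h]. Not real kernel bytes. */
static const uint8_t kSampleFn[] = {
    0x40, 0x53, 0x48, 0x83, 0xEC, 0x20, 0x48, 0x8B, 0x81, 0x10, 0x03, 0x00, 0x00
};
/* Constructed sample with no rcx-relative load: mov [rsp+8],rbx; xor eax,eax; add rsp,28h; ret */
static const uint8_t kNoMatchFn[] = {
    0x48, 0x89, 0x5C, 0x24, 0x08, 0x33, 0xC0, 0x48, 0x83, 0xC4, 0x28, 0xC3
};

int main(void)
{
    uint32_t off;
    if (resolve_field_offset(19041, kSampleFn, sizeof kSampleFn, &off))
        printf("known build: offset 0x%x (from table)\n", off);
    if (resolve_field_offset(99999, kSampleFn, sizeof kSampleFn, &off))
        printf("unknown build: offset 0x%x (from byte scan)\n", off);
    if (!resolve_field_offset(99999, kNoMatchFn, sizeof kNoMatchFn, &off))
        printf("unknown build, pattern not found: refusing to guess\n");
    return 0;
}
```

The scan deliberately stops at the first match and reports its index, which lets a caller sanity-check that the match sits where the function prologue is expected to end rather than deep inside unrelated code.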