Closed waawaa closed 2 years ago
Some functions are hooked from user-mode, but it seems the DLL is not injected in all processes. Some are hooked with a JMP instruction, for example NtAllocateVirtualMemory:
Others are hooked using a PUSH; RET approach, for example NtMapViewOfSection.
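As an added example, not code from the issue or from the project, the following C routine distinguishes the two hook styles described above by looking at the first bytes of an ntdll export: a clean x64 syscall stub (`mov r10, rcx ; mov eax, <ssn>`), a `JMP rel32` hook (opcode `E9`), or a `PUSH imm32 ; RET` hook (`68 ... C3`). It recovers the hook target so it can be checked against the owning module's address range, which is the check that separates an EDR trampoline into an injected DLL from a benign intra-module jump. Everything below is constructed for the demo: the stub bytes and syscall number are illustrative, the addresses and the module range are assumed, and the example assumes an x64 process (in a 32-bit process the `PUSH` operand is the full address and no sign extension applies). Reading the bytes out of a live process (for example with `ReadProcessMemory`) is left to the caller.

```c
/* Added example: classify the first bytes of an ntdll Nt* stub as clean,
 * JMP-hooked or PUSH;RET-hooked and recover the hook target.
 * All byte samples, addresses and the module range are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum {
    STUB_CLEAN,      /* 4C 8B D1 B8 <ssn>: unmodified x64 syscall stub */
    STUB_JMP_REL32,  /* E9 <rel32>: 5-byte relative jump into the hooking DLL */
    STUB_PUSH_RET,   /* 68 <imm32> C3: push target ; ret, absolute, 6 bytes */
    STUB_UNKNOWN     /* truncated buffer or a pattern this example does not decode */
} stub_kind;

typedef struct {
    stub_kind kind;
    uint64_t  target;  /* where control is diverted; 0 for CLEAN/UNKNOWN */
    uint32_t  ssn;     /* syscall number; only meaningful for CLEAN */
} stub_info;

static int32_t read_i32le(const uint8_t *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* stub_va is the virtual address of code[0]. Assumes x64: jmp rel32 is
 * relative to the end of the 5-byte instruction, and push imm32 sign-extends
 * its operand to 64 bits before pushing it (so it can only reach the low or
 * high 2 GiB of the address space). */
stub_info classify_stub(uint64_t stub_va, const uint8_t *code, size_t len) {
    stub_info info = { STUB_UNKNOWN, 0, 0 };
    if (len >= 8 && code[0] == 0x4C && code[1] == 0x8B &&
        code[2] == 0xD1 && code[3] == 0xB8) {
        info.kind = STUB_CLEAN;
        info.ssn  = (uint32_t)read_i32le(code + 4);
    } else if (len >= 5 && code[0] == 0xE9) {
        info.kind   = STUB_JMP_REL32;
        info.target = stub_va + 5 + (uint64_t)(int64_t)read_i32le(code + 1);
    } else if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        info.kind   = STUB_PUSH_RET;
        info.target = (uint64_t)(int64_t)read_i32le(code + 1);
    }
    return info;
}

/* A hook is worth flagging only when it leaves the module that owns the stub. */
int target_outside_module(uint64_t target, uint64_t mod_base, uint64_t mod_size) {
    return target < mod_base || target >= mod_base + mod_size;
}

static const char *kind_name(stub_kind k) {
    switch (k) {
    case STUB_CLEAN:     return "clean syscall stub";
    case STUB_JMP_REL32: return "JMP rel32 hook";
    case STUB_PUSH_RET:  return "PUSH;RET hook";
    default:             return "unknown";
    }
}

/* Constructed samples, not captured from a real process. The SSN 0x18 is
 * illustrative only. */
const uint8_t SAMPLE_CLEAN[]     = { 0x4C,0x8B,0xD1, 0xB8,0x18,0x00,0x00,0x00,
                                     0xF6,0x04,0x25,0x08,0x03,0xFE,0x7F,0x01,
                                     0x75,0x03, 0x0F,0x05, 0xC3 };
const uint8_t SAMPLE_JMP_FWD[]   = { 0xE9, 0xFB,0xFF,0x0F,0x00 };       /* rel32 = +0x000FFFFB */
const uint8_t SAMPLE_JMP_BACK[]  = { 0xE9, 0xFB,0xFF,0xEF,0xFF };       /* rel32 = -0x00100005 */
const uint8_t SAMPLE_PUSH_RET[]  = { 0x68, 0x00,0x00,0x40,0x00, 0xC3 }; /* push 0x400000 ; ret */
const uint8_t SAMPLE_PUSH_HIGH[] = { 0x68, 0x00,0x00,0x00,0x80, 0xC3 }; /* imm32 with sign bit set */
const uint8_t SAMPLE_SHORT[]     = { 0xE9, 0x00 };                      /* truncated read */

#define NTDLL_BASE 0x7FF800000000ULL   /* assumed module range for the demo */
#define NTDLL_SIZE 0x200000ULL

int main(void) {
    const uint64_t va = NTDLL_BASE + 0x10000;  /* pretend stub address inside ntdll */
    const uint8_t *samples[] = { SAMPLE_CLEAN, SAMPLE_JMP_FWD, SAMPLE_JMP_BACK,
                                 SAMPLE_PUSH_RET, SAMPLE_PUSH_HIGH, SAMPLE_SHORT };
    const size_t sizes[] = { sizeof SAMPLE_CLEAN, sizeof SAMPLE_JMP_FWD, sizeof SAMPLE_JMP_BACK,
                             sizeof SAMPLE_PUSH_RET, sizeof SAMPLE_PUSH_HIGH, sizeof SAMPLE_SHORT };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        stub_info r = classify_stub(va, samples[i], sizes[i]);
        printf("%-20s ssn=0x%x target=0x%llx outside_module=%d\n", kind_name(r.kind), r.ssn,
               (unsigned long long)r.target,
               r.target ? target_outside_module(r.target, NTDLL_BASE, NTDLL_SIZE) : 0);
    }
    return 0;
}
```

The forward jump lands inside the assumed ntdll range and is not flagged, the backward one leaves it and is; that is the distinction a real scan should make rather than flagging every `E9`. A complete detector would read the bytes of every export from the live process and compare them with the same export in the on-disk image, so that hook styles this example does not decode still show up as a mismatch.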