A rookie guess... About memory and hook

Time: 09-27

We use OD to debug an exe. Say there is a button whose event is a messageboxA; we place a breakpoint and step into the system, and the function's address is a pointer, which is also a virtual address. If we find the physical address of messageboxA and modify the address there, wouldn't that achieve a global hook?
How to obtain the physical address? I think we could go through CR3, the register that stores the base of the page directory, to find the page directory, and then calculate the real physical address. Then modify the entry, so as to realize the hijack?

This is speculation; I don't know whether it is reasonable or not.
Is there a great god to

CodePudding user response:

Ace, this is too low-level...

CodePudding user response:

See which API file the function call is in, then look up the DLL function program (online), open the DLL file; it has the actual function addresses, which can then be replaced in the debugger. But it is not a simple change: some can be replaced directly, some cannot, because the original has already returned and there is the original stack data; generally the initial push/call setup and pos will not go wrong. It's experience, by the way.

CodePudding user response:

It is a global hook, but what works well is to rewrite the MSG global parameters and type directly, but I can't.

CodePudding user response:

First you need a certain understanding of the DLL file format, find the messageboxA code and replace it. Such an operation may affect the operation of other software, and to restore the original DLLs you would need to download them again; I suggest not doing this. A global hook does not affect the original DLLs, and after the hook procedure exits, the previous function can continue to be used.

CodePudding user response:

Just hijack the DLL directly, or analyze user32.dll and then do it in memory; why go looking for a physical address at all?

CodePudding user response:

Do you know what "carving the boat to seek the sword" means? Kernel mode is the water, user mode is the ship; marking the location of the river bottom on board is meaningless.

Digging into it is right, but your foundation is poor; find formal materials and study the university course on Computer Organization Principles.

CodePudding user response:

Since 32-bit Windows, everything runs in protected mode rather than real mode. In protected mode, whether you are a user-mode application or a kernel-mode application, the address you access is actually a virtual address: a virtual address is mapped through the segment registers and the segment descriptor table to a linear address, and the linear address is in turn mapped through the paging mechanism to a physical address. So whether you are running in kernel mode or in user mode, you cannot directly access or modify a physical address.
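The translation chain this reply describes, as an added example that is not part of the thread: a simulated walk of a 32-bit non-PAE x86 page directory and page table (CR3, page directory, page table, physical frame). The CR3 values, table entries and addresses are all constructed; the second address space is included to show that two processes reach the same physical frame only through their own page tables.

```python
# Added example, not from the thread: simulated 32-bit non-PAE x86 page walk.
# All CR3 values, table entries and addresses below are constructed.

PRESENT = 0x1   # bit 0 of a PDE/PTE: entry is present
PS_BIT = 0x80   # bit 7 of a PDE: maps a 4 MiB page, no page table

def split_linear(linear):
    """Split a 32-bit linear address into PDE index, PTE index, page offset."""
    return (linear >> 22) & 0x3FF, (linear >> 12) & 0x3FF, linear & 0xFFF

def walk(cr3, mem, linear):
    """Translate a linear address. mem maps a 4-byte-aligned physical address
    to the 32-bit entry stored there. Returns None when the mapping is absent."""
    pde_idx, pte_idx, offset = split_linear(linear)
    pde = mem.get((cr3 & ~0xFFF) + pde_idx * 4, 0)
    if not pde & PRESENT:
        return None
    if pde & PS_BIT:  # 4 MiB page: frame base in PDE bits 31..22 (PSE-36 bits ignored)
        return (pde & 0xFFC00000) | (linear & 0x3FFFFF)
    pte = mem.get((pde & 0xFFFFF000) + pte_idx * 4, 0)
    if not pte & PRESENT:
        return None
    return (pte & 0xFFFFF000) | offset

def build_tables():
    """Two constructed address spaces (CR3 = 0x39000 and 0x4B000) that map the
    same linear address 0x7E413A10 onto the same frame 0x12345000, the way a
    shared DLL code page is visible in several processes."""
    mem = {}
    mem[0x39000 + 505 * 4] = 0x3A000 | 0x7       # A: PDE 505 -> PT, present/rw/user
    mem[0x3A000 + 19 * 4] = 0x12345000 | 0x5     # A: PTE 19 -> frame, present/user/ro
    mem[0x4B000 + 505 * 4] = 0x4C000 | 0x7       # B: its own page table
    mem[0x4C000 + 19 * 4] = 0x12345000 | 0x5     # B: same physical frame
    for cr3 in (0x39000, 0x4B000):               # both: 4 MiB kernel page at 0x80000000
        mem[cr3 + 512 * 4] = 0x80000000 | 0x83   # present/rw/PS
    return mem

if __name__ == "__main__":
    mem = build_tables()
    for cr3 in (0x39000, 0x4B000):
        for la in (0x7E413A10, 0x80100234, 0x00400000):
            pa = walk(cr3, mem, la)
            print(f"CR3={cr3:#010x} linear={la:#010x} -> "
                  f"{'not present' if pa is None else f'{pa:#010x}'}")
```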

CodePudding user response:

Referring to the 7th-floor response by caozhy:
Do you know what "carving the boat to seek the sword" means? Kernel mode is the water, user mode is the ship; marking the location of the river bottom on board is meaningless.

Digging into it is right, but your foundation is poor; find formal materials and study the university course on Computer Organization Principles.


This metaphor is very fierce; seeing it suddenly, ill.