PDA

View Full Version : Get the "RtlDispatchException" address to be failed


six_L
December 18th, 2013, 20:18
Code:
GetApiAdd proc dllnameWORD,procnameWORD
Local hdll:HWND

invoke LoadLibrary,dllname
.if eax==0
ret
.else
mov hdll,eax
invoke GetProcAddress,hdll,procname
push eax
invoke FreeLibrary,hdll
pop eax
.endif
ret
GetApiAdd endp

Code:
invoke GetApiAdd,CTXT("ntdll.dll",CTXT("RtlDispatchException"
test eax, eax
jz HookKiUserExceptionDispatcher_Ret
mov cAddrRtlDispatchException, eax

Indy
December 18th, 2013, 20:22
RtlDispatchException is private api(internal), not exported. Address can be obtained from KiUserExceptionDispatcher(fixed).

But why do it. VEH enough for any purpose.

six_L
December 18th, 2013, 20:42
Quote:
Address can be obtained from KiUserExceptionDispatcher(fixed).

thanks.
i try to test.