Arcane

Interesting Kernel32 Constant

While I was doing some research I stumbled on something which I found very interesting. I was attempting to change the location of Peb->ProcessHeap, which I did successfully, but the application still continued to use the old heap, which I didn't want, so I started digging and came across something I've never seen before.

In the API LocalAlloc I found that it keeps a constant copy of Peb->ProcessHeap inside Kernel32 itself.

7C809A63 FF35 A453887C PUSH DWORD PTR DS:[7C8853A4] -> contains copy of Peb->ProcessHeap

So modifying the PEB only had limited success, but changing this value as well fixed my problem.

I guess pretty clearly this push should have been a call to GetProcessHeap() instead, or does somebody else have a view on why Windows would do it like this?

Enjoy


Updated October 11th, 2008 at 07:39 by Arcane
