New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kernel32.dll vs Kernelbase.dll - reasons behind a design choice #639
Comments
/cc @zodeak |
@Necroxys77 It may be one of the problems described in #669. Most probably the DLL is not entirely mapped inside the memory (Windows is doing some kind of lazy-loading per 4 kB pages) and some essential information is not available, thus you can not properly hook this DLL. The I'm already working on these problems in #675, if you are still interested. |
Thanks for the reply @icedevml. A stranger fact is the following one: I manually put a breakpoint on |
@Necroxys77 The When you put the address "by hand" - it works, because the above problems don't apply. |
Hi,
I'm trying to create a plugin that is able to inject breakpoints not only on the entry point of some API calls - like
envom
plugin already does - but also in specific addresses inside the trapped function - i.e. onret
instructions ofSleep
.Studying the code, I noticed that
kernel32.dll
acts like a stub/trampoline for the actual implementation of its functions - that reside insidekernelbase.dll
.Is there any reason why a plugin like
envmon
is designed to trap usingkernel32.dll
instead ofkernelbase.dll
? I don't want to miss something important before proceeding with the design.Thank you.
EDIT:
Considering again
Sleep
function, I noticed that trapping it throughkernelbase.dll
doesn't work. On the other hand, trapping it throughkernel32.dll
is OK. Why?EDIT2:
To better explain the problem, see the following graph:
Basically I would like to take control in
0x0DCE1809
address, but even if DRAKVUF successfully calculates the address (kernelbase base + Sleep offset from Rekall profile) and injects the bp, this breakpoint is never hit. The only function that I was able to trap withkernelbase.dll
was GetComputerNameExW - indeed, it's already managed insideenvmon
.The text was updated successfully, but these errors were encountered: