[DiscordArchive] now, as to why they are sending you ntdll... might be so that they are sure its not detoured in any

rektbyfaith
Administrator
0
06-30-2024, 06:57 PM
#1
Archived author: Warpten • Posted: 2024-06-30T18:57:58.346000+00:00

now, as to why they are sending you ntdll... might be so that they are sure it's not detoured in any way?

rektbyfaith
Administrator
0
06-30-2024, 06:58 PM
#2
Archived author: _mrfade_ • Posted: 2024-06-30T18:58:07.292000+00:00

Oh ye, I am well aware of that lol I meant like why the indexes are weird. They like index 1 / 2 / 3 reading here:

https://hfiref0x.github.io/NT10_w32ksyscalls.html

rektbyfaith
Administrator
0
06-30-2024, 06:58 PM
#3
Archived author: Warpten • Posted: 2024-06-30T18:58:09.945000+00:00

since warden fingerprints the system

rektbyfaith
Administrator
0
06-30-2024, 06:58 PM
#4
Archived author: Fabian • Posted: 2024-06-30T18:58:32.362000+00:00

there is just the normal mapped ntdll and a manually mapped ntdll on client start.

rektbyfaith
Administrator
0
06-30-2024, 06:58 PM
#5
Archived author: Fabian • Posted: 2024-06-30T18:58:39.554000+00:00

that is not sent at any point later

rektbyfaith
Administrator
0
06-30-2024, 06:58 PM
#6
Archived author: Warpten • Posted: 2024-06-30T18:58:57.795000+00:00

but that's the unpacker's doing then

rektbyfaith
Administrator
0
06-30-2024, 06:59 PM
#7
Archived author: Fabian • Posted: 2024-06-30T18:59:38.846000+00:00

Yes. The code that does the decrypting, init job on client launch is also mapping that yes

rektbyfaith
Administrator
0
06-30-2024, 06:59 PM
#8
Archived author: Fabian • Posted: 2024-06-30T18:59:50.257000+00:00

they use function calls to that dll instead of the windows loaded ntdll

rektbyfaith
Administrator
0
06-30-2024, 07:00 PM
#9
Archived author: _mrfade_ • Posted: 2024-06-30T19:00:10.810000+00:00

Aye, and they also hooked the windows loaded one iirc
