12 June 2012

Finding kernel32.dll in virtual memory

TEB -> PEB -> Ldr (PEB_LDR_DATA) -> InInitializationOrderModuleList -> kernel32.dll


xor eax, eax               ;    why zero eax first? so the next instruction can use [fs:eax+0x30], which encodes 0x30
                           ;    as a single byte; [fs:0x30] on its own encodes it as 4 bytes and puts NULs in the shellcode
mov eax, [fs:eax+0x30]     ;    TEB+0x30 = pointer to the PEB                         eax = 7ffdf000
mov eax, [eax + 0x0c]      ;    PEB+0x0c = Ldr (PEB_LDR_DATA)                          eax = 774a7880
mov esi, [eax + 0x1c]      ;    Ldr+0x1c = InInitializationOrderModuleList.Flink,
                           ;    i.e. the links of the first entry (ntdll.dll)          esi = 000b1bc0
lodsd                      ;    eax = [esi] = that entry's Flink = second entry's links  eax = 000b2000
                           ;    esi is advanced by 4 as a side effect                  esi = 000b1bc4
mov eax, [eax + 8]         ;    DllBase sits 8 bytes past the links field              eax = 75600000  << kernel32.dll base in VA



If you followed that,
1) what value is at address 0x000b1bc4?
2) what value is at address 0x000b2004?


ref : Practical Malware Analysis (p. 414)
1) 774a789c (the first entry's Blink, which points back at the list head inside PEB_LDR_DATA: 0x774a7880 + 0x1c)
2) 000b1bc0 (the second entry's Blink, which points back at the first entry's links)
