• State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 19 subscribers
  • Views 733 views
  • Users 0 members are here
Options
Related
How was your experience today?
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

how to use AgsiRegisterExecCallBackEx in DP51.dll

fatalfeel

AgsiRegisterExecCallBackEx in DP51.dll

Agsi.RegisterExecCallBackEx    = (AgsiRegisterExecCallBackEx_t)    GetProcAddress(AgsiConfig.m_hInstance, "AgsiRegisterExecCallBackEx");

Agsi.RegisterExecCallBackEx(Execution);

How to make it work?

Parents
  • 0

    ex: ret &= Agsi.RegisterExecCallBackEx(1, 0x7a, 0x00005E5E, Execution);

    I use windows sdk 10 - windbg trace DP51.dll S8051.dll

    when caller id = 1

    DP51.dll
    .text:08E129F1 010                 jz      short loc_8E12A0E
    .text:08E129F3 010                 push    esi
    .text:08E129F4 014                 push    [ebp+arg_8]
    .text:08E129F7 018                 push    ebx
    .text:08E129F8 01C                 call    ecx //goto S8051.dll

    S8051.dll
    ...
    .text:1000C5CA 018                 call    dword_1048BEB0 //result in eax
    ...
    .text:1000C609 010                 mov     [eax+8], edi       //put 0x00005E5E in [eax+8]
    .text:1000C60C 010                 mov     [eax+0Ch], ecx //put Execution address in [eax+0Ch]


    then I set hardware r/w breakpoint at eax+8 and eax+0Ch
    there is no one read write at [eax+8] and [eax+0Ch]
    its mean no useful for callerid = 1

Reply
  • 0

    ex: ret &= Agsi.RegisterExecCallBackEx(1, 0x7a, 0x00005E5E, Execution);

    I use windows sdk 10 - windbg trace DP51.dll S8051.dll

    when caller id = 1

    DP51.dll
    .text:08E129F1 010                 jz      short loc_8E12A0E
    .text:08E129F3 010                 push    esi
    .text:08E129F4 014                 push    [ebp+arg_8]
    .text:08E129F7 018                 push    ebx
    .text:08E129F8 01C                 call    ecx //goto S8051.dll

    S8051.dll
    ...
    .text:1000C5CA 018                 call    dword_1048BEB0 //result in eax
    ...
    .text:1000C609 010                 mov     [eax+8], edi       //put 0x00005E5E in [eax+8]
    .text:1000C60C 010                 mov     [eax+0Ch], ecx //put Execution address in [eax+0Ch]


    then I set hardware r/w breakpoint at eax+8 and eax+0Ch
    there is no one read write at [eax+8] and [eax+0Ch]
    its mean no useful for callerid = 1

Children
No data