Reversing: The Hacker's Guide to Reverse Engineering
Sometimes calling or merely understanding a native API is crucial, in which case it is always possible to reverse its implementa ...
This is why operating systems use a special mechanism for switching from user mode to kernel mode. The general idea is that the ...
ntdll!ZwReadFile:
77f4302f mov eax,0xbf
77f43034 mov edx,0x7ffe0300
77f43039 call edx
77f4303b ret 0x24
This function calls into ...
loaded at a different virtual address each time they are loaded (but they can never be relocated after they have been loaded). R ...
Relocations are important for several reasons. First of all, they’re the reason why there are never absolute addresses in execut ...
is that an RVA is relative to the beginning of the image when it is mapped as an executable (meaning that distances are calculate ...
dynamic linking the program must manually load the right module at runtime and find the right function to call by searching thro ...
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint;
DWORD BaseOfCode;
DWORD BaseOfData;
// NT ...
Imports and Exports Imports and exports are the mechanisms that enable the dynamic linking process of executables described earl ...
Figure 3.4 The dynamic linking process and how modules can be interconnected using their import and export tables. Table 3.1 lis ...
Table 3.1 The Optional Directories in the Portable Executable File Format. Columns: NAME, DESCRIPTION, ASSOCIATED DATA STRUCTURE. Export Tab ...
Table 3.1 (continued) Columns: NAME, DESCRIPTION, ASSOCIATED DATA STRUCTURE. Load Configuration Table Contains a variety of image IMAGE_LOAD ...
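The following C program is an added worked example, not code from the book, that ties together the points made above about RVAs, relocations, the optional header fields (AddressOfEntryPoint, BaseOfCode, ImageBase) and the export table that dynamic linking relies on. It builds a tiny constructed PE32 image in memory (one section, two exports, one relocation block), translates RVAs to file offsets, resolves an export by name the way a loader's name lookup does, and applies HIGHLOW base relocations when the image is rebased. The struct names (DosHdr, FileHdr, OptHdr32, SecHdr, ExportDir) are shortened stand-ins for IMAGE_DOS_HEADER, IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32, IMAGE_SECTION_HEADER and IMAGE_EXPORT_DIRECTORY, with the same layouts; the function names and the sample image contents are this example's own assumptions. It handles 32-bit images only and assumes a little-endian host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } DosHdr;
typedef struct { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable,
    NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; } FileHdr;
typedef struct { uint32_t VirtualAddress, Size; } DataDir;
typedef struct {                       /* IMAGE_OPTIONAL_HEADER32, 224 bytes */
    uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint,
             BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment;
    uint16_t OsVer[2], ImgVer[2], SubsysVer[2]; uint32_t Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum;
    uint16_t Subsystem, DllCharacteristics;
    uint32_t StackReserve, StackCommit, HeapReserve, HeapCommit, LoaderFlags, NumberOfRvaAndSizes;
    DataDir DataDirectory[16];         /* [0] = export table, [5] = base relocation table */
} OptHdr32;
typedef struct { char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    PtrReloc, PtrLines; uint16_t NReloc, NLines; uint32_t Characteristics; } SecHdr;
typedef struct { uint32_t Characteristics, TimeDateStamp; uint16_t MajorVersion, MinorVersion; uint32_t Name,
    Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals; } ExportDir;
#pragma pack(pop)

static FileHdr *file_header(uint8_t *img) { return (FileHdr *)(img + ((DosHdr *)img)->e_lfanew + 4); }
static OptHdr32 *opt_header(uint8_t *img) { return (OptHdr32 *)((uint8_t *)file_header(img) + sizeof(FileHdr)); }
/* RVA -> file offset: on disk a section's bytes sit at PointerToRawData, not at its RVA; headers map 1:1. */
static uint32_t rva_to_offset(uint8_t *img, uint32_t rva) {
    FileHdr *fh = file_header(img);
    SecHdr *sec = (SecHdr *)((uint8_t *)opt_header(img) + fh->SizeOfOptionalHeader);
    if (rva < opt_header(img)->SizeOfHeaders) return rva;
    for (uint16_t i = 0; i < fh->NumberOfSections; i++)
        if (rva >= sec[i].VirtualAddress && rva - sec[i].VirtualAddress < sec[i].VirtualSize)
            return rva - sec[i].VirtualAddress + sec[i].PointerToRawData;
    return UINT32_MAX;                 /* RVA not covered by any section */
}
/* Little-endian read of n (2 or 4) bytes located at an RVA. */
static uint32_t rd(uint8_t *img, uint32_t rva, int n) { uint32_t v = 0; memcpy(&v, img + rva_to_offset(img, rva), n); return v; }
/* Export lookup: AddressOfNames[i] pairs with AddressOfNameOrdinals[i], which indexes AddressOfFunctions. */
static uint32_t find_export(uint8_t *img, const char *name) {
    DataDir *d = &opt_header(img)->DataDirectory[0];
    if (!d->VirtualAddress) return 0;
    ExportDir *ed = (ExportDir *)(img + rva_to_offset(img, d->VirtualAddress));
    for (uint32_t i = 0; i < ed->NumberOfNames; i++) {
        const char *s = (const char *)img + rva_to_offset(img, rd(img, ed->AddressOfNames + 4 * i, 4));
        if (strcmp(s, name) == 0)
            return rd(img, ed->AddressOfFunctions + 4 * rd(img, ed->AddressOfNameOrdinals + 2 * i, 2), 4);
    }
    return 0;                          /* not exported by name */
}
/* Rebase: add (new_base - ImageBase) to every IMAGE_REL_BASED_HIGHLOW target. Each block covers one
 * 4 KB page; each 16-bit entry is type:4 | offset-in-page:12. Returns the number of fixups applied. */
static int apply_relocations(uint8_t *img, uint32_t new_base) {
    OptHdr32 *oh = opt_header(img);
    DataDir *d = &oh->DataDirectory[5];
    uint32_t delta = new_base - oh->ImageBase, pos = 0; int n = 0;
    while (pos + 8 <= d->Size) {
        uint32_t page = rd(img, d->VirtualAddress + pos, 4), len = rd(img, d->VirtualAddress + pos + 4, 4);
        if (len < 8) break;                                   /* malformed block: stop rather than spin */
        for (uint32_t e = 8; e + 2 <= len; e += 2) {
            uint32_t entry = rd(img, d->VirtualAddress + pos + e, 2);
            if ((entry >> 12) != 3) continue;                 /* type 0 = ABSOLUTE padding */
            uint8_t *p = img + rva_to_offset(img, page + (entry & 0xFFF));
            uint32_t v; memcpy(&v, p, 4); v += delta; memcpy(p, &v, 4);
            n++;
        }
        pos += len;
    }
    oh->ImageBase = new_base;
    return n;
}

/* Constructed sample (not a real binary): one .rdata section at RVA 0x1000 / file offset 0x200 holding
 * an export table ("Bar", "Foo"), one relocation block, and an absolute pointer to Foo at RVA 0x1080. */
static uint8_t *sample_image(void) {
    static uint8_t img[0x400]; static int built;
    if (built) return img; built = 1;
    ((DosHdr *)img)->e_magic = 0x5A4D; ((DosHdr *)img)->e_lfanew = 0x40; memcpy(img + 0x40, "PE\0\0", 4);
    FileHdr *fh = (FileHdr *)(img + 0x44); fh->Machine = 0x14C; fh->NumberOfSections = 1; fh->SizeOfOptionalHeader = sizeof(OptHdr32);
    OptHdr32 *oh = (OptHdr32 *)(img + 0x58); oh->Magic = 0x10B; oh->ImageBase = 0x10000000;
    oh->AddressOfEntryPoint = 0x1100; oh->BaseOfCode = 0x1000; oh->SectionAlignment = 0x1000;
    oh->FileAlignment = 0x200; oh->SizeOfHeaders = 0x200; oh->SizeOfImage = 0x2000; oh->NumberOfRvaAndSizes = 16;
    oh->DataDirectory[0] = (DataDir){0x1000, 0x40}; oh->DataDirectory[5] = (DataDir){0x1050, 12};
    SecHdr *sec = (SecHdr *)(img + 0x138); memcpy(sec->Name, ".rdata", 6);
    sec->VirtualSize = sec->SizeOfRawData = 0x200; sec->VirtualAddress = 0x1000; sec->PointerToRawData = 0x200;
    ExportDir *ed = (ExportDir *)(img + 0x200); ed->Base = 1; ed->NumberOfFunctions = ed->NumberOfNames = 2;
    ed->AddressOfFunctions = 0x1028; ed->AddressOfNames = 0x1030; ed->AddressOfNameOrdinals = 0x1038;
    uint32_t funcs[2] = {0x1100, 0x1110}, names[2] = {0x1040, 0x1044}; uint16_t ords[2] = {1, 0};
    memcpy(img + 0x228, funcs, 8); memcpy(img + 0x230, names, 8); memcpy(img + 0x238, ords, 4);
    memcpy(img + 0x240, "Bar\0Foo", 8);                       /* name strings, in sorted order */
    uint32_t block[2] = {0x1000, 12}; uint16_t fixups[2] = {(3 << 12) | 0x80, 0};   /* HIGHLOW at 0x1080, pad */
    memcpy(img + 0x250, block, 8); memcpy(img + 0x258, fixups, 4);
    uint32_t ptr = oh->ImageBase + 0x1100; memcpy(img + 0x280, &ptr, 4);           /* &Foo at the preferred base */
    return img;
}
int main(void) {
    uint8_t *img = sample_image();
    printf("entry RVA %#x, Foo exported at RVA %#x\n", opt_header(img)->AddressOfEntryPoint, find_export(img, "Foo"));
    int n = apply_relocations(img, 0x20000000u);
    printf("%d fixup(s); pointer at RVA 0x1080 is now %#x\n", n, rd(img, 0x1080, 4));
    return 0;
}
```

Two things worth noticing when running it: "Bar" resolves to the second function slot even though it is listed first, because the name and ordinal arrays are parallel and only the ordinal selects the function, which is why a reverser reading an export table by hand must always go through AddressOfNameOrdinals; and the pointer at RVA 0x1080 is an absolute address in the file (0x10001100), which is the kind of value that makes an image non-relocatable unless the base relocation table lists it.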
Input and Output I/O can be relevant to reversing because tracing a program’s communications with the outside world is much easi ...
I/O element such as a network interface, a high-level networking protocol, a file system, or a physical storage device. Of cours ...
Object Management Because USER and GDI are both old components that were ported from ancient versions of Windows, they don’t use ...
The exception handler list is stored in the thread information block (TIB) data structure, which is available from user mode and ...
A bare-bones exception handler setup sequence looks something like this:
00411F8A push ExceptionHandler
00411F8F mov eax,dword ...
The bottom line is that knowledge of operating systems can be useful to reversers at many different levels. First of all, unders ...
Reversing is impossible without the right tools. There are hundreds of different software tools available out there that c ...
Different Reversing Approaches There are many different approaches for reversing and choosing the right one depends on the targe ...