Figure 11.15 The layout of Defender’s memory copy of NTDLL.
The function takes the value at offset +4 of the matching entry (recall that
offset +4 holds the function's RVA) and adds to it the address at which
NTDLL's code section was copied. Later in the function a call is made to the
address that results. This can only be a call into the copied version of an
NTDLL API. Here's what you see at that address:
7D03F0F2 MOV EAX,35
7D03F0F7 MOV EDX,7FFE0300
7D03F0FC CALL DWORD PTR [EDX]
7D03F0FE RET 20
[Figure 11.15 labels: "Copy of NTDLL Code Section"; lookup table of entries holding a "Function Name Checksum" and the "Function's RVA"]
Breaking Protections 393
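The resolution mechanism described above, as an added example that is not code from the book or from Defender: a table of (name checksum, RVA) entries is searched for a checksum, the RVA at offset +4 of the matching entry is added to the base of the copied NTDLL code section, and the bytes found there are decoded as the 4-instruction stub listed above to recover the system call number and the dispatch pointer at 7FFE0300 it calls through. The checksum algorithm, the API names, the table contents and the byte buffer standing in for the copied code section are all constructed for the demo; only the stub bytes and the table layout (checksum first, RVA at +4) come from the text and the figure.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One entry of the table in Figure 11.15. Assumed layout: the name checksum
 * occupies the first 4 bytes, the RVA sits at offset +4 as the text states. */
struct api_entry {
    uint32_t name_checksum;
    uint32_t rva;
};

/* Decoded form of the 15-byte system call stub shown in the text. */
struct syscall_stub {
    uint32_t syscall_number;   /* immediate of MOV EAX,imm32 */
    uint32_t dispatch_ptr;     /* immediate of MOV EDX,imm32 (7FFE0300) */
    uint16_t arg_bytes;        /* immediate of RET imm16 */
};

/* Hypothetical name checksum: the page does not give Defender's algorithm,
 * any deterministic hash of the name works for the lookup. */
uint32_t name_checksum(const char *name)
{
    uint32_t h = 0;
    for (; *name != '\0'; name++)
        h = h * 33u + (unsigned char)*name;
    return h;
}

/* The lookup the text describes: scan the table for the checksum, take the
 * RVA at +4 of the matching entry and add the base of the copied NTDLL code
 * section. Returns NULL when no entry matches. */
const uint8_t *resolve_copied_api(const struct api_entry *table, size_t count,
                                  const uint8_t *copied_code_base, uint32_t checksum)
{
    for (size_t i = 0; i < count; i++)
        if (table[i].name_checksum == checksum)
            return copied_code_base + table[i].rva;
    return NULL;
}

/* Little-endian 32-bit immediate, independent of host byte order. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Recognise the stub pattern from 7D03F0F2 at p (avail bytes readable):
 *   B8 imm32   MOV EAX,imm32          5 bytes
 *   BA imm32   MOV EDX,imm32          5 bytes
 *   FF 12      CALL DWORD PTR [EDX]   2 bytes
 *   C2 imm16   RET imm16              3 bytes
 * Returns 0 and fills *out, or -1 if the bytes are not this pattern. */
int decode_syscall_stub(const uint8_t *p, size_t avail, struct syscall_stub *out)
{
    if (avail < 15 || p[0] != 0xB8 || p[5] != 0xBA ||
        p[10] != 0xFF || p[11] != 0x12 || p[12] != 0xC2)
        return -1;
    out->syscall_number = rd32(p + 1);
    out->dispatch_ptr   = rd32(p + 6);
    out->arg_bytes      = (uint16_t)(p[13] | (p[14] << 8));
    return 0;
}

/* Constructed stand-in for the copied code section: the exact bytes of the
 * stub from the text at RVA 0x10, zero padding everywhere else. */
static const uint8_t copied_code[0x40] = {
    [0x10] = 0xB8, 0x35, 0x00, 0x00, 0x00,   /* MOV EAX,35 */
             0xBA, 0x00, 0x03, 0xFE, 0x7F,   /* MOV EDX,7FFE0300 */
             0xFF, 0x12,                     /* CALL DWORD PTR [EDX] */
             0xC2, 0x20, 0x00,               /* RET 20 */
};

/* Constructed table; the names are placeholders, not Defender's real list.
 * "NtDemoCall" resolves to the stub, "NtOtherCall" to zeroed bytes. */
static struct api_entry demo_table[2];

static void build_demo_table(void)
{
    demo_table[0].name_checksum = name_checksum("NtOtherCall");
    demo_table[0].rva = 0x30;
    demo_table[1].name_checksum = name_checksum("NtDemoCall");
    demo_table[1].rva = 0x10;
}

/* End to end: hash the name, resolve it against the copied section, decode
 * what sits there. 0 on success, -1 for an unknown name or a non-stub target. */
int resolve_and_decode(const char *name, struct syscall_stub *out)
{
    build_demo_table();
    const uint8_t *target = resolve_copied_api(demo_table, 2, copied_code,
                                               name_checksum(name));
    if (target == NULL)
        return -1;
    return decode_syscall_stub(target,
                               (size_t)(copied_code + sizeof copied_code - target), out);
}

int main(void)
{
    struct syscall_stub s;
    if (resolve_and_decode("NtDemoCall", &s) == 0)
        printf("syscall %02X via [%08X], RET %X\n",
               s.syscall_number, s.dispatch_ptr, s.arg_bytes);
    return 0;
}
```

Resolving into a private copy this way means the call never passes through the exported entry point in the real NTDLL, which is why a breakpoint set on that export would not fire; the decoder is the check you want when walking such a copied section, because every stub of this shape carries its system call number in plain sight at the first immediate.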