[Patch]: Win95
Nicholas Wourms
nwourms@netscape.net
Tue Mar 23 01:12:00 GMT 2004
matt wrote:
>>Can you believe that the address appears 5 times on the stack on Win95,
>>twice on ME, once on NT4.0?
>>
>>Now that the method is stable (after 1.5.10 is released), couldn't we
>
> store
>
>>the offsets in wincap, keeping the adaptive method as a backup in the
>>unknown case? Or are there many variations?
>
>
> I can tell you from the perspective of writing shellcode and rootkits on
> windows that assuming offsets will be the same is not a good idea if you are
> going for something that is to be widely deployed. Not only can they vary
> between service packs/patches, but also between language editions of the OS.
>
What would you suggest doing instead?
Cheers,
Nicholas
More information about the Cygwin-patches
mailing list