1) You need to inject your code into the target process.
2) You must check whether CFG is present in your target module. It seems the MS linker has a bug: DataDirectory[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG].Size equals 0x40, but IMAGE_LOAD_CONFIG_DIRECTORY.Size contains the right value.
3) You must just patch the pointer in *(IMAGE_LOAD_CONFIG_DIRECTORY.GuardCFCheckFunctionPointer) to your handler. Prototype of the handler:
void __fastcall my_check_icall(PBYTE addr)
4) Now you can check the addr parameter. One possible check: just see whether this addr is located in some loaded module, so you can traverse PEB_LDR_DATA.
Have fun!
CFG is also available in Win8.1 (November 2014 Update)