Idea for replacing EAF with a different technique

Instead of using hardware breakpoints and dealing with the complications they cause, how about this?  Replace the IMAGE_DIRECTORY_ENTRY_EXPORT on critical DLLs with a pointer to an empty export directory, then patch ntdll!LdrGetProcedureAddress to know where the real export directories for those critical DLLs are.

This would avoid needing hardware breakpoints, allow protecting more than four DLLs, and--as far as I can tell--be no worse with compatibility than the hardware breakpoint solution.

Melissa

March 25th, 2015 11:36pm
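An added illustration of the idea in the post above (not part of the original post and not EMET code): it locates the IMAGE_DIRECTORY_ENTRY_EXPORT slot in a mapped image, repoints it at an empty export directory, and keeps the real RVA for a side table that a patched resolver would consult. The function names and the sample image are constructed for this example, the buffer is treated as a mapped image (RVA equals offset), and no loader code is patched.

```python
import struct

EXPORT_DIR_SIZE = 40  # sizeof(IMAGE_EXPORT_DIRECTORY)

def export_entry_offset(image):
    """Offset of DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT] in a mapped image."""
    if image[:2] != b"MZ":
        raise ValueError("no DOS header")
    nt = struct.unpack_from("<I", image, 0x3C)[0]      # e_lfanew
    if image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("no NT signature")
    opt = nt + 4 + 20                                  # skip signature and IMAGE_FILE_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):                    # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)
    if struct.unpack_from("<I", image, dirs - 4)[0] < 1:   # NumberOfRvaAndSizes
        raise ValueError("image has no data directories")
    return dirs                                        # export entry is index 0

def export_counts(image, rva=None):
    """(NumberOfFunctions, NumberOfNames) at rva, or at the RVA the header holds."""
    if rva is None:
        rva = struct.unpack_from("<I", image, export_entry_offset(image))[0]
    return struct.unpack_from("<II", image, rva + 20)

def repoint_exports(image, empty_rva):
    """Point the header at an empty directory; return the real RVA for the side table."""
    off = export_entry_offset(image)
    real_rva = struct.unpack_from("<I", image, off)[0]
    struct.pack_into("<II", image, off, empty_rva, EXPORT_DIR_SIZE)
    return real_rva

def build_sample_image():
    """Constructed PE32+ mapped-image stub: headers plus two export directories."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<I", img, opt + 108, 16)         # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112, 0x200, EXPORT_DIR_SIZE)
    struct.pack_into("<II", img, 0x200 + 20, 3, 3)     # real directory: 3 functions, 3 names
    # 0x300 stays zeroed: an empty directory (0 functions, 0 names)
    return img
```

After `repoint_exports`, code that walks the directory named in the header sees zero names, while a resolver holding the returned RVA still reaches the real directory.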
