BlueSkeye
The DUMPBIN & EDITBIN command line tools (available with all editions of Visual Studio when VC++ workload is installed) might be interesting references. The tools allow extensive dump/modification of many...
I don't understand what you mean by "cave between sections". As I understand, the PE loader allocates a memory block for each section. However these blocks are disjoint and it...
When you say "Create a Section" I assume you mean invoking Zw/NtCreateSection. This might be confusing for readers because the section concept has been introduced in module 1.2 as a...
It might be useful for people not familiar with /Fa flag to clarify that it generates a listing of the assembly code default named .asm, otherwise readers may wonder where...
AFAIU WoW64 is an emulator not a subsystem. Microsoft itself defines WoW64 as an emulator: https://docs.microsoft.com/en-us/windows/win32/winprog64/wow64-implementation-details ... while it advertises WSL as a subsystem: https://docs.microsoft.com/en-us/windows/wsl/
At point 6 you state BaseProcessStart invokes EntryPoint which is right. However this might not be the very first user provided code that is executed. One of the well-known...
Exercises code contains some error checking and leaves aside a couple of cases. I understand we are in a lab and not seeking bulletproof and "production ready" code...
I feel "decompiled code is identical to the assembly code that you wrote" is slightly misleading. Both MASM and YASM support macros and equates that are inlined during compilation. Thus,...
Looks like someone forgot to translate from decimal to hexadecimal values. Cross-checking with [MS-RAP] specification document version 28.0 (v20160714) section 2.5.5.4.2 and associated notes 12 and 13 from Appendix A,...
Null reference assignment to result at: https://github.com/AzureAD/SCIMReferenceCode/blob/d445ef901981fef684a220fe8cf6c97b588600fd/Microsoft.SystemForCrossDomainIdentityManagement/Service/HttpResponseExceptionFactory.cs#L20 is probably not what is expected. Consider replacing with: `message = null;`