C3 icon indicating copy to clipboard operation
C3 copied to clipboard

Published 20 hours ago verified publisher icon WithSecureLabs

GetLdrpHandleTlsOffsetData for 21H1?

Open rohybnol opened this issue 3 years ago • 0 comments

I cannot seem to find new pattern for recent windows version 21H1, thats what I've tried:

std::pair<std::string, size_t> GetLdrpHandleTlsOffsetData()
{
        return { "\x74\x33\x44\x8d\x43\x09", 0x2C };
}
DWORD LdrpHandleTlsData(void* baseAddress)
{
        auto ldrpHandleTlsData = GetLdrpHandleTlsData();
	printf("ldrpHandleTlsData : %p \r\n", ldrpHandleTlsData);
	LDR_DATA_TABLE_ENTRY ldrDataTableEntry{};
	ldrDataTableEntry.DllBase = baseAddress;
	return ((LdrpHandleTlsData_t)ldrpHandleTlsData)(&ldrDataTableEntry);
}
auto TlsData = FSecure::Loader::UnexportedWinApi::LdrpHandleTlsData((void*)baseAddress);
printf("TlsData : %d \r\n", TlsData);

Results into this on 21H1 Windows OS:

ldrpHandleTlsData : 00007FFDF0137C14
TlsData : -1073741819

Thanks

rohybnol avatar Jul 12 '21 15:07 rohybnol