Donghyun Lee

17 comments by Donghyun Lee

Thank you for the awesome project! I'm having a hard time fuzzing the 32-bit program, so I just wonder when this rework will be done?

After a long time of analysing Lighthouse and Tenet (infinite scrolling..), I found that the target program (which is a 32-bit program) didn't invoke `ntdll!NtReadFile`. So I added some code to hook `KERNEL32!ReadFile` directly...

[This attachment](https://github.com/0vercl0k/wtf/files/8997065/Lighthouse.and.Tenet.zip) (edited 220628) is the Lighthouse log and Tenet log for the code before I added the `KERNEL32!ReadFile` hook. I found that `nt!KiPageFault` is called (not `ntdll!NtReadFile`) when `KERNEL32!ReadFile` is invoked. -...

@y0ny0ns0n, thank you for your clear explanation. I should try to define my own custom mutator. Still, any idea about `nt!KiPageFault` (not `ntdll!NtReadFile`) being called for `KERNEL32!ReadFile`?

You mean `KERNELBASE!ReadFile+0x341d9`?

![WinDbg (X64) KERNELBASE!ReadFile+0x56](https://user-images.githubusercontent.com/26313346/176084158-474058a4-1826-4b0e-be07-47f9657b5580.png)

![IDA KERNELBASE!ReadFile+0x56](https://user-images.githubusercontent.com/26313346/176084253-4b3c51ff-1ff4-4f25-864f-5ddbb9274506.png)

I already disabled the pagefile as in #21.

![sysdm cpl](https://user-images.githubusercontent.com/26313346/176084403-a90bd6bf-d558-4c93-90f4-96df2be71bb2.png)

I have no idea why `KERNELBASE!ReadFile+0x341d9` is not mapped. Is there currently any...

I made two attempts:

- lockmem
- Increase memory 4GB -> 5GB

and `KERNELBASE!ReadFile` was dumped normally (which was not the case when just disabling the pagefile -> idk why yet). However, ...

BTW, @y0ny0ns0n, did your target 32-bit program do a file read, and was `ntdll!NtReadFile` hooked normally when fuzzing?

@0vercl0k thanks for looking at it :) With reference to [this](https://docs.microsoft.com/en-us/windows/win32/fileio/opening-a-file-for-reading-or-writing#example-open-a-file-for-reading) doc, I made a 32-bit program that does a simple `ReadFile` to verify what you said.

Code

```cpp
#define _CRT_SECURE_NO_WARNINGS
#include...
```

By the way, why did you use `ntdll` instead of the `nt` for fshook? @0vercl0k

Oh, I think this is the clue...

```diff
- static const uint64_t LastGuestHandle = 0x7ffffffffffffffeULL;
+ static const uint64_t LastGuestHandle = 0x7ffffffeULL;
```
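Review bot: replacing the 64-bit ceiling with a 32-bit one in place hardcodes the guest's pointer width into a `uint64_t` constant, so a build that also fuzzes 64-bit targets would now hand out handles capped at `0x7ffffffe`; consider selecting the bound from the target's bitness (or making it a configurable parameter) and adding a comment stating why the upper handle value differs between 32-bit and 64-bit guests.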