-3

There's an app that uses TLS callbacks to remap its memory (NtCreateSection/NtUnmapViewOfSection/NtMapViewOfSection) using the SEC_NO_CHANGE flag.

Is there any way to hook NtCreateSection before the target app uses it in its TLS callback?

kichik
Shahriyar
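TLS callbacks run before the image's entry point, so the first step in analysing a binary like the one described in the question is to list where they are. The following is an added example, not part of the question or of either answer: a static parser that reads the TLS directory of an on-disk PE and returns the callback RVAs. The names `tls_callbacks` and `build_sample` are illustrative, and the sample image is a constructed skeleton rather than a real binary.

```python
import struct
TLS_DIR = 9  # IMAGE_DIRECTORY_ENTRY_TLS

def tls_callbacks(pe: bytes) -> list:
    """Return the RVAs of the TLS callbacks declared in an on-disk PE image."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                    # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24
    pe64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B          # PE32+ magic
    ptr, psize = ("<Q", 8) if pe64 else ("<I", 4)
    base = struct.unpack_from(ptr, pe, opt + (24 if pe64 else 28))[0]
    dirs = opt + (112 if pe64 else 96)
    count, = struct.unpack_from("<I", pe, dirs - 4)               # NumberOfRvaAndSizes
    tls_rva = struct.unpack_from("<I", pe, dirs + 8 * TLS_DIR)[0] if count > TLS_DIR else 0
    if tls_rva == 0:
        return []
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    secs = [struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def to_offset(rva):
        for vsize, vaddr, rsize, raw in secs:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return raw + rva - vaddr
        raise ValueError("RVA %#x is outside every section" % rva)
    # AddressOfCallBacks is the fourth pointer-sized field and holds a VA, not an RVA
    array_va = struct.unpack_from(ptr, pe, to_offset(tls_rva) + 3 * psize)[0]
    if array_va == 0:
        return []
    pos, found = to_offset(array_va - base), []
    while (va := struct.unpack_from(ptr, pe, pos)[0]) != 0:       # null-terminated array
        found.append(va - base)
        pos += psize
    return found

def build_sample() -> bytes:
    """Constructed PE32+ skeleton (not a real binary) declaring two TLS callbacks."""
    base, nt, opt, img = 0x140000000, 0x40, 0x58, bytearray(0x400)
    img[:2], img[nt:nt + 4] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, nt)
    struct.pack_into("<HH12xH", img, nt + 4, 0x8664, 1, 240)      # 1 section, 240-byte optional header
    struct.pack_into("<H", img, opt, 0x20B)
    struct.pack_into("<Q", img, opt + 24, base)                   # ImageBase
    struct.pack_into("<I", img, opt + 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 112 + 8 * TLS_DIR, 0x1000, 40)
    struct.pack_into("<8s4I", img, opt + 240, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<Q", img, 0x200 + 24, base + 0x1040)        # AddressOfCallBacks
    struct.pack_into("<3Q", img, 0x240, base + 0x1100, base + 0x1180, 0)
    return bytes(img)
```

For a real file, pass the bytes read from disk to `tls_callbacks`; a truncated or malformed image surfaces as `ValueError` or `struct.error`.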

2 Answers

0

You could use API Monitor to check if it is really that function call, and if I understand you correctly, you want to modify its invocation. API Monitor allows you to modify the parameters on the fly. If just "patching" the value when the application accesses the API is enough, you could then use x64dbg to craft a persistent binary patch for your application. But this requires you to at least know or get familiar with basic x64/x86 assembler.

K. Frank
-2

I have no idea what you're trying to achieve exactly, but if you're trying to execute setup code before the main() function is called (to set up hooks), you could use the constructor on a static object. You would basically construct an object before your main program starts.

// In a .cpp file (do not put in a header as that would create multiple static objects!)
#include <iostream>

class StaticInitializer {
public:
    // Runs during static initialization, before main() is entered
    StaticInitializer() {
        std::cout << "This will run before your main function...\n";
        /* This is where you would setup all your hooks */
    }
};

static StaticInitializer staticInitializer;

Beware though, as any object constructed this way might get constructed in any order depending on compilers, file order, etc. Also, some things might not be initialized yet and you might not be able to achieve what you want to set up.

That might be a good starting point, but as I said, I'm not sure exactly what you're trying to achieve here, so good luck and I hope it helps a little.

user2888798