DataPtrHookWin11

A .data pointer hook with communication for windows 11

since windows 11, the data pointer is not in the .data section. the fuction pointer store in buffer pool, here code find the pool with pattern, is form 32GetSessionState(). then, we can get function pointer form the pool.

origin function in IDA

__int64 (__fastcall *__fastcall NtUserSetGestureConfig(__int64 a1, unsigned int a2, unsigned int a3, __int64 a4, int a5))(__int64, _QWORD, _QWORD, __int64, int)
{
  __int64 (__fastcall *result)(__int64, _QWORD, _QWORD, __int64, int); // rax

  result = *(__int64 (__fastcall **)(__int64, _QWORD, _QWORD, __int64, int))(*(_QWORD *)(*(_QWORD *)(W32GetSessionState() + 136)
                                                                                       + 336i64)
                                                                           + 3120i64);
  if ( result )
    result = (__int64 (__fastcall *)(__int64, _QWORD, _QWORD, __int64, int))result(a1, a2, a3, a4, a5);
  return result;
}

Name		Name	Last commit message	Last commit date
Latest commit History 7 Commits
DataPtrHookWin11		DataPtrHookWin11
Test		Test
.gitignore		.gitignore
DataPtrHookWin11.sln		DataPtrHookWin11.sln
LICENSE		LICENSE
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

DataPtrHookWin11

origin function in IDA

About

Uh oh!

Releases

Packages

Uh oh!

Languages

License

oakboat/DataPtrHookWin11

Folders and files

Latest commit

History

Repository files navigation

DataPtrHookWin11

origin function in IDA

About

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Languages

Packages