Thomas Weidenmueller wrote:
> Alex Ionescu wrote:
> > - How you knew that the third member of that structure (or that it even exists) is an ACCESS_MASK called AccessesToAudit.
>
> If you know, why shouldn't he know?

I DON'T know. That's the point. It's impossible to guess something that doesn't exist in the ntoskrnl.exe binary unless you have access to the Windows Source Code; that's my point.

> From what I understand the entire structure is opaque, so my guess is that the names are just guessed, based on the obviously known layout.

The third member is not part of a known layout. It isn't referenced ANYWHERE in the binary. You could spend your life reversing the entire binary and only the first two members would appear.

> Thomas

Best regards,
Alex Ionescu