Thomas Weidenmueller wrote:
> Alex Ionescu wrote:
>> 2) How you knew that the third member of that structure (or that it even
>> exists) is an ACCESS_MASK called AccessesToAudit.
>
> If you know, why shouldn't he know?

I DON'T know. That's the point. It's impossible to guess something that
doesn't exist in the ntoskrnl.exe binary unless you have access to the
Windows Source Code; that's my point.

> From what I understand the entire structure is opaque, so my guess is
> that the names are just guessed, based on the obviously known layout.

The third member is not part of a known layout. It isn't referenced
ANYWHERE in the binary. You could spend your life reversing the entire
binary and only the first two members would appear.

> Thomas

Best regards,
Alex Ionescu