Robert Baruch autophile@starband.net writes:
> Well, reliably because you just scan the code section of the executable for the sequence of bytes representing that procedure, since it will always be the same and always be in the code section.

But then it's tied to a very specific Shrinker version, and will need changing basically every time the Shrinker guys touch something. Or you make it less specific and risk triggering it on other apps that have similar code sequences.

> That is a nifty idea. Unfortunately it obfuscates the code a little bit. Instead of calling the handler, we'd have to code it in assembly with "call ecx" at the end. Shrinker looks for the next instruction after that to be something like mov eax,fs:[00000000], so we'd have to do that as well.

Yes, it's a bit ugly, but the exception code is already quite obfuscated as it is ;-)
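The specificity trade-off raised above (a byte signature that is either tied to one packer version or loose enough to hit unrelated programs) can be shown with a small signature scanner. The code below is an added example, not code from the thread or from Wine or Shrinker. The three "code sections" and the bytes surrounding the idiom are constructed for illustration; the only encodings taken from the discussion are "call ecx" (FF D1) and "mov eax, fs:[0]" (64 A1 00 00 00 00).

```python
# Added example: byte-signature matching with wildcard bytes, showing how a
# tight signature breaks on the next packer version while a loose one
# matches unrelated code that happens to use the same SEH idiom.
from typing import List, Optional

WILDCARD = -1  # stands for "any byte" in a parsed signature


def parse_signature(text: str) -> List[int]:
    """Parse 'FF D1 64 A1 ?? ??' into a list of ints, with -1 for '??'."""
    return [WILDCARD if tok == "??" else int(tok, 16) for tok in text.split()]


def find_signature(section: bytes, sig: List[int]) -> Optional[int]:
    """Return the offset of the first match of sig in section, or None."""
    n = len(sig)
    for off in range(len(section) - n + 1):
        if all(s == WILDCARD or s == section[off + i] for i, s in enumerate(sig)):
            return off
    return None


# Constructed sample code sections (hypothetical; not real Shrinker output).
# "call ecx ; mov eax, fs:[0]" followed by a few bytes that differ per sample.
PACKED_V1 = bytes.fromhex("90 90 FF D1 64 A1 00 00 00 00 8B 4D FC C3")
PACKED_V2 = bytes.fromhex("90 90 FF D1 64 A1 00 00 00 00 8B 55 F8 C3")  # "next version" touched the trailer
OTHER_APP = bytes.fromhex("55 8B EC FF D1 64 A1 00 00 00 00 5D C3")     # unrelated program, same idiom

# Tight: the full byte run from the v1 sample, trailer included.
TIGHT = parse_signature("FF D1 64 A1 00 00 00 00 8B 4D FC")
# Loose: only the shared idiom "call ecx ; mov eax, fs:[0]".
LOOSE = parse_signature("FF D1 64 A1 00 00 00 00")
# Middle ground: idiom plus the trailer's opcode, with the operand bytes wildcarded.
MIDDLE = parse_signature("FF D1 64 A1 00 00 00 00 8B ?? ??")


def classify(section: bytes) -> dict:
    """Report which of the three signatures fire on a code section."""
    return {
        "tight": find_signature(section, TIGHT) is not None,
        "loose": find_signature(section, LOOSE) is not None,
        "middle": find_signature(section, MIDDLE) is not None,
    }


if __name__ == "__main__":
    for name, sec in (("v1", PACKED_V1), ("v2", PACKED_V2), ("other", OTHER_APP)):
        print(name, classify(sec))
```

Run as written, the tight signature fires only on the v1 sample, the loose one fires on all three (including the unrelated program), and the wildcarded middle signature fires on both packer samples but not on the unrelated one. Which of the three is acceptable depends on how much breakage on the next Shrinker release versus how many false positives on other programs the detector can tolerate.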