On Tue May 13 22:26:01 2025 +0000, Yuxuan Shui wrote:
Oh, and calling `GetModuleHandle` and `GetProcAddress` from winecrt0 is problematic, too, since they are from kernelbase/kernel32.
Yes, you need to use `LdrGetDllHandle` / `LdrGetProcedureAddress`.
I don't have anything concrete in mind for the hidden channel. It could be an unused slot in PEB/TEB, a hidden symbol, etc.