nino
February 27th, 2003, 13:12
While reversing a program I came across a piece of code that uses the edx register value returned from a call to GetModuleHandle(NULL).
Apparently NT-like OSs do not use it but Windows-like (9x, Me) do.
The value is treated as a pointer to a structure where the 3rd dword field [edx+8] is expected to be -1 and, if so, the value of the 2nd dword field [edx+4] is used as a pointer to some data.
Does somebody know what this structure the edx register points to is?
I suspect the code is used as an anti-debugging trick.