Closed
Description
For the "CLR process", it is not KERNEL32 that comes after the NTDLL module, but rather "MSCOREE", and it is this that leads to the later execution error.
Here is a fix for win86 and win64: match "KERNEL32" by its first "KERN" to determine whether the recursion needs to continue.
```
8B 48 28 81 39 4B 00 45 00 75 F3 81 79 04 52 00 4E 00 75 EA
```

```
079B0167 | 96               | xchg esi,eax                      |
079B0168 | AD               | lodsd                             |
079B0169 | 8B48 28          | mov ecx,dword ptr ds:[eax+28]     |
079B016C | 8139 4B004500    | cmp dword ptr ds:[ecx],45004B     |
079B0172 | 75 F3            | jne 79B0167                       |
079B0174 | 8179 04 52004E00 | cmp dword ptr ds:[ecx+4],4E0052   |
079B017B | 75 EA            | jne 79B0167                       |
```
```
48 8B 48 50 81 39 4B 00 45 00 75 F0 81 79 04 52 00 4E 00 75 E7
```

```
000001D9A0720095 | 48:96            | xchg rsi,rax                     |
000001D9A0720097 | 48:AD            | lodsq                            |
000001D9A0720099 | 48:8B48 50       | mov rcx,qword ptr ds:[rax+50]    |
000001D9A072009D | 8139 4B004500    | cmp dword ptr ds:[rcx],45004B    |
000001D9A07200A3 | 75 F0            | jne 1D9A0720095                  |
000001D9A07200A5 | 8179 04 52004E00 | cmp dword ptr ds:[rcx+4],4E0052  |
000001D9A07200AC | 75 E7            | jne 1D9A0720095                  |
```
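As an added illustration (not part of the issue or the project's code), the following Python models what the two `cmp` immediates above test and why a fixed "module after ntdll" assumption breaks in a CLR process. The module orders are constructed sample data, not captured from a real process; the offsets are only noted in comments since the walk itself is simulated.

```python
import struct

# The cmp immediates from the listings: 0x0045004B and 0x004E0052 are the
# UTF-16LE encodings of "KE" and "RN", read as two little-endian dwords from
# BaseDllName.Buffer. [eax+0x28] (x86) and [rax+0x50] (x64) reach that Buffer
# pointer relative to InMemoryOrderLinks inside LDR_DATA_TABLE_ENTRY.
KE = 0x0045004B
RN = 0x004E0052


def utf16_prefix_from_immediates(first: int, second: int) -> str:
    """Decode the two 32-bit cmp immediates back into the text they match."""
    return struct.pack("<II", first, second).decode("utf-16-le")


def matches_kern(base_dll_name: str) -> bool:
    """Reproduce the shellcode's check on a module's BaseDllName.

    Case-sensitive prefix test: it accepts anything beginning with "KERN",
    so it would also accept KERNELBASE.dll if that entry came first.
    """
    buf = base_dll_name.encode("utf-16-le")
    if len(buf) < 8:
        return False
    d0, d1 = struct.unpack_from("<II", buf, 0)
    return d0 == KE and d1 == RN


def find_kernel32_by_position(modules):
    """The brittle assumption the issue reports: the entry right after ntdll."""
    return modules[modules.index("ntdll.dll") + 1]


def find_kernel32_by_name(modules):
    """The fix: keep walking the in-memory order list until "KERN" matches."""
    for name in modules:
        if matches_kern(name):
            return name
    return None


# Constructed sample orders (hypothetical, for illustration only).
NATIVE_ORDER = ["app.exe", "ntdll.dll", "KERNEL32.DLL", "KERNELBASE.dll"]
CLR_ORDER = ["app.exe", "ntdll.dll", "MSCOREE.DLL", "KERNEL32.DLL", "KERNELBASE.dll"]

if __name__ == "__main__":
    print(utf16_prefix_from_immediates(KE, RN))
    print(find_kernel32_by_position(CLR_ORDER), find_kernel32_by_name(CLR_ORDER))
```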