GET /api/techniques/218/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"id": 218,
"key": "change-module-base-address-at-runtime",
"unprotect_id": "U1239",
"name": "Change Module Base Address at Runtime",
"description": "It is possible to change the `DllBase` of a module at runtime. This can trick debugging and analysis tools such as IDA or Cheat Engine into thinking a module's base is actually at another address. \r\n\r\nThis is achieved by accessing the process PEB's member 'Ldr', in particular it has a member `InOrderMemoryLinks` which we can iterate through to get a list of the process's modules. On each iteration we get a `PLDR_DATA_TABLE_ENTRY` structure to work with which contains a member PVOID `DllBase`, that can be overwritten with the new module base address.",
"windows": "",
"linux": "",
"macos": "",
"resources": "",
"creation_date": "2022-07-18T07:01:37.901000Z",
"tags": "",
"modification_date": "2022-07-18T07:01:37.901000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [],
"contributors": []
}
