Mon Mar 22 20:25:00 GMT 2004
> Can you believe that the address appears 5 times on the stack on Win95,
> twice on ME, once on NT4.0?
> Now that the method is stable (after 1.5.10 is released), couldn't we
> the offsets in wincap, keeping the adaptive method as a backup in the
> unknown case? Or are there many variations?
I can tell you from the perspective of writing shellcode and rootkits on
windows that assuming offsets will be the same is not a good idea if you are
going for something that is to be widely deployed. Not only can they vary
between service packs/patches, but also between language editions of the OS.
More information about the Cygwin-patches