> >> Can you believe that the address appears 5 times on the stack on Win95,
> >> twice on ME, once on NT4.0?
> >>
> >> Now that the method is stable (after 1.5.10 is released), couldn't we
> >> store the offsets in wincap, keeping the adaptive method as a backup in
> >> the unknown case? Or are there many variations?
> >
> > I can tell you from the perspective of writing shellcode and rootkits on
> > windows that assuming offsets will be the same is not a good idea if you
> > are going for something that is to be widely deployed. Not only can they
> > vary between service packs/patches, but also between language editions of
> > the OS.
>
> What would you suggest doing instead?

Um, I would stick to the adaptive method that is currently being used. Maybe the adaptive method could be sped up a bit, though? I'll see if I spot anything obvious in the code tomorrow.
