matt wrote:

Can you believe that the address appears 5 times on the stack on Win95,
twice on ME, once on NT4.0?

Now that the method is stable (after 1.5.10 is released), couldn't we store
the offsets in wincap, keeping the adaptive method as a backup in the
unknown case? Or are there many variations?


I can tell you from the perspective of writing shellcode and rootkits on
Windows that assuming offsets will be the same is not a good idea if you are
going for something that is to be widely deployed. Not only can they vary
between service packs/patches, but also between language editions of the OS.


What would you suggest doing instead?


Cheers,
Nicholas


