For those into RCE, you surely came across Themida and know it can be a bitch.
Here is the PEB hooking loader from ARTeam:
- you will need to build the fake_kernel32.dll and fake_advapi32.dll solutions, and 2 dlls will be created in the ..\..\fake\ folder.
- in the ..\..\fake\ folder you have adjust_fake.exe, which you MUST use on the newly created dlls to get a valid import table for kernel32/advapi32.dll
- rebuild the themida loader project, as fake_kernel32.dll and fake_advapi32.dll are stored in the resources of themidaloader.exe
Addendum: in other news, ARTeam is hooking Services.exe to hide SoftICE