Apologies if this is a silly question, but I’m confused. I’m working on a reverse engineering assignment. While looking at a disassembled dll of possibly malicious code, I found these lines:
    push nsize                 ; makes sense
    push offset Security_Attr  ; makes sense
    push 80h                   ; this address does not make sense
    push offset read_buf       ; makes sense
    call CreatePipe            ; makes sense
This is calling a Windows function called CreatePipe. “80h” should point to a buffer that the pipe writes to. The value just seems way too small! Is this address pointing to the user_interrupt section of the vector table? If so, is this pipe overwriting user_interrupt handlers in the vector table?
Any pointers are appreciated.