A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #15318  by fire_the_hole
 Thu Aug 23, 2012 6:53 am
I use this to find the hooker:
kd> !chkimg -db nt
5 errors : nt (8053e621-8053e625)
8053e620 87 *e9 *6a *ce *6e *01 8b fc 3b 35 d4 99 55 80 0f 83 ..j.n...;5..U...

Now I want to fix the address "e9 6a ce 6e 01".
How can I know the original bytes?
 #15326  by SomeUnusedName
 Thu Aug 23, 2012 1:15 pm
Quote from the Debugging Tools help:
-f
Fixes errors in the image. Whenever the scan detects differences between the file on the symbol store and the image in memory, the contents of the file on the symbol store are copied over the image. If you are performing live debugging, you can create a dump file before you execute the !chkimg -f extension.
Ninja edit: Try ".hh !chkimg"; it launches the WinDbg help, which is immensely useful and detailed.
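A small parser for the `!chkimg -db` output quoted in the question, added here as an example and not code from the thread: it collects the bytes WinDbg marked with `*` and, when they form an x86 `E9 rel32` jump, computes where the inline hook lands, which is what to inspect next; the original bytes themselves still have to come from the symbol-store copy of the image, which is what `!chkimg -f` restores. The sample string is constructed from the dump in the question; the two functions are assumed names.

```python
import re
import struct

# Constructed sample: the "!chkimg -db nt" output quoted in the question above.
CHKIMG_OUTPUT = """\
5 errors : nt (8053e621-8053e625)
8053e620 87 *e9 *6a *ce *6e *01 8b fc 3b 35 d4 99 55 80 0f 83 ..j.n...;5..U..."""

ERROR_RE = re.compile(r"(\d+) errors? : (\S+) \(([0-9a-fA-F]+)-([0-9a-fA-F]+)\)")
ADDR_RE = re.compile(r"[0-9a-fA-F]{8}")
BYTE_RE = re.compile(r"\*?[0-9a-fA-F]{2}")

def parse_chkimg(text):
    """Return (module, first, last, changed) from '!chkimg -db' output.
    'changed' maps address -> in-memory byte for each byte that !chkimg
    marked with '*' (i.e. differs from the symbol-store copy of the image)."""
    module = first = last = None
    changed = {}
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            module = m.group(2)
            first, last = int(m.group(3), 16), int(m.group(4), 16)
            continue
        tokens = line.split()
        if len(tokens) < 2 or not ADDR_RE.fullmatch(tokens[0]):
            continue
        base = int(tokens[0], 16)
        for offset, tok in enumerate(tokens[1:17]):  # a db line shows <= 16 bytes
            if not BYTE_RE.fullmatch(tok):
                break  # reached the ASCII column
            if tok.startswith("*"):
                changed[base + offset] = int(tok[1:], 16)
    return module, first, last, changed

def decode_jmp_rel32(changed, addr):
    """If the patched bytes at addr form an x86 'E9 rel32' JMP, return its
    32-bit target: address of the next instruction + signed displacement."""
    if changed.get(addr) != 0xE9:
        return None
    try:
        disp = bytes(changed[addr + 1 + i] for i in range(4))
    except KeyError:
        return None  # not all five bytes of the JMP were reported as changed
    (rel,) = struct.unpack("<i", disp)
    return (addr + 5 + rel) & 0xFFFFFFFF
```

For the quoted dump the target decodes to 0x81c2b490; whether that address belongs to a loaded module or to unknown memory is the next thing to check with `lm` or `!address`.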