I was recently reading an article on the Windows Metafile vulnerability (http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability#Third-party_patch) and I was interested by one of the points made.
A third party patch[9] was released by Ilfak Guilfanov on 31 December 2005 to temporarily disable the vulnerable function call in gdi32.dll.
So this got me thinking as to how Ilfak Guilfanov actually went about disabling the function in gdi32.dll.
My theory got as far as opening Dependency Walker, finding the function's entry point and then analysing that in a hex editor; however, hex isn't my native language, unfortunately.
So would you require some form of expensive software to achieve something like this, or would it be a case of a lot of trial and error?
Note: This isn’t intended as a hacking question, but more to understand what I see as a very interesting and clever process
You could open up the DLL with your favorite (dis)assembler, find the entry point of the function and put a `ret` assembler instruction there to return directly from the function without doing anything else.
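What that answer describes, done against the file on disk, as an added example (it is not code from the question, the answer, or Ilfak Guilfanov's patch): walk the PE headers to the export table, resolve the exported name to the RVA of its code, map that RVA to a file offset through the section table, and overwrite the first byte with `0xC3` (`ret`). The DLL it operates on is a constructed, minimal PE32+ image with two exports, `SafeFunc` and `VulnFunc`; those names, `sample.dll`, and the `stack_bytes` parameter are assumptions made for the illustration and are not on the original page.

```python
"""Patch an exported function's entry point with `ret` by editing the PE file.

Added example, not code from the question, the answer or the Ilfak Guilfanov
patch. Only the standard library is used; the sample DLL is constructed below.
"""
import struct

RET = b"\xc3"           # x86 `ret`
RET_IMM16 = b"\xc2"     # x86 `ret imm16`: pops imm16 bytes of arguments (stdcall callee-cleanup)


def _u16(d, o): return struct.unpack_from("<H", d, o)[0]
def _u32(d, o): return struct.unpack_from("<I", d, o)[0]
def _cstr(d, o): return d[o:d.index(b"\0", o)]


def parse_pe(data):
    """Return ([(VirtualAddress, size, PointerToRawData)...], export RVA, export size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    nt = _u32(data, 0x3C)                       # e_lfanew -> IMAGE_NT_HEADERS
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = _u16(data, nt + 6), _u16(data, nt + 20)
    opt = nt + 24                               # IMAGE_OPTIONAL_HEADER
    dd = opt + (96 if _u16(data, opt) == 0x10B else 112)   # DataDirectory: PE32 vs PE32+
    sections = []
    for i in range(nsec):
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, rsize), rptr))
    return sections, _u32(data, dd), _u32(data, dd + 4)   # directory[0] = export table


def rva_to_offset(sections, rva):
    for va, size, rptr in sections:
        if va <= rva < va + size:
            return rva - va + rptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def export_rva(data, name):
    """RVA of the code of export `name`, via IMAGE_EXPORT_DIRECTORY."""
    sections, exp_rva, exp_size = parse_pe(data)
    off = lambda rva: rva_to_offset(sections, rva)
    exp = off(exp_rva)
    n_names = _u32(data, exp + 24)
    funcs, names, ords = _u32(data, exp + 28), _u32(data, exp + 32), _u32(data, exp + 36)
    for i in range(n_names):
        if _cstr(data, off(_u32(data, off(names) + 4 * i))) == name.encode():
            ordinal = _u16(data, off(ords) + 2 * i)          # index into AddressOfFunctions
            rva = _u32(data, off(funcs) + 4 * ordinal)
            if exp_rva <= rva < exp_rva + exp_size:          # points into the export dir: forwarder
                raise ValueError(f"{name} is forwarded to another DLL; nothing to patch here")
            return rva
    raise KeyError(name)


def patch_export(data, name, stack_bytes=0):
    """Overwrite the entry of export `name` with `ret` (or `ret imm16` when the
    callee must pop `stack_bytes` of arguments). Returns (patched, offset, original)."""
    rva = export_rva(data, name)
    offset = rva_to_offset(parse_pe(data)[0], rva)
    stub = RET if stack_bytes == 0 else RET_IMM16 + struct.pack("<H", stack_bytes)
    patched = bytearray(data)
    original = bytes(patched[offset:offset + len(stub)])
    patched[offset:offset + len(stub)] = stub
    return bytes(patched), offset, original


def build_sample_dll():
    """Constructed sample: a minimal PE32+ DLL exporting SafeFunc and VulnFunc
    (assumed names). Just enough structure for the parser, not a loadable binary."""
    text_rva, text_raw = 0x1000, 0x200
    sec = bytearray(0x200)
    sec[0x00:0x06] = b"\xb8\x01\x00\x00\x00\xc3"       # SafeFunc: mov eax,1 ; ret
    sec[0x10:0x16] = b"\xb8\x02\x00\x00\x00\xc3"       # VulnFunc: mov eax,2 ; ret
    exp, funcs, nameptrs, ords, strings = 0x20, 0x48, 0x50, 0x58, 0x5C
    blob, name_rvas = b"sample.dll\0", []
    for n in (b"SafeFunc", b"VulnFunc"):               # must stay sorted for the loader
        name_rvas.append(text_rva + strings + len(blob))
        blob += n + b"\0"
    sec[strings:strings + len(blob)] = blob
    struct.pack_into("<IIHHIIIIIII", sec, exp, 0, 0, 0, 0, text_rva + strings, 1, 2, 2,
                     text_rva + funcs, text_rva + nameptrs, text_rva + ords)
    struct.pack_into("<II", sec, funcs, text_rva + 0x00, text_rva + 0x10)
    struct.pack_into("<II", sec, nameptrs, *name_rvas)
    struct.pack_into("<HH", sec, ords, 0, 1)
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x20B)                                     # PE32+ magic
    struct.pack_into("<Q", hdr, opt + 24, 0x180000000)                          # ImageBase
    struct.pack_into("<II", hdr, opt + 32, 0x1000, 0x200)                       # alignments
    struct.pack_into("<II", hdr, opt + 56, 0x2000, 0x200)                       # SizeOfImage/Headers
    struct.pack_into("<I", hdr, opt + 108, 16)                                  # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 112, text_rva + exp, strings + len(blob) - exp)
    sh = opt + 240
    hdr[sh:sh + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", hdr, sh + 8, len(sec), text_rva, len(sec), text_raw)
    struct.pack_into("<I", hdr, sh + 36, 0x60000020)                            # CODE|EXEC|READ
    return bytes(hdr + sec)


if __name__ == "__main__":
    dll = build_sample_dll()
    patched, off, orig = patch_export(dll, "VulnFunc")
    print(f"VulnFunc entry at file offset {off:#x}: {orig.hex()} -> {patched[off:off + 1].hex()}")
```

Two things worth noting when doing this for real. A bare `ret` leaves whatever happens to be in `eax` as the return value, so callers that inspect it get an undefined result; a real patch usually writes `xor eax,eax` (or the desired value) before the `ret`. And on 32-bit Windows the exported APIs are stdcall, where the callee pops its own arguments, so a plain `ret` would leave the caller's stack unbalanced; that is why `patch_export` can emit `ret imm16` instead. The same byte rewrite can be done against the loaded image in a process instead of the file on disk, which avoids touching a signed system DLL.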