Search found 48 matches

by listito
Sun Jun 23, 2013 1:48 pm
Forum: Tools/Software
Topic: AvLock Method
Replies: 19
Views: 30936

Re: AvLock Method

Hey thanks again guys,

0x16 the trick is simple, just unload avipbb.sys from memory, and then call NtCreatePagingFile which then returns 0 gracefully

:twisted:
by listito
Sun Jun 23, 2013 7:12 am
Forum: Tools/Software
Topic: AvLock Method
Replies: 19
Views: 30936

Re: AvLock Method

Hey EP_X0FF

No, I don't think protection mechanisms are effective only by hooking, I'm just very curious to know how they made it, and yes it can be useful in malicious code, but it's not my case, I hate malware stuff
by listito
Sat Jun 22, 2013 5:53 am
Forum: Tools/Software
Topic: AvLock Method
Replies: 19
Views: 30936

Re: AvLock Method

Finally I've made it work with avira doing a trick, but I don't understand how avira protects itself from the trick (it was returning STATUS_DENIED), I've restored SSDT, ShadowSSDT, I've seen 3 notify callbacks for createprocess, createthread and loadimage, nothing hooked with ntfs major handlers or n...
by listito
Tue Jun 11, 2013 7:39 am
Forum: Tools/Software
Topic: AvLock Method
Replies: 19
Views: 30936

Re: AvLock Method

just found out the answer of my own question, in case anyone gets interested: "On Vista, If your .exe already have embedded manifest, the external manifest will be ignored and embedded manifest is used. (This is opposite from XP case.. on XP, external manifest is used on this case.)" http://social.m...
by listito
Tue Jun 11, 2013 7:30 am
Forum: Tools/Software
Topic: AvLock Method
Replies: 19
Views: 30936

Re: AvLock Method

Amazing idea 0x16/7ton, I just tested in winxp sp3 32 bits and it works like a charm, but it doesn't in win 7 x64, can someone please explain to me the internals of the idea? Why doesn't it run? Is it the PE loader that checks .manifest invalid configs and refuses to run the .exe? Anyone know why it doe...
by listito
Tue Dec 04, 2012 1:42 pm
Forum: Malware
Topic: Zero Day Java Exploits(All Java Exploits goes here)
Replies: 68
Views: 285741

Re: Zero Day Java Exploits(All Java Exploits goes here)

anyone got CVE-2012-5076 ?
by listito
Thu Nov 08, 2012 9:08 pm
Forum: Newbie Questions
Topic: Portable ring3 hooks
Replies: 6
Views: 5868

Re: Portable ring3 hooks

thanks EP_X0FF, it looks like it really is the best solution, checking the prologue in the file and comparing it with the one mmaped in memory, could you please send me, or tell me where I can find, all versions of at least kernel32.dll and ntdll.dll?
by listito
Mon Nov 05, 2012 8:15 pm
Forum: Newbie Questions
Topic: Portable ring3 hooks
Replies: 6
Views: 5868

Re: Portable ring3 hooks

ok thanks for the reply wacked, the APIs I'm going to unhook are just a very few ones, so I'm thinking about restoring the first 6 bytes :)
by listito
Mon Nov 05, 2012 5:46 pm
Forum: Newbie Questions
Topic: Portable ring3 hooks
Replies: 6
Views: 5868

Portable ring3 hooks

Hello, I'm trying to build a r3 unhooker and I'd like to know if it is possible for ntdll.dll or any other microsoft dll to change its prologue signature from version to version? Can it change? Example:

776B0B12 > 8BFF MOV EDI,EDI
776B0B14 55 PUSH EBP
776B0B15 8BEC MOV EBP,ESP
by listito
Thu Aug 30, 2012 1:29 pm
Forum: Malware
Topic: Zero Day Java Exploits(All Java Exploits goes here)
Replies: 68
Views: 285741

Re: Zero Day Java Exploits(All Java Exploits goes here)

anyone got CVE-2012-1723 and CVE-2012-0507 ?

no metasploit shit please