Search found 1101 matches

by rkhunter
Wed Aug 22, 2018 11:17 am
Forum: Kernel-Mode Development
Topic: Entry point for calling DriverEntry at ntoskrnl (Win10)
Replies: 3
Views: 1043

Re: Entry point for calling DriverEntry at ntoskrnl (Win10)

Thx. I analyzed it without applying structures or Hex-Rays, looked for call [register+offset] and forgot about _guard_dispatch_icall.

by rkhunter
Tue Aug 21, 2018 6:09 pm
Forum: Kernel-Mode Development
Topic: Entry point for calling DriverEntry at ntoskrnl (Win10)
Replies: 3
Views: 1043

Entry point for calling DriverEntry at ntoskrnl (Win10)

Hi all.

Does anyone remember which function in the NT kernel in Win10 is responsible for calling DriverEntry when loading drivers? I can't find any footprints in IopLoadDriver.

by rkhunter
Sat Jan 13, 2018 7:14 am
Forum: Kernel-Mode Development
Topic: Undocumented structures for W2k-Win10
Replies: 21
Views: 66949

Re: Undocumented structures for W2k-Win10

Win10 RS3 (1709) + KB4056892 (Spectre/Meltdown update and KPTI) ntoskrnl pdb and structures

by rkhunter
Fri Jan 12, 2018 6:58 pm
Forum: Reverse Engineering and Debugging
Topic: Question about Spectre vulnerability mitigation
Replies: 0
Views: 4031

Question about Spectre vulnerability mitigation

Guys, I have a little question about the Spectre#1 mitigation in the Win10 kernel.

Why were the Win10 kernel trap handlers updated with LFENCE instructions? As I understand it, Spectre#1 can't allow Ring 3 code to read kernel memory or to be executed as Ring 0. Or am I wrong?

by rkhunter
Mon Oct 30, 2017 11:08 am
Forum: Kernel-Mode Development
Topic: Undocumented structures for W2k-Win10
Replies: 21
Views: 66949

Re: Undocumented structures for W2k-Win10

Windows 10 Redstone 3 (1709) HAL (10.0.16299.15) pdb + extracted structures.

by rkhunter
Fri Oct 20, 2017 7:30 pm
Forum: Kernel-Mode Development
Topic: Undocumented structures for W2k-Win10
Replies: 21
Views: 66949

Re: Undocumented structures for W2k-Win10

Windows 10 Redstone 3 (1709) ntoskrnl (10.0.16299.15) pdb + extracted structures.

by rkhunter
Tue Sep 05, 2017 1:25 pm
Forum: Tools/Software
Topic: Enhanced Mitigation Experience Toolkit (EMET)
Replies: 12
Views: 39673

Re: Enhanced Mitigation Experience Toolkit (EMET)

EMET on Windows 10 Insider aka PayloadRestrictions.dll and how it is loaded into a process

https://github.com/deroko/payloadrestrictions

by rkhunter
Mon Aug 14, 2017 11:28 am
Forum: Reverse Engineering and Debugging
Topic: Articles
Replies: 32
Views: 90950

Re: Articles

Exploring Windows virtual memory management

http://www.triplefault.io/2017/08/explo ... emory.html

by rkhunter
Thu Aug 10, 2017 10:51 am
Forum: Tools/Software
Topic: Enhanced Mitigation Experience Toolkit (EMET)
Replies: 12
Views: 39673

Re: Enhanced Mitigation Experience Toolkit (EMET)

Moving Beyond EMET II – Windows Defender Exploit Guard

https://blogs.technet.microsoft.com/srd ... oit-guard/