by tangptr
Thu Jan 10, 2019 2:38 pm
Forum: General Discussion
Topic: Use LGPL code in MIT project?
Replies: 1
Views: 114

Use LGPL code in MIT project?

Suppose I have a project open-sourced under the MIT license. I want to use some code, not all of it, from another open-source software licensed under LGPL v3 in my project. Does this action violate the LGPL v3?
by tangptr
Tue Sep 18, 2018 12:33 pm
Forum: Kernel-Mode Development
Topic: PG check
Replies: 4
Views: 1822

Re: PG check

Whether PatchGuard is disabled or not cannot be detected if malware has done manipulation. You cannot check by files because you cannot be sure if you are checking the manipulated one or the backup. In most cases, you are checking the backup. You cannot check by dumping memory because the initializatio...
by tangptr
Tue Aug 14, 2018 3:35 am
Forum: Kernel-Mode Development
Topic: Probe kernel memory for read
Replies: 3
Views: 9859

Re: Probe kernel memory for read

Did you enclose your MmProbeAndLockPages invocation in an SEH block? This is essential when invoking it.
In addition, the result of MmGetPhysicalAddress is only valid for system-session addresses. Results from MmGetPhysicalAddress for DMA, win32-subsystem, user-mode, etc. memory are invalid.
by tangptr
Mon Aug 13, 2018 7:09 am
Forum: Kernel-Mode Development
Topic: Hooking the official way?
Replies: 8
Views: 5143

Re: Hooking the official way?

You may hook MSR-LSTAR (ecx=0xC0000082) and hide your hook using hardware-accelerated virtualization (Intel VT-x or AMD-V). This can be accomplished by rdmsr interception. It requires the fewest virtualization features - no address translation (Intel EPT or AMD NPT) required. HyperBone written by Dart...
by tangptr
Thu Jul 12, 2018 10:12 am
Forum: Kernel-Mode Development
Topic: Detecting Test Mode
Replies: 7
Views: 5170

Re: Detecting Test Mode

I shall emphasize that THERE IS a DSE component on 32-bit Windows, although it is disabled at kernel initialization.
Therefore, you may enable DSE in 32-bit Windows by hacking the "Code-Integrity driver". It can be done by the reverse of the ways used to disable DSE on Win64.
by tangptr
Wed Jul 11, 2018 5:57 am
Forum: Kernel-Mode Development
Topic: Detecting Test Mode
Replies: 7
Views: 5170

Re: Detecting Test Mode

The most "quick-and-dirty" way is to load a test-signed-only driver for detection.
In addition, 32-bit NT6 systems do have DSE. It is disabled by default, but you may dynamically enable it by patching the "Code-Integrity Driver".
by tangptr
Mon Jul 09, 2018 2:56 am
Forum: Kernel-Mode Development
Topic: Breakpoints matters?
Replies: 2
Views: 2324

Re: Breakpoints matters?

Hi, on a breakpoint inside the guest, the debugger may sanitize something which you did not set properly, e.g. TSS, selectors and their base/limit/access rights, etc. - check the guest state. Enable as few features as possible in the execution controls (no EPT, no exceptions in the exception bitmap). If you have...
by tangptr
Fri Jul 06, 2018 6:38 am
Forum: General Discussion
Topic: Hooking Memory Controller Routines
Replies: 4
Views: 5491

Re: Hooking Memory Controller Routines

Happy New Year! If the memory controller was indeed hooked and an attempt to capture every read/write/execute is made, then would it not be possible to know which thread is accessing which memory cell and every detail associated with the request, such as Thread PID 00232 accessing Memory location x0...
by tangptr
Thu Jul 05, 2018 9:57 am
Forum: Kernel-Mode Development
Topic: Breakpoints matters?
Replies: 2
Views: 2324

Breakpoints matters?

I was writing code to build a hypervisor (based on Intel VT-x) in the system. But something I don't understand occurred: If I set a breakpoint at the guest rip, or even some instructions after, the breakpoint would hit but continuing the execution is fine. Nothing bad happens. If I don't set any brea...
by tangptr
Thu Mar 22, 2018 8:43 pm
Forum: Kernel-Mode Development
Topic: Is it possible to remove a file protected by a file system filter driver?
Replies: 13
Views: 13461

Re: Is it possible to remove a file protected by a file system filter driver?

Well, you may analyze the file system by reading and writing the disk directly. Writing disk sections via the disk miniport driver (SCSI instructions) may penetrate disk recovery protection.