Search found 21 matches

by 0xC0000022L
Tue Oct 18, 2011 10:33 pm
Forum: Newbie Questions
Topic: Inline patching problem.
Replies: 24
Views: 17016

Re: Inline patching problem.

@r2nwcnydc: good call. +1 rep ;)
by 0xC0000022L
Tue Oct 18, 2011 11:57 am
Forum: Newbie Questions
Topic: Inline patching problem.
Replies: 24
Views: 17016

Re: Inline patching problem.

If I understood correctly, he patches a near jump at the beginning of NtQuerySystemInformation. It only takes two bytes and would overwrite the usual mov edi, edi code sequence (the code sequence exists for that very reason). I'm aware of it. But I would still check up front whether the value is wh...
by 0xC0000022L
Mon Oct 17, 2011 9:41 pm
Forum: General Discussion
Topic: [Poll] What is your home OS?
Replies: 20
Views: 20040

Re: [Poll] What is your home OS?

deco11 wrote: windows 7 ultimate x64 ;)
Ditto.
by 0xC0000022L
Mon Oct 17, 2011 9:40 pm
Forum: Newbie Questions
Topic: Inline patching problem.
Replies: 24
Views: 17016

Re: Inline patching problem.

As you can see I correctly point it to 2 bytes after the beginning because at the original 2 bytes I have the short jump. What I can't understand is why this might be working when I do a SSDT hooking but when I do inline patching it doesn't? Also if you feel like it I'm willing to send you my sourc...
by 0xC0000022L
Mon Oct 17, 2011 3:32 pm
Forum: Newbie Questions
Topic: Inline patching problem.
Replies: 24
Views: 17016

Re: Inline patching problem.

Here is the code which hides a process and works perfectly fine if I perform SSDT hooking, but when I do a detour it makes the whole VM very sluggish

Okay, here's what looks odd to me: myZwQuerySystemInformation is apparently your replacement function (right?), but inside it you call myNtQuerySyste...
by 0xC0000022L
Wed Oct 12, 2011 11:16 am
Forum: Kernel-Mode Development
Topic: NT Design Workbook
Replies: 6
Views: 4509

Re: NT Design Workbook

Thanks, that worked.
by 0xC0000022L
Tue Oct 11, 2011 10:25 pm
Forum: Kernel-Mode Development
Topic: NT Design Workbook
Replies: 6
Views: 4509

Re: NT Design Workbook

Does anyone have a mirror of that file? It appears to be down now. Gives 404.
by 0xC0000022L
Tue Oct 11, 2011 10:24 pm
Forum: Reverse Engineering and Debugging
Topic: Driver Signing
Replies: 5
Views: 7462

Re: Driver Signing

Sorry to bump this post, and correct me if I am wrong, but would this not require either: a. a hard disk modification of ntoskrnl, or b. an in-memory patch? The latter is done by TDL, for example. IIRC TDL will enable WinPE mode (see EP_X0FF's first reply), then does the patching and then turns it off...
by 0xC0000022L
Tue Oct 11, 2011 8:50 pm
Forum: Reverse Engineering and Debugging
Topic: Good resource for learning how to debug & reverse engineer?
Replies: 16
Views: 95709

Re: Good resource for learning how to debug & reverse engine

Giuseppe, your name certainly rings a bell, but where did your blog go meanwhile? You retired your old one, but the new one seems to be inaccessible (or gone) as well. Any ideas anyone ...? :?