Search found 199 matches

by Brock
Wed May 23, 2018 11:32 pm
Forum: Kernel-Mode Development
Topic: why ExFreePool will blue screen
Replies: 3
Views: 589

Re: why ExFreePool will blue screen

@lwbkm,

When you graduate to better understanding kernel memory allocation and general management, you might also strongly consider, on Windows 8+ anyhow, using ExAllocatePool(NonPagedPoolNx, ...) or the newer compiler's opt-in flag instead of the NonPagedPool type. It's just a best practice, is all.
by Brock
Sat Apr 28, 2018 4:31 pm
Forum: Kernel-Mode Development
Topic: how to delete driver file and still Keep communication
Replies: 10
Views: 1616

Re: how to delete driver file and still Keep communication

Recently I am writing a rootkit software
This board doesn't support authoring of rootkits.
by Brock
Thu Feb 22, 2018 10:27 pm
Forum: Kernel-Mode Development
Topic: ObRegisterCallbacks return 0xC0000022 error
Replies: 2
Views: 1357

Re: ObRegisterCallbacks return 0xC0000022 error

Vrtule's way should work fine for you. If you want a link-time option, though, you can simply use the /INTEGRITYCHECK flag.
by Brock
Wed Dec 20, 2017 5:58 pm
Forum: Kernel-Mode Development
Topic: How to redirect registry key in registry callback?
Replies: 4
Views: 5115

Re: How to redirect registry key in registry callback?

Microsoft's sample code doesn't work on Microsoft's Regedit? What do you mean it "cannot" work? Have you verified this with other registry editors/viewers?
by Brock
Wed Dec 20, 2017 8:26 am
Forum: Kernel-Mode Development
Topic: How to redirect registry key in registry callback?
Replies: 4
Views: 5115

Re: How to redirect registry key in registry callback?

This should help you override and redirect the operation, but I haven't tested it.

http://joyasystems.com/sample-code%2FWi ... s%2Fpost.c

*see example CallbackPostNotificationOverrideError()*
by Brock
Wed Nov 22, 2017 1:28 pm
Forum: Kernel-Mode Development
Topic: Invalid ProcessId in LoadImageNotifyRoutine
Replies: 2
Views: 3459

Re: Invalid ProcessId in LoadImageNotifyRoutine

If you're attempting to use Load Image notify routines as a source for tracking newly created processes, you're better off using PsSetCreateProcessNotifyRoutine since it was designed solely for this purpose. About the issue you're experiencing with PsSetLoadImageNotifyRoutine, any section created and...
by Brock
Mon Nov 13, 2017 3:13 pm
Forum: Newbie Questions
Topic: Pls help find malware
Replies: 3
Views: 5456

Re: Pls help find malware

@lili, if you're using IDA Pro 6.2+ you can switch into the user-friendly Proximity View, which will disassemble a complete call graph for you. The data and function code are separated for easy browsing and are displayed via tree nodes for simplified exploration. If you're looking for an in-depth guide ...
by Brock
Mon Oct 02, 2017 9:29 pm
Forum: Kernel-Mode Development
Topic: Some create process notifications cannot be removed
Replies: 6
Views: 8086

Re: Some create process notifications cannot be removed

Very possibly the function is hooked, as indicated by tcxyqs. Malware has done this to do as he said, that is, to prevent the removal of a callback it has installed, so it guards it if the 2nd param of the function is set to TRUE (Removal). Anyhow, where are you calling PsSetCreateProcessNotifyRouti...
by Brock
Mon Sep 11, 2017 3:27 pm
Forum: Newbie Questions
Topic: trouble: 2 threads accessing simultaneous the same item of a
Replies: 4
Views: 9993

Re: trouble: 2 threads accessing simultaneous the same item

Vrtule is right; however, if you want to use WinAPI directly, it's only a few lines of code and you don't need classes or OO for it.

var CritSec: RTL_CRITICAL_SECTION;
procedure EnterLock; begin EnterCriticalSection(CritSec); end;
procedure LeaveLock; begin LeaveCriticalSection(CritSec); end;
procedure...
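
The following is an added example, not code from Brock's post, that carries his sketch through to a complete Delphi console program: a plain RTL_CRITICAL_SECTION guarding a shared record, two threads started with CreateThread directly (no TThread, no classes), and try/finally around every protected access. The shared TItem record, the UpdateItem helper and the 100000-iteration count are constructed for the demonstration and are not from the thread.

```pascal
program SharedItemLock;
{$APPTYPE CONSOLE}

uses
  Windows, SysUtils;

type
  // Constructed shared item: the "same item" two threads write concurrently.
  TItem = record
    Counter: Integer;
    LastWriter: Char;
  end;

var
  CritSec: RTL_CRITICAL_SECTION;
  Item: TItem;

procedure EnterLock;
begin
  EnterCriticalSection(CritSec);
end;

procedure LeaveLock;
begin
  LeaveCriticalSection(CritSec);
end;

// Every read-modify-write of Item goes through the lock. try/finally makes
// sure the section is released even if the protected code raises; leaving
// it held is what stalls the other thread forever.
procedure UpdateItem(Writer: Char);
begin
  EnterLock;
  try
    Inc(Item.Counter);
    Item.LastWriter := Writer;
  finally
    LeaveLock;
  end;
end;

// Thread entry point in plain WinAPI form; Param is a PChar naming the writer.
function Worker(Param: Pointer): DWORD; stdcall;
var
  I: Integer;
begin
  for I := 1 to 100000 do
    UpdateItem(PChar(Param)^);
  Result := 0;
end;

var
  Threads: array[0..1] of THandle;
  ThreadId: DWORD;
begin
  // Threads made with CreateThread bypass TThread, so tell the Delphi memory
  // manager explicitly that it is now running multi-threaded.
  IsMultiThread := True;
  InitializeCriticalSection(CritSec);
  try
    Item.Counter := 0;
    Item.LastWriter := '-';

    Threads[0] := CreateThread(nil, 0, @Worker, PChar('A'), 0, ThreadId);
    Threads[1] := CreateThread(nil, 0, @Worker, PChar('B'), 0, ThreadId);
    if (Threads[0] = 0) or (Threads[1] = 0) then
      RaiseLastOSError;

    WaitForMultipleObjects(2, PWOHandleArray(@Threads), True, INFINITE);
    CloseHandle(Threads[0]);
    CloseHandle(Threads[1]);

    // With the lock in place Counter is exactly 200000; remove EnterLock and
    // LeaveLock from UpdateItem and the racing increments come up short.
    Writeln(Format('Counter=%d LastWriter=%s', [Item.Counter, Item.LastWriter]));
  finally
    DeleteCriticalSection(CritSec);
  end;
end.
```

The one rule the program enforces is that no code path touches Item outside EnterLock/LeaveLock; the moment a second access site forgets the lock, the counter check at the end is the quickest way to see the race reappear.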
by Brock
Fri Sep 08, 2017 10:58 am
Forum: Kernel-Mode Development
Topic: WIN64 Driver Development Basic Tutorial
Replies: 19
Views: 35758

Re: WIN64 Driver Development Basic Tutorial

EP_X0FF has already answered your question: kernelmode.info is not affiliated with other forums or websites, so we (members here) have no knowledge of another forum's rules and regulations, registration procedures, etc. That would be like asking Microsoft for your forgotten Yahoo email password, they ...