Search found 38 matches

by evelyette
Thu Feb 23, 2017 7:55 am
Forum: Kernel-Mode Development
Topic: Integrity check of DLL from Driver
Replies: 3
Views: 9948

Re: Integrity check of DLL from Driver

My plan is to support versions from Windows 7 (including) upwards; however if this is considerably easier in Windows 8.1+ I might not bother with Windows 7. Can you provide a link to BCrypt? So all other AV vendors out there are also doing this manually, which makes this a likely issue where they ge...
by evelyette
Wed Feb 22, 2017 11:26 pm
Forum: Kernel-Mode Development
Topic: Integrity check of DLL from Driver
Replies: 3
Views: 9948

Integrity check of DLL from Driver

Hi, I'm interested in knowing how one can verify the integrity of the DLL from a kernel-mode driver prior to DLL being injected into the application. I'm basically looking for a kernel-mode WinVerifyTrustEx. I've seen the https://msdn.microsoft.com/en-us/library/aa376210(v=vs.85).aspx , but it doesn...
by evelyette
Mon Feb 13, 2017 6:50 pm
Forum: Kernel-Mode Development
Topic: Mapping ntdll.dll into kernel-mode memory
Replies: 2
Views: 8609

Re: Mapping ntdll.dll into kernel-mode memory

Hello, Yes, you can retrieve the system service indexes from a mapped view of the already existing KnownDlls\ntdll.dll section. You have to open the section first with SECTION_MAP_READ then map the view into kernel space with PAGE_READONLY, locate the export directory (RtlImageDirectoryEntryToData)...
by evelyette
Fri Feb 10, 2017 11:01 pm
Forum: Kernel-Mode Development
Topic: Mapping ntdll.dll into kernel-mode memory
Replies: 2
Views: 8609

Mapping ntdll.dll into kernel-mode memory

Hi, The http://www.rohitab.com/discuss/topic/42451-mapping-ntdll-into-kernel-memory-and-read-the-ssdt-index-of-system-service-functions/ article obtains the indexes of SSDT entries by doing the following: 1. ZwOpenFile : Open the "\SystemRoot\System32\ntdll.dll" file. 2. ZwQueryInformationFile : Obt...
by evelyette
Wed Jul 20, 2016 5:48 pm
Forum: User-Mode Development
Topic: Monitoring Processes on Windows NT from Usermode (x86 & x64)
Replies: 19
Views: 46253

Re: Monitoring Processes on Windows NT from Usermode (x86 &

I realize this is an old thread, but I've been experimenting with the AppCertDlls technique on Windows 7 and Windows 10, and while the DLL library is injected into some processes, it isn't injected into others. The library is injected into session 0 processes like the following: - svchost.exe: only one o...
by evelyette
Sun May 22, 2016 9:25 am
Forum: General Discussion
Topic: Internals of file integrity checking
Replies: 11
Views: 20537

Re: Internals of file integrity checking

@evelyette, Have you tried running something like Rohitab's API Monitor on SFC.exe and SysInspector.exe? You might try doing this in order to track down dynamic API calls. http://www.rohitab.com/apimonitor Best Regards, Brock

Yeah, I'm using it constantly; it's a great application. However, it doesn...
by evelyette
Wed May 18, 2016 8:09 pm
Forum: General Discussion
Topic: Internals of file integrity checking
Replies: 11
Views: 20537

Re: Internals of file integrity checking

Hi, I've enabled loader snaps and the following is displayed in WinDbg; note that when IE is running under ESET's protected mode, IE is unable to load the DLL, regardless of whether a debugger is attached or not. 0810:0704 @ 53652843 - LdrpResolveFileName - ENTER: DLL name: C:\Windows\system32\t...
by evelyette
Tue May 17, 2016 10:41 pm
Forum: General Discussion
Topic: Internals of file integrity checking
Replies: 11
Views: 20537

Re: Internals of file integrity checking

One more thing. When starting IE in the protected mode provided by ESET, we can attach to iexplore.exe with WinDbg, but IE will fail to load any DLL. WinDbg will display a number of messages like this, where it wants to load titan.dll, which is available in the system32 folder, but WinDbg fails to...
by evelyette
Sun May 15, 2016 7:37 am
Forum: General Discussion
Topic: Internals of file integrity checking
Replies: 11
Views: 20537

Re: Internals of file integrity checking

I've set a breakpoint on WinVerifyTrust in WinDbg, which can be seen in the picture below, but the breakpoint wasn't hit when starting ESET SysInspector or sfc.exe, so I'm assuming that function isn't being used to check the integrity of files. winverify.png I've also run the sfc.exe command like th...
by evelyette
Sat May 14, 2016 5:08 pm
Forum: General Discussion
Topic: Internals of file integrity checking
Replies: 11
Views: 20537

Re: Internals of file integrity checking

Hi, I've used the following program (obtained from https://msdn.microsoft.com/en-us/library/windows/desktop/aa382384(v=vs.85).aspx ), which calls the WinVerifyTrust manually. //------------------------------------------------------------------- // Copyright (C) Microsoft. All rights reserved. // Exa...