Search found 4252 matches

by EP_X0FF
Mon Sep 03, 2018 1:41 pm
Forum: Tools/Software
Topic: UACMe - Defeating Windows User Account Control
Replies: 136
Views: 369628

Re: UACMe - Defeating Windows User Account Control

UACMe 3.0.0 released. This release focuses on reimplementing several parts of the program and adding more methods based on autoelevated COM interfaces. These newly discovered undocumented interfaces are included as methods: #49 - based on ICreateNewLink, allows privileged copy function via method "CreateNewL...
by EP_X0FF
Sat Sep 01, 2018 7:37 am
Forum: Malware
Topic: Backdoor Andromeda (waahoo, alias Gamarue)
Replies: 129
Views: 162124

Re: Backdoor Andromeda (waahoo, alias Gamarue)

Microsoft teams up with law enforcement and other partners to disrupt Gamarue (Andromeda) ~ https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/ Mastermind behind sophisticated, massive botnet outs himself ~ htt...
by EP_X0FF
Sat Sep 01, 2018 6:30 am
Forum: Reverse Engineering and Debugging
Topic: MmMapIoSpace on Page Tables (1803/Redstone 4)
Replies: 4
Views: 2074

Re: MmMapIoSpace on Page Tables (1803/Redstone 4)

No way. This behavior is now by _design_. You may try to experiment with something different like MmCopyMemory.
by EP_X0FF
Fri Aug 31, 2018 1:46 pm
Forum: Reverse Engineering and Debugging
Topic: Autoelevated COM objects, list (win7-win10)
Replies: 5
Views: 18437

Re: Autoelevated COM objects, list (win7-win10)

Windows 10 x64, 18219 (19H1) EditionUpgradeHelper Class EditionUpgradeHelper \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{01776DF3-B9AF-4E50-9B1C-56E93116D704} CEIPLuaElevationHelper wercplsupport.dll Customer Experience Improvement Program \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{01D0A625-782D-4777-8...
by EP_X0FF
Fri Aug 31, 2018 1:46 pm
Forum: Reverse Engineering and Debugging
Topic: Autoelevated COM objects, list (win7-win10)
Replies: 5
Views: 18437

Re: Autoelevated COM objects, list (win7-win10)

Windows 10 x64, 17134 (RS4) EditionUpgradeHelper Class EditionUpgradeHelper \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{01776DF3-B9AF-4E50-9B1C-56E93116D704} CEIPLuaElevationHelper wercplsupport.dll Customer Experience Improvement Program \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{01D0A625-782D-4777-8D...
by EP_X0FF
Thu Aug 30, 2018 8:33 am
Forum: Reverse Engineering and Debugging
Topic: MmMapIoSpace on Page Tables (1803/Redstone 4)
Replies: 4
Views: 2074

Re: MmMapIoSpace on Page Tables (1803/Redstone 4)

I noticed that too (it's from earlier insider builds of RS4). This change has broken exploits based on bugged 3rd party drivers allowing access to physical memory (like cpu-z CVE-2017-15303 for example). Apparently this is now by design.
by EP_X0FF
Wed Aug 29, 2018 1:48 pm
Forum: Completed Malware Requests
Topic: Ransomwares Samples
Replies: 1
Views: 808

Re: Ransomwares Samples

Hello,

You have only 1 post on this forum and it is a request. This is not working this way.

http://www.kernelmode.info/forum/viewto ... =20&t=1950

Closed.
by EP_X0FF
Fri Aug 24, 2018 5:49 am
Forum: Tools/Software
Topic: MpEnum - dump all threat families from Windows Defender
Replies: 2
Views: 1565

Re: MpEnum - dump all threat families from Windows Defender

Windows Defender has a pure love for my WinObjEx64. MS schizophrenic automation sometimes casts various idiotic nonsense detections on it, because I use HDE/LDASM etc.
by EP_X0FF
Wed Aug 22, 2018 6:04 am
Forum: Kernel-Mode Development
Topic: Entry point for calling DriverEntry at ntoskrnl (Win10)
Replies: 3
Views: 1039

Re: Entry point for calling DriverEntry at ntoskrnl (Win10)

It should be still there. Look for 0xC0000365 STATUS_FAILED_DRIVER_ENTRY.
by EP_X0FF
Wed Aug 22, 2018 5:31 am
Forum: Newbie Questions
Topic: RtlUnicodeStringCat fails with 0x80000005
Replies: 2
Views: 960

Re: RtlUnicodeStringCat fails with 0x80000005

AFAIK STATUS_BUFFER_OVERFLOW comes from RtlWideCharArrayCopyWorker in this strsafe. Does this also fail? USHORT sz = (prefix.Length * sizeof(WCHAR)) + (path.Length * sizeof(WCHAR)) + 2; fullPathObjectName.Buffer = ExAllocatePoolWithTag(NonPagedPool, sz, 'tGAT'); RtlSecureZeroMemory(fullPathObjectNam...