Search found 4223 matches

by EP_X0FF
Fri Jun 08, 2018 6:53 pm
Forum: Kernel-Mode Development
Topic: Is possible remove a file protected by a file system filter driver?
Replies: 13
Views: 4525

Re: Is possible remove a file protected by a file system filter driver?

Do you want me to close all your topics?

One more time -> RTFM.
by EP_X0FF
Fri Jun 01, 2018 5:24 pm
Forum: Newbie Questions
Topic: It is normal when i have unsigned driver loaded in my Kernel?
Replies: 9
Views: 1210

Re: It is normal when i have unsigned driver loaded in my Kernel?

Do you understand that everything (or 99.9%) of what this tool is capable of detecting doesn't work on Windows 10 by design, and 100% of TDSSKiller-detected bootkits don't work with GPT? Why this BSOD generator doesn't work in normal mode is a question for Kaspersky TDSSKiller support, not here.
by EP_X0FF
Thu May 31, 2018 4:06 am
Forum: Newbie Questions
Topic: It is normal when i have unsigned driver loaded in my Kernel?
Replies: 9
Views: 1210

Re: It is normal when i have unsigned driver loaded in my Kernel?

You have EFI boot, GPT partition table, x64 Windows 10. I suppose SecureBoot is also present. First, you don't need the Kaspersky BSOD generator, and second, I suppose that to keep it "working" on every new Windows release they need to push updates to it too.
by EP_X0FF
Wed May 30, 2018 4:13 am
Forum: Newbie Questions
Topic: It is normal when i have unsigned driver loaded in my Kernel?
Replies: 9
Views: 1210

Re: It is normal when i have unsigned driver loaded in my Kernel?

Monitor.sys is a part of the Windows OS; it is installed via the inf file monitor.inf located in the windows\inf folder. This file has no embedded signature and is signed via a catalog file. The catalog file is located in the Windows\System32\CatRoot directory. For example, for monitor.sys from Windows 2012 R2 the catalog file is C...
by EP_X0FF
Sun May 27, 2018 3:29 am
Forum: Newbie Questions
Topic: It is normal when i have unsigned driver loaded in my Kernel?
Replies: 9
Views: 1210

Re: It is normal when i have unsigned driver loaded in my Kernel?

Please show this entry from the log, no telepaths here.
by EP_X0FF
Mon May 21, 2018 9:18 am
Forum: Kernel-Mode Development
Topic: why ExFreePool will blue screen
Replies: 3
Views: 563

Re: why ExFreePool will blue screen

Are you kidding or what?

You allocated a 4-byte buffer and passed it to the function, giving its size as 36 bytes.

You don't need to allocate memory for PROCESS_DEVICEMAP_INFORMATION. It is a structure with a fixed size.
by EP_X0FF
Sat May 05, 2018 5:03 am
Forum: Newbie Questions
Topic: Dont know what this exe does
Replies: 1
Views: 766

Re: Dont know what this exe does

It is a trojan downloader. Obfuscated strings from inside: "Software\\Microsoft" "\\Windows\\Currentversion\\Run" "Taskhst" "Environment" "Cq" "cmd /c start %Cq% " "&& exit" "ntuser" "toolsd.exe" "aday.primeservices.mobi" "/IXR/goprim.php" "Connection: keep-alive" "Content-type: application/x-www-form...
by EP_X0FF
Thu May 03, 2018 8:28 am
Forum: Kernel-Mode Development
Topic: need help Explain this code
Replies: 6
Views: 893

Re: need help Explain this code

This driver constructs shellcode at runtime in memory allocated from the NonPaged pool, hooks the IRPs of some legitimate MS drivers and quits, leaving the shellcode working in callback routines. Later the driver file can be removed by the loader. That's why there is no "file" and "ark" won't detect it as a "driver". However ...
by EP_X0FF
Wed May 02, 2018 4:15 am
Forum: Kernel-Mode Development
Topic: need help Explain this code
Replies: 6
Views: 893

Re: need help Explain this code

It is DriverEntry. That's all you can get as an answer from posting a raw IDA Hex-Rays dump. If you seriously want help then you should attach the actual file, not a useless Hex-Rays dump.