Search found 69 matches

by Cr4sh
Mon Jan 18, 2016 8:00 pm
Forum: Newbie Questions
Topic: Peeking the Memory of Another Process
Replies: 3
Views: 5213

Re: Peeking the Memory of Another Process

p1nk wrote: Does this technique still work in Windows 8 / 10 ?
I think the technique itself can work on any operating system.
by Cr4sh
Sun Jan 17, 2016 5:24 pm
Forum: Newbie Questions
Topic: Peeking the Memory of Another Process
Replies: 3
Views: 5213

Re: Peeking the Memory of Another Process

I did similar work with hijacking an existing code page via PDE/PTE manipulations; probably you'll find it useful.
Code: https://github.com/Cr4sh/PTBypass-PoC
Article (rus): https://translate.google.com/translate? ... -post.html
by Cr4sh
Mon Sep 07, 2015 9:14 am
Forum: Kernel-Mode Development
Topic: W8.1/W10 Bootkit
Replies: 10
Views: 14603

Re: W8.1/W10 Bootkit

No one is going to leak any decent and well-coded malware source code to the public. If you're interested in learning about bootloaders, kernels and other low-level stuff -- check the WRK source code and open source implementations of EFI firmware (http://www.tianocore.org/edk2/ for example).
by Cr4sh
Sun Aug 09, 2015 5:31 pm
Forum: Kernel-Mode Development
Topic: Clear WP Bit on x64
Replies: 11
Views: 11574

Re: Clear WP Bit on x64

For user mode pages you should use NtProtectVirtualMemory instead of a WP bit reset.
by Cr4sh
Thu Aug 06, 2015 9:28 pm
Forum: Kernel-Mode Development
Topic: Clear WP Bit on x64
Replies: 11
Views: 11574

Re: Clear WP Bit on x64

Oh, and by the way, you can get the x64 version of common.cpp and other r0 stuff from my more recent project: https://github.com/Cr4sh/ioctlfuzzer/blob/master/src/driver/src/r0_common/common.cpp https://github.com/Cr4sh/ioctlfuzzer/blob/master/src/driver/src/asm/common_asm.h https://github.com/Cr4sh/ioc...
by Cr4sh
Thu Aug 06, 2015 7:11 pm
Forum: Kernel-Mode Development
Topic: Clear WP Bit on x64
Replies: 11
Views: 11574

Re: Clear WP Bit on x64

On SMP enabled systems you also need to be sure that the WP clear and WP set routines will be run on the same CPU; it's a very common mistake, so add a KeSetAffinityThread() call to your code.
by Cr4sh
Mon Jun 22, 2015 5:51 pm
Forum: Malware
Topic: Duqu 2.0
Replies: 18
Views: 33944

Re: Duqu 2.0

Can anyone share a full sample including the VFS image? I'm interested mostly in two files called "CTwoPENC.dll" and "KMART.dll" (unfortunately I don't know their MD5 hashes, idiots from Kaspersky can't even write an adequate analysis report).
by Cr4sh
Sat Jun 13, 2015 8:06 pm
Forum: Malware
Topic: Duqu 2.0
Replies: 18
Views: 33944

Re: Duqu 2.0

r3shl4k1sh wrote: I believe that the Duqu 2.0 team were those who wrote the "report" from Kaspersky...
Probably there is a cease-fire agreement now...
by Cr4sh
Sat Jun 13, 2015 10:47 am
Forum: Malware
Topic: Duqu 2.0
Replies: 18
Views: 33944

Re: Duqu 2.0

My respect to Duqu 2.0 team, all these shitty snake oil sellers from AV companies are totally deserving to be burned into ashes.
by Cr4sh
Sun Mar 22, 2015 5:23 pm
Forum: Tools/Software
Topic: openreil
Replies: 2
Views: 6908

Re: openreil

Anyone who is interested in OpenREIL should also check this blog post: Automated algebraic cryptanalysis with OpenREIL and Z3. It shows that it's relatively easy to use my lib for implementing advanced code analysis primitives like symbolic execution and SMT constraint generation.