Search found 211 matches

by Brock
Thu May 26, 2011 1:21 am
Forum: User-Mode Development
Topic: Assembler Disassembler Engines
Replies: 16
Views: 71935

Re: Assembler Disassembler Engines

Disassembler written in Delphi for x86 platform written by Rllibby who frequents the experts exchange website. It's a port from the libdisasm project. http://www.programmersheaven.com/download/32918/0/ZipView.aspx //////////////////////////////////////////////////////////////////////////////// // //...
by Brock
Wed May 25, 2011 3:32 pm
Forum: Tools/Software
Topic: DrvMon
Replies: 51
Views: 61977

Re: DrvMon

Agreed.
by Brock
Wed May 25, 2011 3:27 pm
Forum: Tools/Software
Topic: DrvMon
Replies: 51
Views: 61977

Re: DrvMon

I assume there are definitely more that could freeze the system up; this is exactly why I incorporate a core system driver loading allowance. And yes, it seems that denying other drivers such as kmixer.sys can also potentially lock the system up too, from what I noticed in my own testing. It seems lega...
by Brock
Wed May 25, 2011 5:04 am
Forum: Tools/Software
Topic: DrvMon
Replies: 51
Views: 61977

Re: DrvMon

I think r2nwcnydc is talking about TARGETTYPE=EXPORT_DRIVER, which is a kernel-mode DLL. It's like any other module loaded in kernel mode with respect to the fact that if it doesn't return STATUS_SUCCESS from its main routine it's immediately unmapped from memory; the same rule applies to DriverEntry in stan...
by Brock
Tue May 24, 2011 7:36 pm
Forum: Tools/Software
Topic: DrvMon
Replies: 51
Views: 61977

Re: DrvMon

I achieve the same thing with a load image callback / notify routine, and inside the callback, after calculating the OEP, I deny drivers with a STATUS_UNSUCCESSFUL return as well. This is the most practical and logical thing to do in my honest opinion. Faking STATUS_SUCCESS could potentially be a bad thing...
by Brock
Sun May 22, 2011 6:32 pm
Forum: Tools/Software
Topic: DrvMon
Replies: 51
Views: 61977

Re: DrvMon

@EP_X0FF: To reproduce the Windows component blocking issue, a simple test such as this works. Try this under Windows XP x86. Open DrvMon and deny all driver loading, then right-click the desktop, choose "Properties" and then the "Settings" tab, which will show your display settings. Hopefully, vga.d...
by Brock
Sun May 22, 2011 5:26 am
Forum: Tools/Software
Topic: DrvMon
Replies: 51
Views: 61977

Re: DrvMon

@EP_X0FF [1] I've compiled a quick PoC using a small C-written driver; it simply supports standard DriverEntry and DriverUnload routines and prints debug messages proving it bypassed DrvMon and was loaded successfully even with DrvMon's "deny drivers loading" checked. The messages can be seen with...
by Brock
Sat May 21, 2011 9:28 pm
Forum: Tools/Software
Topic: DrvMon
Replies: 51
Views: 61977

Re: DrvMon

@EP_X0FF & Fyyre: I wrote something identical to this months back for the same purpose, which is the collection of malware drivers, so I decided to leave you some constructive criticism. This DrvMon tool's "concept" is great, but the actual tool itself needs to address some major issues... ;) [1] DrvMo...
by Brock
Sat Nov 06, 2010 1:16 am
Forum: Tools/Software
Topic: Another ARK
Replies: 14
Views: 16925

Re: Another ARK

xqrzd - SoftWorkz Innovation is the activation partner; take it up with them and inquire as to why it would falsely report the disk as full. Check the dna.dll file; it's not copyrighted to NoVirusThanks Company.
by Brock
Fri Nov 05, 2010 1:17 am
Forum: Tools/Software
Topic: Another ARK
Replies: 14
Views: 16925

Re: Another ARK

Revisit http://novirusthanks.org; a fully unrestricted evaluation / 24-hour trial of NoVirusThanks Anti-Rootkit is now available. After you're done downloading the trial setup and you are prompted with a product activation screen, click "Request Eval Code" and enter a valid email address. After you o...