Search found 211 matches

by Brock
Fri Mar 24, 2017 3:36 am
Forum: General Discussion
Topic: Cybellum - another pseudo security company from Israel
Replies: 9
Views: 22153

Re: Cybellum - another pseudo security company from Israel

They're calling this a post-breach attack. You know, the kind that aren't practical unless your system is actually breached and the compromised user account is in the Administrators group :lol:

by Brock
Thu Mar 23, 2017 8:20 pm
Forum: General Discussion
Topic: Cybellum - another pseudo security company from Israel
Replies: 9
Views: 22153

Re: Cybellum - another pseudo security company from Israel

@aionescu, Yes, Cybellum is a joke. As soon as any of us saw them claiming "0-day" it became a comical matter. A grab your popcorn and soda type of event for the masses in the security industry. My point about your post is if you've based your Appverifier example on another's work cite the source/re...

by Brock
Thu Mar 23, 2017 8:28 am
Forum: General Discussion
Topic: Cybellum - another pseudo security company from Israel
Replies: 9
Views: 22153

Re: Cybellum - another pseudo security company from Israel

Look at Yang's example hook within his verifier module here https://blogs.msdn.microsoft.com/reiley/2012/08/17/a-debugging-approach-to-application-verifier/ and then at Ionescu's example, 3 years later! https://github.com/ionescu007/HookingNirvana/blob/master/verif.dll/verif.c Ionescu shouldn't be c...

by Brock
Thu Mar 16, 2017 2:19 am
Forum: General Discussion
Topic: TCPView Source Code
Replies: 25
Views: 37753

Re: TCPView Source Code

[1] Yes, as a matter of fact in Vista the Windows Firewall itself is built on WFP. [2] It is certainly *possible* to circumvent almost any security mechanism; it's always a cat and mouse game. I focus more on probability and not so much possibility. If malware has clever tricks, locates a bug in said ...

by Brock
Wed Mar 15, 2017 7:25 am
Forum: General Discussion
Topic: TCPView Source Code
Replies: 25
Views: 37753

Re: TCPView Source Code

As Vrtule mentioned in his post, you can use ALE with WFP and identify things such as the process information you seek. It's a layer that makes it possible to identify the application associated with the network operation(s). Refer to WDK's WFP layered samples under \src\network\trans. "inspect" sam...

by Brock
Tue Mar 14, 2017 5:03 am
Forum: General Discussion
Topic: TCPView Source Code
Replies: 25
Views: 37753

Re: TCPView Source Code

Windows Filtering Platform (WFP) is what you want to be using. WFP is supported on Vista SP2+ and supports callout drivers as well as usermode API to filter and inspect network data. Microsoft designed WFP to replace NDIS, TDI, LSP etc. It's why I mentioned in my previous post that Microsoft is "pus...

by Brock
Sat Mar 11, 2017 2:45 am
Forum: General Discussion
Topic: TCPView Source Code
Replies: 25
Views: 37753

Re: TCPView Source Code

GetExtendedTcp/UdpTable() is usermode API only. There is a subset of IP helper APIs for kernel mode drivers though, see here https://msdn.microsoft.com/en-us/windows/hardware/drivers/network/ip-helper - you might also look into NDIS, TDI (supposedly phased out since Vista and no longer supported by ...

by Brock
Fri Mar 10, 2017 5:29 am
Forum: General Discussion
Topic: TCPView Source Code
Replies: 25
Views: 37753

Re: TCPView Source Code

Yes, that is the code used in TCPView, but not all of it as it's missing some modules and from what I see supported < XP but doesn't show the code to handle process names in Windows 2000 and NT. Anyhow, on XP+ it uses the IP Helper APIs GetExtendedTcpTable and GetExtendedUDPTable to list connections...

by Brock
Mon Feb 27, 2017 10:46 am
Forum: Kernel-Mode Development
Topic: How can I distinguish shutdown or reboot in kernel mode?
Replies: 9
Views: 17084

Re: How can I distinguish shutdown or reboot in kernel mode?

vs2099,

You have to register with a call to IoRegisterShutdownNotification(), are you doing this?

by Brock
Thu Feb 23, 2017 1:55 am
Forum: Kernel-Mode Development
Topic: Integrity check of DLL from Driver
Replies: 3
Views: 9954

Re: Integrity check of DLL from Driver

Unfortunately (from what I know anyhow) BCrypt is only available on newer/modern versions of Windows. If you plan to support legacy OS then you'll likely have to implement this by hand I guess. I have a friend who did exactly this by writing his own authenticode/ASN parser, implementing his own SHA ...