Hey thanks again guys,
0x16, the trick is simple: just unload avipbb.sys from memory, and then call NtCreatePagingFile, which then returns 0 gracefully.
No, I don't think protection mechanisms are effective only by hooking; I'm just very curious to know how they made it, and yes, it can be useful in malicious code, but that's not my case, I hate malware stuff.
Finally, I've made it work with Avira by doing a trick, but I don't understand how Avira protects itself from the trick (it was returning STATUS_DENIED). I've restored the SSDT and Shadow SSDT, I've seen 3 notify callbacks for create process, create thread and load image, nothing hooked in the NTFS major handlers or n...
Just found out the answer to my own question, in case anyone gets interested: "On Vista, if your .exe already has an embedded manifest, the external manifest will be ignored and the embedded manifest is used. (This is the opposite of the XP case... on XP, the external manifest is used in this case.)" http://social.m...
Amazing idea 0x16/7ton, I just tested it in WinXP SP3 32-bit and it works like a charm, but it doesn't in Win 7 x64. Can someone please explain to me the internals of the idea? Why doesn't it run? Is it the PE loader that checks .manifest for invalid configs and refuses to run the .exe? Anyone know why it doe...
Anyone got CVE-2012-5076?
Thanks EP_X0FF, it looks like it really is the best solution: checking the prologue in the file and comparing it with the one mapped in memory. Could you please send me, or tell me where I can find, all versions of at least kernel32.dll and ntdll.dll?
Hello, I'm trying to build an r3 unhooker and I'd like to know if it is possible for ntdll.dll or any other Microsoft DLL to change its prologue signature from version to version? Can it change? Example:
776B0B12 > 8BFF MOV EDI,EDI
776B0B14 55 PUSH EBP
776B0B15 8BEC MOV EBP,ESP
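The disk-versus-memory prologue check that the two posts above settle on, as an added example (this is not code from the thread or from any of the posters). It takes the first n bytes of a function as they are in a private mapping of the module file and the same bytes read from the loaded image, reports the first differing offset, and classifies the detour that now sits at the entry point (E9 rel32, FF 25 indirect jump, push/ret, or the EB F9 short jump written over MOV EDI,EDI by hotpatch-style hooks). Because the reference is the on-disk copy of the same file, the check does not depend on the prologue being 8BFF 55 8BEC, which is only the x86 hotpatch padding and is absent on x64 builds. Assumptions: a 32-bit image; the sample byte strings are constructed for this example; the address 0x776B0B12 is taken from the post and is used only to resolve relative targets; reading the real bytes (file mapping, ReadProcessMemory, VirtualProtect/WriteProcessMemory to restore) and applying base relocations to the disk copy before comparing are left to the caller.

```c
/*
 * Added example, not from the thread: compare a function prologue from the
 * on-disk module against the bytes mapped in the process and classify the hook.
 * Sample bytes below are constructed; 0x776B0B12 is the VA quoted in the post.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    PROLOGUE_INTACT = 0,
    HOOK_JMP_REL32,       /* E9 rel32                       */
    HOOK_JMP_INDIRECT,    /* FF 25 addr32 (jmp dword ptr [])*/
    HOOK_PUSH_RET,        /* 68 imm32 ; C3                  */
    HOOK_HOTPATCH_SHORT,  /* EB F9 written over MOV EDI,EDI */
    HOOK_UNKNOWN_PATCH    /* bytes differ, shape not known  */
} hook_kind;

typedef struct {
    hook_kind kind;
    size_t    first_diff;  /* offset of first differing byte; n when intact */
    uint32_t  target;      /* detour destination when resolvable, else 0   */
} hook_report;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* func_va: address of the function in the live 32-bit process.
 * disk:    first n bytes from a private mapping of the module file, with
 *          base relocations already applied so absolute operands match.
 * mem:     the same n bytes read from the loaded image. */
hook_report check_prologue(uint32_t func_va, const uint8_t *disk,
                           const uint8_t *mem, size_t n)
{
    hook_report r = { PROLOGUE_INTACT, n, 0 };
    size_t i;

    for (i = 0; i < n; i++)
        if (disk[i] != mem[i]) { r.first_diff = i; break; }
    if (i == n)
        return r;

    /* Classify by what now sits at the entry point. */
    if (n >= 5 && mem[0] == 0xE9) {
        r.kind   = HOOK_JMP_REL32;
        r.target = func_va + 5 + rd32le(mem + 1);  /* wraps mod 2^32 like the CPU */
    } else if (n >= 6 && mem[0] == 0xFF && mem[1] == 0x25) {
        r.kind   = HOOK_JMP_INDIRECT;
        r.target = rd32le(mem + 2);                /* address of the pointer slot */
    } else if (n >= 6 && mem[0] == 0x68 && mem[5] == 0xC3) {
        r.kind   = HOOK_PUSH_RET;
        r.target = rd32le(mem + 1);
    } else if (n >= 2 && mem[0] == 0xEB && mem[1] == 0xF9) {
        r.kind   = HOOK_HOTPATCH_SHORT;
        r.target = func_va - 5;                    /* the 5-byte pad before the function */
    } else {
        r.kind = HOOK_UNKNOWN_PATCH;
    }
    return r;
}

/* Write the disk bytes back over a writable copy of the prologue.  A real r3
 * unhooker does this through VirtualProtect + WriteProcessMemory.  Returns the
 * number of bytes that had to be rewritten. */
size_t restore_prologue(uint8_t *mem, const uint8_t *disk, size_t n)
{
    size_t changed = 0;
    for (size_t i = 0; i < n; i++)
        if (mem[i] != disk[i]) { mem[i] = disk[i]; changed++; }
    return changed;
}

/* Constructed samples: x86 prologue MOV EDI,EDI; PUSH EBP; MOV EBP,ESP; SUB ESP,10h */
const uint8_t  SAMPLE_DISK[8]     = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
const uint8_t  SAMPLE_CLEAN[8]    = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
const uint8_t  SAMPLE_JMP[8]      = {0xE9,0xE9,0x04,0x95,0x98,0x83,0xEC,0x10}; /* jmp 10001000h */
const uint8_t  SAMPLE_PUSHRET[8]  = {0x68,0x00,0x10,0x00,0x10,0xC3,0xEC,0x10}; /* push 10001000h; ret */
const uint8_t  SAMPLE_HOTPATCH[8] = {0xEB,0xF9,0x55,0x8B,0xEC,0x83,0xEC,0x10}; /* jmp short $-5 */
const uint32_t SAMPLE_VA          = 0x776B0B12u;

int main(void)
{
    const struct { const char *name; const uint8_t *mem; } cases[] = {
        {"clean", SAMPLE_CLEAN}, {"jmp rel32", SAMPLE_JMP},
        {"push/ret", SAMPLE_PUSHRET}, {"hotpatch", SAMPLE_HOTPATCH},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        hook_report r = check_prologue(SAMPLE_VA, SAMPLE_DISK, cases[i].mem, sizeof SAMPLE_DISK);
        printf("%-10s kind=%d first_diff=%zu target=%08X\n",
               cases[i].name, (int)r.kind, r.first_diff, r.target);
    }
    return 0;
}
```

For the relocation caveat: the disk copy must be rebased to the load address the loaded image actually got before the byte compare, otherwise every absolute operand in the function body shows up as a false positive; the typical x86 prologue contains none, which is why the first few bytes are the cheapest place to compare.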
Anyone got CVE-2012-1723 and CVE-2012-0507?
No Metasploit shit please.