A forum for reverse engineering, OS internals and malware analysis 


Re: AvLock Method

 by listito ¦  Sun Jun 23, 2013 1:48 pm ¦  Forum: Tools/Software ¦  Topic: AvLock Method ¦  Replies: 19 ¦  Views: 38169

Hey thanks again guys,

0x16, the trick is simple: just unload avipbb.sys from memory and then call NtCreatePagingFile, which then returns 0 gracefully.

Re: AvLock Method

 by listito ¦  Sun Jun 23, 2013 7:12 am ¦  Forum: Tools/Software ¦  Topic: AvLock Method ¦  Replies: 19 ¦  Views: 38169

Hey EP_X0FF

No, I don't think protection mechanisms are effective only by hooking. I'm just very curious to know how they made it, and yes, it can be useful in malicious code, but that's not my case; I hate malware stuff.

Re: AvLock Method

 by listito ¦  Sat Jun 22, 2013 5:53 am ¦  Forum: Tools/Software ¦  Topic: AvLock Method ¦  Replies: 19 ¦  Views: 38169

Finally I've made it work with Avira by doing a trick, but I don't understand how Avira protects itself from the trick (it was returning STATUS_DENIED). I've restored the SSDT and ShadowSSDT, I've seen 3 notify callbacks for createprocess, createthread and loadimage, nothing hooked in the NTFS major handlers or n...

Re: AvLock Method

 by listito ¦  Tue Jun 11, 2013 7:39 am ¦  Forum: Tools/Software ¦  Topic: AvLock Method ¦  Replies: 19 ¦  Views: 38169

Just found out the answer to my own question, in case anyone is interested: "On Vista, If your .exe already have embedded manifest, the external manifest will be ignored and embedded manifest is used. (This is opposite from XP case.. on XP, external manifest is used on this case.)" http://social.m...

Re: AvLock Method

 by listito ¦  Tue Jun 11, 2013 7:30 am ¦  Forum: Tools/Software ¦  Topic: AvLock Method ¦  Replies: 19 ¦  Views: 38169

Amazing idea 0x16/7ton, I just tested it on WinXP SP3 32-bit and it works like a charm, but it doesn't on Win 7 x64. Can someone please explain to me the internals of the idea? Why doesn't it run? Is it the PE loader that checks for invalid .manifest configs and refuses to run the .exe? Anyone know why it doe...

Re: Zero Day Java Exploits(All Java Exploits goes here)

 by listito ¦  Tue Dec 04, 2012 1:42 pm ¦  Forum: Malware ¦  Topic: Zero Day Java Exploits(All Java Exploits goes here) ¦  Replies: 68 ¦  Views: 320333

Anyone got CVE-2012-5076?

Re: Portable ring3 hooks

 by listito ¦  Thu Nov 08, 2012 9:08 pm ¦  Forum: Newbie Questions ¦  Topic: Portable ring3 hooks ¦  Replies: 6 ¦  Views: 7049

Thanks EP_X0FF, it looks like it really is the best solution: checking the prologue in the file and comparing it with the one mapped in memory. Could you please send me, or tell me where I can find, all versions of at least kernel32.dll and ntdll.dll?

Re: Portable ring3 hooks

 by listito ¦  Mon Nov 05, 2012 8:15 pm ¦  Forum: Newbie Questions ¦  Topic: Portable ring3 hooks ¦  Replies: 6 ¦  Views: 7049

OK, thanks for the reply wacked. The APIs I'm going to unhook are just a very few, so I'm thinking about restoring the first 6 bytes :)

Portable ring3 hooks

 by listito ¦  Mon Nov 05, 2012 5:46 pm ¦  Forum: Newbie Questions ¦  Topic: Portable ring3 hooks ¦  Replies: 6 ¦  Views: 7049

Hello, I'm trying to build an r3 unhooker and I'd like to know if it is possible for ntdll.dll or any other Microsoft DLL to change its prologue signature from version to version? Can it change? Example:

776B0B12 > 8BFF     MOV EDI,EDI
776B0B14   55       PUSH EBP
776B0B15   8BEC     MOV EBP,ESP

Re: Zero Day Java Exploits(All Java Exploits goes here)

 by listito ¦  Thu Aug 30, 2012 1:29 pm ¦  Forum: Malware ¦  Topic: Zero Day Java Exploits(All Java Exploits goes here) ¦  Replies: 68 ¦  Views: 320333

Anyone got CVE-2012-1723 and CVE-2012-0507?

No Metasploit shit please.