A forum for reverse engineering, OS internals and malware analysis 

Search found 32 matches


Re: Alternatives to service method of loading driver

 by kerpow1 ¦  Tue Jan 05, 2016 8:35 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Alternatives to service method of loading driver ¦  Replies: 5 ¦  Views: 8278

I guess so, if dependencies are resolved, as this will just map it straight into kernel memory, and if your entrypoint can be called it could also easily be patched. I am going to try this approach I think; seems easier than debugging event logging or the USN journal just to erase sc logging.. @Vrtule...

Re: Monitoring Windows Services

 by kerpow1 ¦  Sun Jan 03, 2016 10:05 am ¦  Forum: Newbie Questions ¦  Topic: Monitoring Windows Services ¦  Replies: 6 ¦  Views: 7055

You could also parse the USN and Event Log.

Alternatives to service method of loading driver

 by kerpow1 ¦  Sun Jan 03, 2016 10:02 am ¦  Forum: Kernel-Mode Development ¦  Topic: Alternatives to service method of loading driver ¦  Replies: 5 ¦  Views: 8278

Hi, wondering what other ways there are to load a driver which avoid using the Service Control Manager. Currently I use a script which executes dsefix, creates a service, enables the service, then dsefix -e to unload, thus avoiding test mode. The problem with this is that it records events inside USN and Ev...

Re: NtXxx System Call Stub Change in Windows 10 525+

 by kerpow1 ¦  Sat Dec 26, 2015 7:23 pm ¦  Forum: Newbie Questions ¦  Topic: NtXxx System Call Stub Change in Windows 10 525+ ¦  Replies: 2 ¦  Views: 5933

It seems to be for compatibility, I thought this was added into 8?

Re: Invalid value of MMVAD.Subsection on WIN8.1X86 and WIN10

 by kerpow1 ¦  Sun Nov 15, 2015 1:42 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Invalid value of MMVAD.Subsection on WIN8.1X86 and WIN10X86 ¦  Replies: 19 ¦  Views: 21825

typedef enum _WinVer {
    WINVER_7     = 0x0610,
    WINVER_7_SP1 = 0x0611,
    WINVER_8     = 0x0620,
    WINVER_81    = 0x0630,
    WINVER_10    = 0x0A00,
} WinVer;

PVOID GetVAD(HANDLE processID)
{
    PVOID pVadRoot = NULL;
    PEPROCESS pEprocess = NULL;
    __try {
        if (!NT_SUCCESS(PsLookupProcessByProcessId(processID, &pEprocess)))
            retur...

Modifying/Intercepting IOCTL (SerialNumberOffset) x64

 by kerpow1 ¦  Mon Nov 09, 2015 5:18 pm ¦  Forum: Newbie Questions ¦  Topic: Modifying/Intercepting IOCTL (SerialNumberOffset) x64 ¦  Replies: 0 ¦  Views: 4576

Hello, I am looking into creating a FS filter to intercept IOCTL calls, say to: IOCTL_STORAGE_QUERY_PROPERTY, SMART_RCV_DRIVE_DATA, IOCTL_SCSI_PASS_THROUGH, and return a fake SerialNumber. I have not seen this discussed here so thought I would ask. This will be targeting x64 (7, 8, 8.1, 10); there are som...

Re: All possible ways to find loaded drivers

 by kerpow1 ¦  Thu Nov 05, 2015 6:27 pm ¦  Forum: Newbie Questions ¦  Topic: All possible ways to find loaded drivers ¦  Replies: 9 ¦  Views: 10483

Thank you, I managed to sort those issues in previous threads; this is another project related to anti-anti tools (play on words).

All possible ways to find loaded drivers

 by kerpow1 ¦  Thu Nov 05, 2015 9:49 am ¦  Forum: Newbie Questions ¦  Topic: All possible ways to find loaded drivers ¦  Replies: 9 ¦  Views: 10483

Hi, I am trying to list all ways a driver could be located on the system, so far:

ZwQuerySystemInformation
EnumDeviceDrivers
QueryDosDevice
GetDeviceDriverFileName

Discuss

Re: Kernel - Handle Hiding (7,8,8.1,10) x64 (4 Methods)

 by kerpow1 ¦  Mon Nov 02, 2015 11:59 am ¦  Forum: Kernel-Mode Development ¦  Topic: Kernel - Handle Hiding (7,8,8.1,10) x64 (4 Methods) ¦  Replies: 5 ¦  Views: 6807

Yes, you are right. Hiding a process on x64 without interfering with PG is difficult and unnecessary, the same as this method of hiding/removing your process's handle from all references, and the methods covered here are not all methods, so all that work for little benefit at the end; however, elements can be...

Re: Kernel - Handle Hiding (7,8,8.1,10) x64 (4 Methods)

 by kerpow1 ¦  Sun Nov 01, 2015 3:51 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Kernel - Handle Hiding (7,8,8.1,10) x64 (4 Methods) ¦  Replies: 5 ¦  Views: 6807

As I said, it will need work; I don't believe this method is a viable solution, though, which is why I posted it. And the try/excepts are just lazy amendments because it was stripped from a much larger framework, sorry for that.