A forum for reverse engineering, OS internals and malware analysis 


Api hooking explained

 by lorddoskias ¦  Tue Jul 03, 2012 11:54 am ¦  Forum: Newbie Questions ¦  Topic: Api hooking explained ¦  Replies: 2 ¦  Views: 4402

A good tutorial on the idea behind API hooking. I found it very clear, without bogging down in any detail as to how this can be applied to a rootkit.


Intercepting syscalls in wow64 processes.

 by lorddoskias ¦  Wed May 16, 2012 9:23 pm ¦  Forum: User-Mode Development ¦  Topic: Intercepting syscalls in wow64 processes. ¦  Replies: 1 ¦  Views: 2610

http://jbremer.org/intercepting-system- ... 4-windows/

Interesting read, any thoughts, comments?

Re: Device Driver Development for Beginners - Reloaded

 by lorddoskias ¦  Sun Apr 15, 2012 9:34 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Device Driver Development for Beginners - Reloaded ¦  Replies: 24 ¦  Views: 108413

I don't know if this is the appropriate topic, but this link is very useful for an explanation of some crucial Windows structures: http://www.codemachine.com/article_kernelstruct.html

Although it doesn't go into detail it certainly can serve as a good reference.

Re: Perfect Windows Kernel Hooking

 by lorddoskias ¦  Fri Apr 13, 2012 5:11 pm ¦  Forum: Newbie Questions ¦  Topic: Perfect Windows Kernel Hooking ¦  Replies: 8 ¦  Views: 8045

I don't think it is useless. It certainly raises the bar. Recently there haven't been any rootkits which targeted PatchGuard explicitly (by explicitly I mean circumventing the actual DPCs etc.); rather, they all try to disable it even before it has started, so I'd say it is effective to a certain extent.

Re: Perfect Windows Kernel Hooking

 by lorddoskias ¦  Wed Apr 11, 2012 5:13 pm ¦  Forum: Newbie Questions ¦  Topic: Perfect Windows Kernel Hooking ¦  Replies: 8 ¦  Views: 8045

Just a note - PatchGuard checks the MSRs.

Re: Windows 8 -- SSDT Object

 by lorddoskias ¦  Mon Mar 05, 2012 1:50 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Windows 8 -- SSDT Object ¦  Replies: 5 ¦  Views: 4278

I'd suggest instead of using MmMapLockedPages etc, to just use MmGetSystemAddressForMdlSafe macro which would either: a) call MmMapLockedPagesSpecifyCache OR b) give you the current address, since it is already mapped to system space. That is of course if you want to just have an MDL in kernel-space...

Re: binary image on the disk

 by lorddoskias ¦  Mon Mar 05, 2012 9:38 am ¦  Forum: Newbie Questions ¦  Topic: binary image on the disk ¦  Replies: 47 ¦  Views: 36946

Tigzy wrote: In some cases I got a BSoD due to writing to read-only memory (tried to unhook Avast :D ).
I guess maybe Avast protects its hooks...

Is there a means to not crash the system with that? Maybe with a try ... catch?

Disable Write protection from cr0?

Re: binary image on the disk

 by lorddoskias ¦  Thu Mar 01, 2012 10:19 am ¦  Forum: Newbie Questions ¦  Topic: binary image on the disk ¦  Replies: 47 ¦  Views: 36946

How so? In one case you will be exchanging atomically 8/16 bytes at a time and in the DPC case you can exchange however many you like, as long as you can guarantee that the code is nonpaged since the page fault handler won't be able to kick in if you incur a page fault? Now, if any of the cores was ...

Re: binary image on the disk

 by lorddoskias ¦  Thu Mar 01, 2012 9:42 am ¦  Forum: Newbie Questions ¦  Topic: binary image on the disk ¦  Replies: 47 ¦  Views: 36946

There is this very ugly hack where you can dispatch a DPC on every cpu core to spin in an empty while(custom-condition), do your patching and then set the custom-condition so that you can exit the DPC. But this is inherently unsafe :)

Re: POC: disable Load Image Notify routine

 by lorddoskias ¦  Mon Feb 13, 2012 2:58 pm ¦  Forum: Kernel-Mode Development ¦  Topic: POC: disable Load Image Notify routine ¦  Replies: 4 ¦  Views: 3993

I haven't looked at what exactly is at this offset but is there any chance that it basically tinkers with nt!PspCreateProcessNotifyRoutineCount ?
