A forum for reverse engineering, OS internals and malware analysis 

Search found 29 matches


Use LGPL code in MIT project?

 by tangptr ¦  Thu Jan 10, 2019 2:38 pm ¦  Forum: General Discussion ¦  Topic: Use LGPL code in MIT project? ¦  Replies: 1 ¦  Views: 790

Suppose I have a project open-sourced with MIT license. I want to use some code, not all of them, from another open-sourced software licensed under LGPL v3 in my project. Does this action violate the LPGL v3?

Re: PG check

 by tangptr ¦  Tue Sep 18, 2018 12:33 pm ¦  Forum: Kernel-Mode Development ¦  Topic: PG check ¦  Replies: 4 ¦  Views: 3216

Whether PatchGuard is disabled or not cannot be detected if malware has done manipulation. You cannot check by files because you cannot be sure whether you are checking the manipulated one or the backup. In most cases, you are checking the backup. You cannot check by dumping memory because the initializatio...

Re: Probe kernel memory for read

 by tangptr ¦  Tue Aug 14, 2018 3:35 am ¦  Forum: Kernel-Mode Development ¦  Topic: Probe kernel memory for read ¦  Replies: 3 ¦  Views: 10988

Did you enclose your MmProbeAndLockPages invocation in an SEH block? This is essential for invoking it.
In addition, the result of MmGetPhysicalAddress is only valid for system-session addresses. Results from MmGetPhysicalAddress for DMA, win32-subsystem, user-mode, etc. memory are invalid.

Re: Hooking the official way?

 by tangptr ¦  Mon Aug 13, 2018 7:09 am ¦  Forum: Kernel-Mode Development ¦  Topic: Hooking the official way? ¦  Replies: 8 ¦  Views: 7803

You may hook MSR-LSTAR (ecx=0xC0000082) and hide your hook using hardware-accelerated virtualization (Intel VT-x or AMD-V). This can be accomplished by rdmsr interception. It requires the least virtualization feature - no address-translation (Intel EPT or AMD NPT) required. HyperBone written by Dart...

Re: Detecting Test Mode

 by tangptr ¦  Thu Jul 12, 2018 10:12 am ¦  Forum: Kernel-Mode Development ¦  Topic: Detecting Test Mode ¦  Replies: 7 ¦  Views: 7453

I shall emphasize that THERE IS a DSE component on 32-bit Windows, albeit it is disabled at kernel initialization.
Therefore, you may enable DSE in 32-bit Windows by hacking the "Code-Integrity driver". It can be done in the opposite way to disabling DSE on Win64.

Re: Detecting Test Mode

 by tangptr ¦  Wed Jul 11, 2018 5:57 am ¦  Forum: Kernel-Mode Development ¦  Topic: Detecting Test Mode ¦  Replies: 7 ¦  Views: 7453

The most "quick-and-dirty" way is to load a test-signed-only driver for detection.
In addition, 32-bit NT6 systems do have DSE. It is disabled by default, but you may dynamically enable it by patching the "Code-Integrity Driver".

Re: Breakpoints matters?

 by tangptr ¦  Mon Jul 09, 2018 2:56 am ¦  Forum: Kernel-Mode Development ¦  Topic: Breakpoints matters? ¦  Replies: 2 ¦  Views: 3165

Hi, on a breakpoint inside the guest, the debugger may sanitize something which you did not set properly, e.g. TSS, selectors and their base/limit/access rights, etc. - check the guest state. Enable as few features as possible in the execution controls (no EPT, no exceptions in the exception bitmap). If you have...

Re: Hooking Memory Controller Routines

 by tangptr ¦  Fri Jul 06, 2018 6:38 am ¦  Forum: General Discussion ¦  Topic: Hooking Memory Controller Routines ¦  Replies: 4 ¦  Views: 6732

Happy New Year ! If the memory controller was indeed hooked and an attempt to capture every read/write/execute is made then would it not be possible to know which thread is accessing which memory cell and every detail associated with the request such as Thread PID 00232 accessing Memory location x0...

Breakpoints matters?

 by tangptr ¦  Thu Jul 05, 2018 9:57 am ¦  Forum: Kernel-Mode Development ¦  Topic: Breakpoints matters? ¦  Replies: 2 ¦  Views: 3165

I was writing code for building a hypervisor (based on Intel VT-x) in the system. But something I don't understand occurred: if I set a breakpoint at the guest RIP, or even some instructions after, the breakpoint would hit but continuing the execution is fine. Nothing bad happens. If I don't set any brea...

Re: Is it possible to remove a file protected by a file system filter driver?

 by tangptr ¦  Thu Mar 22, 2018 8:43 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Is it possible to remove a file protected by a file system filter driver? ¦  Replies: 13 ¦  Views: 17236

Well, you may analyze the file system by reading and writing the disk directly. Writing disk sections via the disk mini-port driver (SCSI instructions) may penetrate disk recovery protection.