A forum for reverse engineering, OS internals and malware analysis 

Search found 28 matches


Re: Is possible remove a file protected by a file system filter driver?

 by Li Yong ¦  Fri Jun 08, 2018 11:52 am ¦  Forum: Kernel-Mode Development ¦  Topic: Is possible remove a file protected by a file system filter driver? ¦  Replies: 13 ¦  Views: 17417

Vrtule, I tried to follow what you suggested, but without success; see my last question.
Why can't I delete a file protected by an FSD filter/minifilter?

Re: Is possible remove a file protected by a file system filter driver?

 by Li Yong ¦  Tue May 08, 2018 9:43 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Is possible remove a file protected by a file system filter driver? ¦  Replies: 13 ¦  Views: 17417

EP_X0FF, thank you for the reference link. The text below (about IRP hooks) also confirms Vrtule's suggestion (see the part that explains how to bypass it), since FSDs use IRP hooks to prevent the deletion of their files by some anti-rootkit tool :D IRP Major Function Hook Description The driver ob...

Re: Is possible remove a file protected by a file system filter driver?

 by Li Yong ¦  Thu May 03, 2018 12:53 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Is possible remove a file protected by a file system filter driver? ¦  Replies: 13 ¦  Views: 17417

Vrtule, could you direct me to the file name and the specific line of code (KSBinSword) where I can find the approach you suggested, please?
I'm not able to find it :oops:, but from a quick analysis it seems that the approach suggested by tangptr is used, and here seems to be the related code.

Thanks

Re: how to delete driver file and still Keep communication

 by Li Yong ¦  Thu May 03, 2018 3:35 am ¦  Forum: Kernel-Mode Development ¦  Topic: how to delete driver file and still Keep communication ¦  Replies: 10 ¦  Views: 11672

If successful, could you provide a code example please? I also need this force-delete functionality. waiting... ;) I still do not understand, maybe close the kernel handle and it can be deleted, you can try. Only closing opened handles will not solve it for files locked by an FSD (File System Driver) or Minifilte...

Re: how to delete driver file and still Keep communication

 by Li Yong ¦  Wed May 02, 2018 12:18 pm ¦  Forum: Kernel-Mode Development ¦  Topic: how to delete driver file and still Keep communication ¦  Replies: 10 ¦  Views: 11672

If successful, could you provide a code example please? I also need this force-delete functionality.

waiting... ;)

Re: how to delete driver file and still Keep communication

 by Li Yong ¦  Tue May 01, 2018 4:40 pm ¦  Forum: Kernel-Mode Development ¦  Topic: how to delete driver file and still Keep communication ¦  Replies: 10 ¦  Views: 11672

Starting from Windows 10 you cannot delete the file of a loaded driver, as it is locked on disk. If you want functionality similar to your screenshot, you need to send an IRP to the filesystem device driver. Search KSBinSword for "code". However, the consequences of this on Windows 10 are unknown. Good suggestion EP...
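The point quoted above (a filter sitting above the file system only sees requests that enter the device stack above it, so a request aimed directly at the FSD's own device object never reaches the filter's dispatch routine) is easier to see in a model than in kernel code. The block below is an added example and is not code from the thread, from KSBinSword, or from any real driver: it is a user-mode stand-in for a two-device stack in which `IoCallDriver`, `DEVICE_OBJECT`, `IRP`, the `Ntfs`/`Protect` device names, the protected path and the status values are all imitations chosen for this illustration, not calls into Windows.

```c
/*
 * Added example (not code from the original thread): a user-mode model of a
 * Windows I/O device stack, written to show why a filter driver that denies
 * delete requests only protects against requests that enter the stack above
 * it. All driver, device and status names below are stand-ins; nothing here
 * calls a real kernel API.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS        ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_DENIED  ((NTSTATUS)0xC0000022)
#define IRP_MJ_SET_INFORMATION 0x06

/* Minimal stand-in for a FileDispositionInformation request. */
typedef struct {
    unsigned char MajorFunction;
    const char   *FileName;    /* path the request refers to */
    bool          DeleteFile;  /* FILE_DISPOSITION_INFORMATION.DeleteFile */
} IRP;

struct DEVICE_OBJECT;
typedef NTSTATUS (*PDRIVER_DISPATCH)(struct DEVICE_OBJECT *Device, IRP *Irp);

typedef struct DEVICE_OBJECT {
    const char           *Name;
    PDRIVER_DISPATCH      Dispatch;       /* one MajorFunction entry */
    struct DEVICE_OBJECT *AttachedBelow;  /* next lower device in the stack */
    bool                  FileDeleted;    /* FSD state, inspected by the test */
} DEVICE_OBJECT;

/* Stand-in for IoCallDriver: hand the IRP to the target device's routine. */
static NTSTATUS IoCallDriver(DEVICE_OBJECT *Device, IRP *Irp)
{
    return Device->Dispatch(Device, Irp);
}

/* File system driver: honours whatever reaches it. */
static NTSTATUS FsdSetInformation(DEVICE_OBJECT *Device, IRP *Irp)
{
    if (Irp->MajorFunction == IRP_MJ_SET_INFORMATION && Irp->DeleteFile)
        Device->FileDeleted = true;
    return STATUS_SUCCESS;
}

/* Constructed path the filter protects. */
static const char *ProtectedPath = "\\Device\\HarddiskVolume1\\protected.sys";

/* Legacy filter attached above the FSD: deny delete disposition on the
 * protected path, pass everything else down the stack. */
static NTSTATUS FilterSetInformation(DEVICE_OBJECT *Device, IRP *Irp)
{
    if (Irp->MajorFunction == IRP_MJ_SET_INFORMATION && Irp->DeleteFile &&
        strcmp(Irp->FileName, ProtectedPath) == 0)
        return STATUS_ACCESS_DENIED;
    return IoCallDriver(Device->AttachedBelow, Irp);
}

/* The stack: filter device attached on top of the FSD device. */
static DEVICE_OBJECT Fsd    = { "Ntfs",    FsdSetInformation,    NULL, false };
static DEVICE_OBJECT Filter = { "Protect", FilterSetInformation, &Fsd, false };

static NTSTATUS RequestDelete(DEVICE_OBJECT *EntryPoint, const char *Path)
{
    IRP irp = { IRP_MJ_SET_INFORMATION, Path, true };
    Fsd.FileDeleted = false;
    return IoCallDriver(EntryPoint, &irp);
}

/* Normal path: the I/O manager targets the top of the stack. */
NTSTATUS DeleteViaStackTop(const char *Path) { return RequestDelete(&Filter, Path); }

/* The approach quoted in the thread: target the FSD device object directly,
 * so the filter's dispatch routine never sees the request. */
NTSTATUS DeleteViaFsdDirect(const char *Path) { return RequestDelete(&Fsd, Path); }

/* Did the last request reach the FSD as a delete? */
bool FsdSawDelete(void) { return Fsd.FileDeleted; }

int main(void)
{
    printf("top of stack: 0x%08X deleted=%d\n",
           (unsigned)DeleteViaStackTop(ProtectedPath), FsdSawDelete());
    printf("FSD directly: 0x%08X deleted=%d\n",
           (unsigned)DeleteViaFsdDirect(ProtectedPath), FsdSawDelete());
    return 0;
}
```

Two caveats a practitioner should keep in mind. On real systems a minifilter does not attach its own device; it registers with Filter Manager, which is itself a legacy filter device in the stack, so the same reasoning applies to it. And the model shows only why filter-based "protection" is not a boundary against code that already runs in kernel mode; as the quoted post says, what else breaks when a request bypasses the stack on a given Windows build is not covered here.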

Re: c - How implement a realloc function in kernel mode?

 by Li Yong ¦  Fri Apr 20, 2018 9:25 pm ¦  Forum: Newbie Questions ¦  Topic: c - How implement a realloc function in kernel mode? ¦  Replies: 7 ¦  Views: 8354

Thank you VrTule and EP_X0FF. Really, a linked list solved my trouble :D

Re: c - How implement a realloc function in kernel mode?

 by Li Yong ¦  Tue Apr 17, 2018 5:16 pm ¦  Forum: Newbie Questions ¦  Topic: c - How implement a realloc function in kernel mode? ¦  Replies: 7 ¦  Views: 8354

Based on your answer, here was my last attempt, but without success.

    ///////////////////////////////////// START ARRAYLIST /////////////////////////////////////////
    typedef char* value_type;
    typedef struct arraylist {
        size_t size;
        value_type* data;
    } arraylist;
    ////////////////////////////////////////...

Re: c - How implement a realloc function in kernel mode?

 by Li Yong ¦  Mon Apr 16, 2018 8:08 pm ¦  Forum: Newbie Questions ¦  Topic: c - How implement a realloc function in kernel mode? ¦  Replies: 7 ¦  Views: 8354

If you know the size of the buffer being "reallocated", you can use something like this:

    void *CustomRealloc(POOL_TYPE PoolType, const void *Buffer, size_t Size, size_t NewSize)
    {
        void *ret = NULL;
        ret = ExAllocatePoolWithTag(PoolType, NewSize, Tag);
        if (ret != NULL) {
            memcpy(ret, Buffer, Size);
            E...
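The snippet above stops mid-function, and the arraylist attempt two posts up shows the piece the thread was really after: a growable array on top of such a realloc. The block below is an added example, not Vrtule's code or the poster's; it carries the "caller supplies the old size" pattern through to a complete `CustomRealloc` and an arraylist that uses it. `ExAllocatePoolWithTag`, `ExFreePoolWithTag` and `POOL_TYPE` are user-mode stand-ins built on `malloc`/`free` so the example runs outside a driver (an assumption, not the kernel routines), and the tag value and the arraylist API are invented for the illustration. Two details the truncated snippet does not show are handled: the copy is bounded by the smaller of the two sizes so the call is also safe for shrinking, and on allocation failure the old buffer is left untouched and still owned by the caller.

```c
/*
 * Added example (not the thread's or Vrtule's code): the "realloc with a known
 * old size" pattern written against user-mode stand-ins for the kernel pool
 * routines, plus the growable arraylist it is meant to back.
 */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

typedef enum { NonPagedPool = 0, PagedPool = 1 } POOL_TYPE;
#define ARRAYLIST_TAG 0x6C72416CUL   /* 'lrAl', a made-up pool tag */

/* Assumption: same shape as the kernel routines, bodies are malloc/free. */
static void *ExAllocatePoolWithTag(POOL_TYPE PoolType, size_t NumberOfBytes, unsigned long Tag)
{
    (void)PoolType; (void)Tag;
    return malloc(NumberOfBytes);
}
static void ExFreePoolWithTag(void *P, unsigned long Tag)
{
    (void)Tag;
    free(P);
}

/* Realloc for an allocator that does not record block sizes: the caller
 * passes the old size. Copies min(Size, NewSize) so shrinking is safe, and
 * on failure returns NULL without freeing Buffer (same contract as realloc). */
void *CustomRealloc(POOL_TYPE PoolType, void *Buffer, size_t Size, size_t NewSize, unsigned long Tag)
{
    void *ret = ExAllocatePoolWithTag(PoolType, NewSize, Tag);
    if (ret == NULL)
        return NULL;
    if (Buffer != NULL) {
        memcpy(ret, Buffer, Size < NewSize ? Size : NewSize);
        ExFreePoolWithTag(Buffer, Tag);
    }
    return ret;
}

/* Growable array of C strings; capacity doubles through CustomRealloc. */
typedef char *value_type;
typedef struct {
    size_t      size;      /* elements in use */
    size_t      capacity;  /* elements allocated */
    value_type *data;
} arraylist;

void arraylist_init(arraylist *l) { l->size = 0; l->capacity = 0; l->data = NULL; }

/* Returns 0 on success, -1 if the pool allocation failed (list unchanged). */
int arraylist_push(arraylist *l, value_type v)
{
    if (l->size == l->capacity) {
        size_t newcap = l->capacity ? l->capacity * 2 : 4;
        value_type *nd = CustomRealloc(NonPagedPool, l->data,
                                       l->capacity * sizeof *nd,
                                       newcap * sizeof *nd, ARRAYLIST_TAG);
        if (nd == NULL)
            return -1;
        l->data = nd;
        l->capacity = newcap;
    }
    l->data[l->size++] = v;
    return 0;
}

void arraylist_free(arraylist *l)
{
    if (l->data != NULL)
        ExFreePoolWithTag(l->data, ARRAYLIST_TAG);
    arraylist_init(l);
}

/* Push n strings and return how many the list holds afterwards. */
size_t arraylist_demo(size_t n)
{
    arraylist l;
    arraylist_init(&l);
    for (size_t i = 0; i < n; i++)
        if (arraylist_push(&l, "item") != 0)
            break;
    size_t got = l.size;
    arraylist_free(&l);
    return got;
}

/* Grow then shrink a string buffer through CustomRealloc; 1 if data survived. */
int custom_realloc_selftest(void)
{
    char *p = CustomRealloc(NonPagedPool, NULL, 0, 4, ARRAYLIST_TAG);
    if (p == NULL) return 0;
    memcpy(p, "abc", 4);
    p = CustomRealloc(NonPagedPool, p, 4, 16, ARRAYLIST_TAG);   /* grow */
    if (p == NULL) return 0;
    int ok = strcmp(p, "abc") == 0;
    p = CustomRealloc(NonPagedPool, p, 16, 2, ARRAYLIST_TAG);   /* shrink: copies 2 bytes */
    if (p == NULL) return 0;
    ok = ok && p[0] == 'a' && p[1] == 'b';
    ExFreePoolWithTag(p, ARRAYLIST_TAG);
    return ok;
}

int main(void)
{
    printf("pushed %zu items, selftest=%d\n", arraylist_demo(10), custom_realloc_selftest());
    return 0;
}
```

Inside a real driver the pool routines are the kernel's own and the stand-ins go away; what stays is the contract: track the old size yourself, never free the original on a failed allocation, and pair every allocation and free with the same tag so pool-tracking tools can attribute leaks.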

c - How implement a realloc function in kernel mode?

 by Li Yong ¦  Mon Apr 16, 2018 12:07 pm ¦  Forum: Newbie Questions ¦  Topic: c - How implement a realloc function in kernel mode? ¦  Replies: 7 ¦  Views: 8354

I have searched in several places on the web for some implementation of a realloc function for kernel driver development in Windows and practically nothing was found. But I found a discussion between some driver programmers about this function (including malloc) that can be seen in this link, and there exists a code snippet...