A forum for reverse engineering, OS internals and malware analysis 


Re: why ExFreePool will blue screen

 by lwbkm ¦  Mon May 21, 2018 3:15 pm ¦  Forum: Kernel-Mode Development ¦  Topic: why ExFreePool will blue screen ¦  Replies: 3 ¦  Views: 4100

OMG, this is my first time using this function.
I didn't look carefully at:
ProcessInformationLength [in]
The size of the buffer pointed to by the ProcessInformation parameter, in bytes.

It was very careless of me. Thank you! :D

why ExFreePool will blue screen

 by lwbkm ¦  Mon May 21, 2018 6:45 am ¦  Forum: Kernel-Mode Development ¦  Topic: why ExFreePool will blue screen ¦  Replies: 3 ¦  Views: 4100

Easy code, but ExFreePool will blue screen....... why... :x How can I fix it?

#include <ntddk.h>
#include <windef.h>
PVOID pBuffer;
NTSTATUS NTGetLogicalDrives(OUT DWORD *pDiskNumber);
NTSTATUS WINAPI ZwQueryInformationProcess(
    _In_ HANDLE ProcessHandle,
    _In_ PROCESSINFOCLASS ProcessInformationC...

Re: need help Explain this code

 by lwbkm ¦  Thu May 03, 2018 10:04 am ¦  Forum: Kernel-Mode Development ¦  Topic: need help Explain this code ¦  Replies: 6 ¦  Views: 7276

Thanks very much, I understand. :D :D :D :D

Re: how to delete driver file and still Keep communication

 by lwbkm ¦  Thu May 03, 2018 2:19 am ¦  Forum: Kernel-Mode Development ¦  Topic: how to delete driver file and still Keep communication ¦  Replies: 10 ¦  Views: 11373

Li Yong wrote: Wed May 02, 2018 12:18 pm
If successful, could you provide a code example please? I also need this functionality (force delete).

Waiting... ;)
I still do not understand; maybe closing the kernel handle lets it be deleted. You can try.

Re: need help Explain this code

 by lwbkm ¦  Thu May 03, 2018 2:17 am ¦  Forum: Kernel-Mode Development ¦  Topic: need help Explain this code ¦  Replies: 6 ¦  Views: 7276

Thanks. As I understood before, but there are some functions I do not understand; is there similar source code to refer to?

Re: need help Explain this code

 by lwbkm ¦  Wed May 02, 2018 7:29 am ¦  Forum: Kernel-Mode Development ¦  Topic: need help Explain this code ¦  Replies: 6 ¦  Views: 7276

EP_X0FF wrote: Wed May 02, 2018 4:15 am
It is DriverEntry. That's all you can get as an answer from posting a raw IDA HexRays dump. If you want help seriously then you should attach the actual file, not a useless HexRays dump.

I only have this .sys file; I want to understand how he implemented it. Maybe you can help me, thanks.
sys.rar

Re: how to delete driver file and still Keep communication

 by lwbkm ¦  Wed May 02, 2018 1:41 am ¦  Forum: Kernel-Mode Development ¦  Topic: how to delete driver file and still Keep communication ¦  Replies: 10 ¦  Views: 11373

Starting from Windows 10 you cannot delete the file of a loaded driver, as it is locked on disk. If you want similar functionality to your screenshot you need to send an IRP to the filesystem device driver. Search KSBinSword for "code". However, the consequences of this are unknown for Windows 10.

Thank you. Let me ...

need help Explain this code

 by lwbkm ¦  Wed May 02, 2018 1:35 am ¦  Forum: Kernel-Mode Development ¦  Topic: need help Explain this code ¦  Replies: 6 ¦  Views: 7276

I found a driver .sys; it can hide and delete itself and cannot be enumerated by ARK, but I don't understand this code. I got it from IDA. Who can explain it to me? Thanks very much.

char __fastcall sub_140001EF0(__int64 a1)
{
    PVOID v1; // rax
    __int64 v2; // rcx
    PDRIVER_OBJECT v3; // rcx
    char v5; // [rsp+4...

Re: how to delete driver file and still Keep communication

 by lwbkm ¦  Sun Apr 29, 2018 12:20 am ¦  Forum: Kernel-Mode Development ¦  Topic: how to delete driver file and still Keep communication ¦  Replies: 10 ¦  Views: 11373

Brock wrote: Sat Apr 28, 2018 4:31 pm
Recently I am writing a rootkit software
This board doesn't support authoring of rootkits.

I said it wrong; I am writing ARK software, like this http://www.kernelmode.info/forum/viewto ... =11&t=1691

Re: how to delete driver file and still Keep communication

 by lwbkm ¦  Sun Apr 29, 2018 12:06 am ¦  Forum: Kernel-Mode Development ¦  Topic: how to delete driver file and still Keep communication ¦  Replies: 10 ¦  Views: 11373

Brock wrote: Sat Apr 28, 2018 4:31 pm
This board doesn't support authoring of rootkits.

Oh my god......