Re: Inline patching problem.

by 0xC0000022L ¦ Tue Oct 18, 2011 10:33 pm

@r2nwcnydc: good call. +1 rep ;)

Re: Inline patching problem.
by 0xC0000022L ¦ Tue Oct 18, 2011 11:57 am

If I understood correctly, he patches a near jump at the beginning of NtQuerySystemInformation. It only takes two bytes and would overwrite the usual mov edi, edi code sequence (the code sequence exists for that very reason). I'm aware of it. But I would still check up front whether the value is wh...

Re: [Poll] What is your home OS?
by 0xC0000022L ¦ Mon Oct 17, 2011 9:41 pm

deco11 wrote: windows 7 ultimate x64 ;)

Re: Inline patching problem.
by 0xC0000022L ¦ Mon Oct 17, 2011 9:40 pm

As you can see, I correctly point it to 2 bytes after the beginning, because at the original 2 bytes I have the short jump. What I can't understand is why this might be working when I do SSDT hooking, but when I do inline patching it doesn't? Also, if you feel like it, I'm willing to send you my sourc...

Re: Inline patching problem.
by 0xC0000022L ¦ Mon Oct 17, 2011 3:32 pm

Here is the code which hides a process and works perfectly fine if I perform SSDT hooking, but when I do a detour it makes the whole VM very sluggish.

Okay, here's what looks odd to me: myZwQuerySystemInformation is apparently your replacement function (right?), but inside it you call myNtQuerySyste...

Re: NT Design Workbook
by 0xC0000022L ¦ Wed Oct 12, 2011 11:16 am

liangtong wrote: Check this:
http://kruglinski.googlepages.com/NT_De ... rkbook.rar
Thanks, that worked.

Re: NT Design Workbook
by 0xC0000022L ¦ Tue Oct 11, 2011 10:25 pm

Does anyone have a mirror of that file? It appears to be down now. Gives 404.

Re: Driver Signing
by 0xC0000022L ¦ Tue Oct 11, 2011 10:24 pm

Sorry to bump this post, and correct me if I am wrong, but would this not require either a. a hard disk modification of ntoskrnl or b. an in-memory patch? The latter is done by TDL, for example. IIRC TDL will enable WinPE mode (see EP_X0FF's first reply), then does the patching and then turns it off...

Re: Good resource for learning how to debug & reverse engine
by 0xC0000022L ¦ Tue Oct 11, 2011 8:50 pm

Giuseppe, your name certainly rings a bell, but where did your blog go meanwhile? You retired your old one, but the new one seems to be inaccessible (or gone) as well. Any ideas anyone ...? :?

Re: GetProcAddress in Kernel Mode
by 0xC0000022L ¦ Tue Oct 11, 2011 8:08 pm