A forum for reverse engineering, OS internals and malware analysis 


Re: Inline patching problem.

 by 0xC0000022L ¦  Tue Oct 18, 2011 10:33 pm ¦  Forum: Newbie Questions ¦  Topic: Inline patching problem. ¦  Replies: 24 ¦  Views: 18033

@r2nwcnydc: good call. +1 rep ;)

Re: Inline patching problem.

 by 0xC0000022L ¦  Tue Oct 18, 2011 11:57 am ¦  Forum: Newbie Questions ¦  Topic: Inline patching problem. ¦  Replies: 24 ¦  Views: 18033

If I understood correctly, he patches a near jump at the beginning of NtQuerySystemInformation. It only takes two bytes and would overwrite the usual mov edi, edi code sequence (the code sequence exists for that very reason). I'm aware of it. But I would still check up front whether the value is wh...

Re: [Poll] What is your home OS?

 by 0xC0000022L ¦  Mon Oct 17, 2011 9:41 pm ¦  Forum: General Discussion ¦  Topic: [Poll] What is your home OS? ¦  Replies: 20 ¦  Views: 20674

deco11 wrote: windows 7 ultimate x64 ;)
Ditto.

Re: Inline patching problem.

 by 0xC0000022L ¦  Mon Oct 17, 2011 9:40 pm ¦  Forum: Newbie Questions ¦  Topic: Inline patching problem. ¦  Replies: 24 ¦  Views: 18033

As you can see I correctly point it to 2 bytes after the beginning because at the original 2 bytes I have the short jump. What I can't understand is why this might be working when I do a SSDT hooking but when I do inline patching it doesn't? Also if you feel like it I'm willing to send you my sourc...

Re: Inline patching problem.

 by 0xC0000022L ¦  Mon Oct 17, 2011 3:32 pm ¦  Forum: Newbie Questions ¦  Topic: Inline patching problem. ¦  Replies: 24 ¦  Views: 18033

Here is the code which hides a process and works perfectly fine if I perform SSDT hooking, but when I do a detour it makes the whole VM very sluggish
Okay, here's what looks odd to me: myZwQuerySystemInformation is apparently your replacement function (right?), but inside it you call myNtQuerySyste...

Re: NT Design Workbook

 by 0xC0000022L ¦  Wed Oct 12, 2011 11:16 am ¦  Forum: Kernel-Mode Development ¦  Topic: NT Design Workbook ¦  Replies: 6 ¦  Views: 4901

liangtong wrote: Check this:
http://kruglinski.googlepages.com/NT_De ... rkbook.rar
Thanks, that worked.

Re: NT Design Workbook

 by 0xC0000022L ¦  Tue Oct 11, 2011 10:25 pm ¦  Forum: Kernel-Mode Development ¦  Topic: NT Design Workbook ¦  Replies: 6 ¦  Views: 4901

Does anyone have a mirror of that file? It appears to be down now. Gives 404.

Re: Driver Signing

 by 0xC0000022L ¦  Tue Oct 11, 2011 10:24 pm ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Driver Signing ¦  Replies: 5 ¦  Views: 8096

Sorry to bump this post, and correct me if I am wrong, but would this not require either: a. an on-disk modification of ntoskrnl, or b. an in-memory patch? The latter is done by TDL, for example. IIRC TDL will enable WinPE mode (see EP_X0FF's first reply), then does the patching and then turns it off...

Re: Good resource for learning how to debug & reverse engineer?

 by 0xC0000022L ¦  Tue Oct 11, 2011 8:50 pm ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Good resource for learning how to debug & reverse engineer? ¦  Replies: 16 ¦  Views: 100888

Giuseppe, your name certainly rings a bell, but where did your blog go meanwhile? You retired your old one, but the new one seems to be inaccessible (or gone) as well. Any ideas anyone ...? :?

Re: GetProcAddress in Kernel Mode

 by 0xC0000022L ¦  Tue Oct 11, 2011 8:08 pm ¦  Forum: Newbie Questions ¦  Topic: GetProcAddress in Kernel Mode ¦  Replies: 3 ¦  Views: 5449