A forum for reverse engineering, OS internals and malware analysis 


Re: Why doesn't Microsoft block elevation runas?

 by zer0cat ¦  Sun May 05, 2019 10:05 pm ¦  Forum: General Discussion ¦  Topic: Why doesn't Microsoft block elevation runas? ¦  Replies: 5 ¦  Views: 712

EP_X0FF wrote: You can always press Ctrl+Alt+Del and log off, thus terminating any elevation requestors.
I didn't know that. :love:

Why doesn't Microsoft block elevation runas?

 by zer0cat ¦  Sun Apr 28, 2019 6:47 pm ¦  Forum: General Discussion ¦  Topic: Why doesn't Microsoft block elevation runas? ¦  Replies: 5 ¦  Views: 712

As we all know, in Windows there are integrity levels. But there is an opportunity to raise it, quite legally, without any exploits: through the ShellExecute function with the runas verb. Malware calls this function in a loop and reaches admin privileges. The user cannot cancel it, because malware calls it ...

Re: Some code doesn't work with SYSTEM priv.

 by zer0cat ¦  Sat Mar 23, 2019 7:17 pm ¦  Forum: Newbie Questions ¦  Topic: Some code doesn't work with SYSTEM priv. ¦  Replies: 4 ¦  Views: 548

Yes, I have the source code, but the program is too large to publish on the forum. The program is written in C; it searches for files by mask (and tracks the creation of new ones) and deletes or changes them depending on the task. The problem is that it works from SYSTEM, but at the same time i...

Some code doesn't work with SYSTEM priv.

 by zer0cat ¦  Sat Mar 23, 2019 1:23 pm ¦  Forum: Newbie Questions ¦  Topic: Some code doesn't work with SYSTEM priv. ¦  Replies: 4 ¦  Views: 548

Hello,
There is a program that runs with SYSTEM privileges.
But it doesn't work for some actions in Windows, such as enumerating network shares, etc.

What can I do?

Re: How to emulate LOW IL?

 by zer0cat ¦  Fri Jan 25, 2019 11:39 am ¦  Forum: User-Mode Development ¦  Topic: How to emulate LOW IL? ¦  Replies: 6 ¦  Views: 2154

EP_X0FF, thank you, your code works well.

I have one question, only for my own education. Microsoft says that the Low integrity SID is "S-1-16-1024";
But in the book "Writing Secure Code for Windows Vista" (Howard, LeBlanc) there is another string for the Low ID: "S-1-16-4096".

Why, and which one is right?

Re: How to emulate LOW IL?

 by zer0cat ¦  Thu Jan 24, 2019 4:58 pm ¦  Forum: User-Mode Development ¦  Topic: How to emulate LOW IL? ¦  Replies: 6 ¦  Views: 2154

EP_X0FF, I tried to compile this code, but I get an error: all programs (that I try to run in LOW) crash on the call to CreateProcessAsUserW with code 0xc0000022. This is the code; the compiler is Pelles C: void WINAPI CreateLowProcess() { BOOL fRet; HANDLE hToken = NULL; HANDLE hNewToken = NULL; PSID pIntegritySid ...

How to emulate LOW IL?

 by zer0cat ¦  Tue Jan 22, 2019 7:25 pm ¦  Forum: User-Mode Development ¦  Topic: How to emulate LOW IL? ¦  Replies: 6 ¦  Views: 2154

I am writing my program, and I want it to work correctly at a low integrity level. But how can I emulate it? I have tried three ways, and each time different results come out (for example, in one case the program can create processes, in the second it cannot). Why is that? What is the correct way? 1)- P...

How can I use one Asm code for x86 and x64?

 by zer0cat ¦  Sat Nov 10, 2018 7:48 pm ¦  Forum: Newbie Questions ¦  Topic: How can I use one Asm code for x86 and x64? ¦  Replies: 3 ¦  Views: 2073

Hello, I have some code in C++ which invokes an Asm procedure. One procedure is 32-bit (asm x86), and the other is 64-bit (asm x64). Example:
x86 proc
mov eax, dword ptr [edx]
ret
x86 proc
x64 proc
mov rax, qword ptr [rdx]
ret
x64 proc
Can I compile the code into a 32-bit PE file that detects the architecture...