A forum for reverse engineering, OS internals and malware analysis 

Re: Developing a Sandbox for Windows

 by Victor43 ¦  Thu Jan 25, 2018 5:34 am ¦  Forum: General Discussion ¦  Topic: Developing a Sandbox for Windows ¦  Replies: 9 ¦  Views: 12723

I have another question about sandbox design. Other than the avenues for intercepting untrusted code, what else is involved in the overall design of a sandbox?

Re: Developing a Sandbox for Windows

 by Victor43 ¦  Tue Jan 16, 2018 3:35 am ¦  Forum: General Discussion ¦  Topic: Developing a Sandbox for Windows ¦  Replies: 9 ¦  Views: 12723

@Vrtule thank you for follow-up. It's very much appreciated.

Re: Developing a Sandbox for Windows

 by Victor43 ¦  Wed Jan 10, 2018 11:54 pm ¦  Forum: General Discussion ¦  Topic: Developing a Sandbox for Windows ¦  Replies: 9 ¦  Views: 12723

You should really know the interfaces you are using. Although they might look really nice in the documentation, their implementation might have certain drawbacks. For example, on Windows 7 and older, when filtering certain types of registry operations (e.g. registry value deletion), some data a...

Re: Developing a Sandbox for Windows

 by Victor43 ¦  Mon Jan 08, 2018 11:36 pm ¦  Forum: General Discussion ¦  Topic: Developing a Sandbox for Windows ¦  Replies: 9 ¦  Views: 12723

@Vrtule thank you. Since you had an opportunity to work with a sandbox, can you tell me: if a sandbox is done right, what are the chances of exploits passing through the sandbox and being able to make unauthorized changes to the system? Second question: what do you know of cloud-based sandboxing?

Re: Developing a Sandbox for Windows

 by Victor43 ¦  Sun Jan 07, 2018 11:01 pm ¦  Forum: General Discussion ¦  Topic: Developing a Sandbox for Windows ¦  Replies: 9 ¦  Views: 12723

@Vrtule thank you. Can you tell me one thing: where can these special functions be placed? Would they need to be placed inside a separate driver file designed just for the sandbox, or could they be placed inside a WFP driver file (a driver file designed to filter TCP traffic)? I'm interested in san...

Developing a Sandbox for Windows

 by Victor43 ¦  Sun Jan 07, 2018 6:53 am ¦  Forum: General Discussion ¦  Topic: Developing a Sandbox for Windows ¦  Replies: 9 ¦  Views: 12723

Two questions to ask. 1. Does WFP have a registry callback which allows all registry calls at user and kernel level to be filtered? 2. How do I intercept a thread that is creating a thread or process?

Re: Hooking Memory Controller Routines

 by Victor43 ¦  Sat Jan 06, 2018 5:27 am ¦  Forum: General Discussion ¦  Topic: Hooking Memory Controller Routines ¦  Replies: 4 ¦  Views: 6621

Happy New Year! If the memory controller was indeed hooked and an attempt to capture every read/write/execute is made, then would it not be possible to know which thread is accessing which memory cell and every detail associated with the request, such as Thread PID 00232 accessing Memory location x02...

Re: Modify Incoming TCP Packet Sent to the Browser

 by Victor43 ¦  Sat Dec 30, 2017 4:32 am ¦  Forum: General Discussion ¦  Topic: Modify Incoming TCP Packet Sent to the Browser ¦  Replies: 7 ¦  Views: 9996

The comments in the inspect.c file (see the TLInspectALEConnectClassify function) contain the following statements, as seen below. Can anyone tell me what re-auth is in the inspect MSDN sample? What is the meaning of this terminology? // The classify is the re-authorization for an existing co...

Re: Modify Incoming TCP Packet Sent to the Browser

 by Victor43 ¦  Thu Dec 14, 2017 12:22 am ¦  Forum: General Discussion ¦  Topic: Modify Incoming TCP Packet Sent to the Browser ¦  Replies: 7 ¦  Views: 9996

Vrtule, thank you again.

Re: Modify Incoming TCP Packet Sent to the Browser

 by Victor43 ¦  Mon Dec 11, 2017 9:41 pm ¦  Forum: General Discussion ¦  Topic: Modify Incoming TCP Packet Sent to the Browser ¦  Replies: 7 ¦  Views: 9996

For XP, you probably need to develop a TDI filter driver (attach over devices of the Tdx driver and filter/modify their communication). It also kind of works on newer versions of Windows (Vista+), but it is deprecated there, so it is best not to rely on it. Thank you again. Would an NDIS intermediate ...