A forum for reverse engineering, OS internals and malware analysis 
Re: Can the entire physical memory be read by kernel mode programs?

by feryno ¦ Fri Jun 14, 2019 4:54 am ¦ Forum: Kernel-Mode Development ¦ Topic: Can the entire physical memory be read by kernel mode programs? ¦ Replies: 1 ¦ Views: 483

I found that when Hyper-V is running, some areas of physical memory are protected (e.g. securekernel.exe). It must be done using virtualization features (AMD Nested Paging / Intel EPT). In this case, it is not memory in RAM (machine memory = host physical memory) but the physical memory the kernel-mode s...

Re: Breakpoints matters?

by feryno ¦ Fri Jul 06, 2018 2:20 pm ¦ Forum: Kernel-Mode Development ¦ Topic: Breakpoints matters? ¦ Replies: 2 ¦ Views: 3239

Hi, on a breakpoint inside the guest, the debugger may sanitize something which you did not set properly, e.g. TSS, selector and its base/limit/access rights etc. Check the guest state. Enable only as few features as possible in the execution controls (no EPT, no exceptions in the exception bitmap). If you have ...

Re: Understanding virtdbg

by feryno ¦ Thu Jul 06, 2017 10:48 am ¦ Forum: Tools/Software ¦ Topic: Understanding virtdbg ¦ Replies: 3 ¦ Views: 14209

@dmr: pwl will read hundreds of pages of the manual for a very long time before finding the answer.
@pwl: on a successful VMLAUNCH, the RIP (x64) / EIP (x86) is obtained from the VMCS (from guest RIP), also RSP (x64) / ESP (x86) (from guest RSP), also a lot of other things like selectors (CS, SS, DS, ES, FS, GS) and...

Re: Is it possible to write a hypervisor application ?

by feryno ¦ Fri Jun 30, 2017 10:59 am ¦ Forum: General Discussion ¦ Topic: Is it possible to write a hypervisor application ? ¦ Replies: 7 ¦ Views: 18332

Hi Victor43, you can start the hypervisor before the OS as an EFI executable or in a way similar to a BIOS rootkit and then let the OS boot. But because you are interested in monitoring the network, you can start it as an early-launched driver before the network driver; this hypervisor is easier to write than the previous on...

Re: How can I distinguish shutdown or reboot in kernel mode?

by feryno ¦ Wed Mar 08, 2017 7:25 am ¦ Forum: Kernel-Mode Development ¦ Topic: How can I distinguish shutdown or reboot in kernel mode? ¦ Replies: 9 ¦ Views: 17294

"I fill DriverObject->MajorFunction[IRP_MJ_POWER] with my dispatch function, but I can't get the call. Could you tell me why?"
I had the same problem regarding IRP_MJ_POWER a few years ago. This may be helpful: https://www.winvistatips.com/threads/majorfunction-irp_mj_power-does-not-get-called.182097/ I ...

Re: Code for making a core active without using Windows API

by feryno ¦ Tue May 24, 2016 11:03 am ¦ Forum: Kernel-Mode Development ¦ Topic: Code for making a core active without using Windows API ¦ Replies: 5 ¦ Views: 12500

All CPUs/cores are already initialized and running; it is a task of the kernel. When you boot with the /onecpu switch, the OS leaves the application CPUs inactive and runs only on the bootstrap CPU. The OS activates the application CPUs by sending the INIT-SIPI sequence (interprocessor interrupts). In APIC mode it is done via...

Re: Cannot call any API within hook?

by feryno ¦ Wed Oct 21, 2015 8:30 am ¦ Forum: User-Mode Development ¦ Topic: Cannot call any API within hook? ¦ Replies: 2 ¦ Views: 8177

When you use a ring3 debugger to obtain RSP, is it aligned to 16 at the time of calling the API from your code? That's at the address of call qword [rdi + 78310h] ; LoadLibraryExW. If not, then change your prologue to this: start: push rcx ; this is my hook handler function, this is where the JMP lands push rdx ...

Re: What happened to North Security?

by feryno ¦ Tue Sep 01, 2015 9:22 am ¦ Forum: Tools/Software ¦ Topic: What happened to North Security? ¦ Replies: 4 ¦ Views: 8017

Hm, is the code somewhere around? Maybe I'm able to find the binaries somewhere in my old archives (PM me if you need them and they cannot be downloaded from anywhere); the source code was not published. I played with their hypervisor about 7 years ago. At that time it was for the 32-bit platform, not x64. Intel only, ...

Re: I want to intercept RDMSR on WINDOWS X64

by feryno ¦ Wed Apr 22, 2015 8:18 am ¦ Forum: Kernel-Mode Development ¦ Topic: I want to intercept RDMSR on WINDOWS X64 ¦ Replies: 6 ¦ Views: 8189

"I want to "HOOK" RDMSR: when PATCHGUARD reads MSR[0xC0000082], I return the original address of KiSystemCall64. Before this, I use WRMSR to set a new MSR[0xC0000082] value. Do you know what I mean? It means I can "HOOK" functions in the SSDT without disabling PATCHGUARD."
Yes, such a method you want to use is per...

Re: I want to intercept RDMSR on WINDOWS X64

by feryno ¦ Tue Apr 21, 2015 8:46 am ¦ Forum: Kernel-Mode Development ¦ Topic: I want to intercept RDMSR on WINDOWS X64 ¦ Replies: 6 ¦ Views: 8189

Primary Processor-Based VM-Execution Controls bit 28 = Use MSR bitmaps. Set to 0 = all guest executions of RDMSR / WRMSR cause VM exits. Set to 1 = you need to enable the corresponding bit in the MSR bitmap to intercept the MSR you like. Because you didn't intercept RDMSR, I'm only guessing that your bit 28 of th...