Search found 12 matches

by raiden
Mon Apr 24, 2017 11:09 am
Forum: Kernel-Mode Development
Topic: How to link with ntoskrnl.lib?
Replies: 4
Views: 9750

Re: How to link with ntoskrnl.lib?

Add extern "C", __declspec(dllimport) and the calling convention to your definition, something like this:

Code:

#include <ntifs.h>   /* NTSTATUS, PEPROCESS, NTSYSAPI, NTAPI */

/* PsSuspendProcess is exported by ntoskrnl but has no prototype in the WDK headers,
   so declare it yourself: extern "C" for unmangled C linkage,
   NTSYSAPI (expands to __declspec(dllimport)) and NTAPI (__stdcall). */
extern "C"
NTSYSAPI
NTSTATUS
NTAPI
PsSuspendProcess (
  PEPROCESS Process
);
by raiden
Mon Mar 13, 2017 2:46 pm
Forum: Kernel-Mode Development
Topic: MM code bug check for vad erase
Replies: 5
Views: 10828

Re: MM code bug check for vad erase

It's a typical sign of a stack buffer overflow (Bug check 0xF7 and nt!_report_gsfailure in your stack trace).
by raiden
Wed Feb 15, 2017 6:48 pm
Forum: Reverse Engineering and Debugging
Topic: Looking for appinfo.dll 7600 x64
Replies: 2
Views: 9190

Re: Looking for appinfo.dll 7600 x64

Hello,

I extracted this from Win7 x64 SP0 (RTM).
by raiden
Sat May 14, 2016 7:36 pm
Forum: General Discussion
Topic: Internals of file integrity checking
Replies: 11
Views: 20766

Re: Internals of file integrity checking

First off, the MSDN code handles embedded digital signatures only, not security catalog signatures. It can't differentiate between an unsigned executable and a catalog-signed one. I have added an extra piece of code to the MSDN example to make it work. I had to add some definitions because visual stud...
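Added example, not code from this thread or from raiden: a PowerShell check that reports, for each file, whether its signature is embedded (Authenticode), comes from a security catalog, or is absent, which is exactly the distinction the embedded-only MSDN WinVerifyTrust sample collapses. It assumes Windows 10 / Server 2016 or later with Windows PowerShell 5.1 or newer (or PowerShell 7 on Windows), where Get-AuthenticodeSignature also looks the file hash up in the security catalogs; the function name Get-SignatureClass and the sample paths are my own.

```powershell
# Added example, not from the original thread.
# Assumes Windows 10 / Server 2016+ and Windows PowerShell 5.1+ (or PowerShell 7 on Windows),
# where Get-AuthenticodeSignature also consults the security catalogs under CatRoot.
function Get-SignatureClass {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)

    process {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path

        # Three outcomes an embedded-only check cannot tell apart:
        #   SignatureType None         -> genuinely unsigned (Status NotSigned)
        #   SignatureType Authenticode -> signature embedded in the PE
        #   SignatureType Catalog      -> file hash listed in a signed .cat
        [pscustomobject]@{
            Path          = $Path
            Status        = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            SignatureType = $sig.SignatureType     # None, Authenticode, Catalog
            IsOSBinary    = $sig.IsOSBinary        # true for Windows-signed system files
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Constructed sample input: a couple of System32 binaries (typically catalog-signed)
# plus a hypothetical third-party executable; replace the last path with a real one.
$samples = @(
    "$env:SystemRoot\System32\notepad.exe",
    "$env:SystemRoot\System32\calc.exe",
    "$env:ProgramFiles\SomeVendor\SomeTool.exe"
)

$samples |
    Where-Object { Test-Path -LiteralPath $_ } |
    Get-SignatureClass |
    Format-Table Path, Status, SignatureType, IsOSBinary, Signer -AutoSize
```

A row with Status Valid and SignatureType Catalog is the case the post describes: an embedded-only WinVerifyTrust call reports such a file as unsigned. On hosts whose PowerShell does not consult catalogs (an assumption about older versions, not something this thread states), the cmdlet shows the same file as NotSigned, so compare results across machines before concluding a system binary is unsigned.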
by raiden
Thu May 12, 2016 8:39 am
Forum: General Discussion
Topic: Internals of file integrity checking
Replies: 11
Views: 20766

Re: Internals of file integrity checking

Hi,

I have no idea about ESET internals, but you should have checked dynamic imports as well. Process Explorer dynamically uses the same API (WinVerifyTrust) to check the integrity of an executable file.
by raiden
Tue Aug 18, 2015 10:46 am
Forum: Completed Malware Requests
Topic: Looking for CVE-2015-2590
Replies: 4
Views: 6336

Re: Looking for CVE-2015-2590

https://www.virustotal.com/en/file/3f2d ... /analysis/

Edit: @Stylo: I know you have encountered this! Just thought that maybe someone will find this useful.
by raiden
Fri Jun 05, 2015 12:49 pm
Forum: Kernel-Mode Development
Topic: How to convert string mode IP address to a ULONG in driver?
Replies: 2
Views: 4029

Re: How to convert string mode IP address to a ULONG in driver?

Use RtlIpv4StringToAddress (exported by ntoskrnl).
by raiden
Sun May 24, 2015 3:52 pm
Forum: General Discussion
Topic: MS15-010
Replies: 1
Views: 5635

MS15-010

Hi,

This is my proof-of-concept exploit for CVE-2015-0003 (MS15-010).

Regards,

Skylake (raiden)