A forum for reverse engineering, OS internals and malware analysis 


Re: WIN64 Driver Development Basic Tutorial

 by m5home ¦  Sun Nov 05, 2017 2:50 am ¦  Forum: Kernel-Mode Development ¦  Topic: WIN64 Driver Development Basic Tutorial ¦  Replies: 19 ¦  Views: 43286

myid wrote: The code for enumerating create-process notifications is outdated; could you update your code?
Could you tell me how to enumerate the process notifications registered by PsSetCreateProcessNotifyRoutineEx2?
It is not so different across systems. All process notifications are in the same array.

New Version Released!

 by m5home ¦  Sun Nov 05, 2017 2:40 am ¦  Forum: Tools/Software ¦  Topic: [2017-11-05]ARK for Windows X64: WIN64AST(Page10#96) ¦  Replies: 98 ¦  Views: 349330

WIN64AST 1.19 - Support WIN10-16299

Download URLs:
https://pan.baidu.com/s/1skNHd9r
https://pan.baidu.com/s/1hspJHOw (WITH .NET4 FRAMEWORK)
(If you do not have an ID on this forum, you can download WIN64AST via these URLs)

Re: Reading pageable memory at HIGH_LEVEL

 by m5home ¦  Sat Sep 02, 2017 1:50 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Reading pageable memory at HIGH_LEVEL ¦  Replies: 3 ¦  Views: 8007

I don't think anyone can read the pageable memory when IRQL is higher than APC_LEVEL.

Re: Very Simple Question: How to read any kernel address saf

 by m5home ¦  Sat Sep 02, 2017 1:42 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Very Simple Question: How to read any kernel address safely? ¦  Replies: 7 ¦  Views: 14786

Use MmGetPhysicalAddress to get the physical address of your virtual address; if it returns a non-zero value, use MmMapIoSpace to get a NEW virtual address and read through that.
If you want to know more about verifying whether a virtual address is valid, read the source code of Cheat Engine.
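
The resolve-then-map pattern the reply describes, as an added example that is not code from the post, from WIN64AST or from Cheat Engine. Built with the WDK (cl /kernel defines _KERNEL_MODE) it calls the real Mm routines; on a plain host the fake three-page address space in the #else branch (constructed for this example, one page deliberately absent, 64-bit host assumed) stands in for them so the page-walking loop can be run. The function name SafeReadKernelMemory, the MmCached choice and the fake model are assumptions. Two caveats a practitioner should keep in mind: MmGetPhysicalAddress followed by MmMapIoSpace is not atomic, so the page can disappear between the two calls (this avoids faulting on absent pages, it does not give a consistent snapshot), and MmMapIoSpace is documented for device memory; mapping RAM through it, as the post suggests, is a long-standing ARK trick rather than a supported contract.

```c
/* Added example: page-by-page kernel read via MmGetPhysicalAddress + MmMapIoSpace.
 * Kernel build: real routines from ntddk.h. Host build: fake address space below
 * (constructed for the example; 64-bit host assumed). */
#ifdef _KERNEL_MODE
#include <ntddk.h>
#include <string.h>
#else
#include <stdint.h>
#include <stddef.h>
#include <string.h>
typedef void *PVOID;
typedef unsigned long ULONG;
typedef size_t SIZE_T;
typedef union { long long QuadPart; } PHYSICAL_ADDRESS;
typedef enum { MmNonCached = 0, MmCached = 1, MmWriteCombined = 2 } MEMORY_CACHING_TYPE;
#define PAGE_SIZE 4096u
#define PAGE_SHIFT 12
#define BYTE_OFFSET(va) ((ULONG)((uintptr_t)(va) & (PAGE_SIZE - 1)))

/* Fake kernel address space: FAKE_PAGES pages at FAKE_VA_BASE backed by g_backing.
 * Page 1 is deliberately "paged out" (no physical address resolves for it).
 * Fake frames start at FAKE_PFN_BASE so a resolved address is never 0. */
#define FAKE_VA_BASE 0xFFFFF80000000000ull
#define FAKE_PAGES 3
#define FAKE_PFN_BASE 0x1000ll
static unsigned char g_backing[FAKE_PAGES * PAGE_SIZE];

static int fake_page_index(PVOID va)
{
    uintptr_t a = (uintptr_t)va;
    if (a < FAKE_VA_BASE || a >= FAKE_VA_BASE + FAKE_PAGES * PAGE_SIZE) return -1;
    int idx = (int)((a - FAKE_VA_BASE) >> PAGE_SHIFT);
    return idx == 1 ? -1 : idx;          /* page 1 is the absent one */
}
static PHYSICAL_ADDRESS MmGetPhysicalAddress(PVOID va)
{
    PHYSICAL_ADDRESS pa;
    int idx = fake_page_index(va);
    pa.QuadPart = idx < 0 ? 0 : FAKE_PFN_BASE + ((long long)idx << PAGE_SHIFT) + BYTE_OFFSET(va);
    return pa;
}
static PVOID MmMapIoSpace(PHYSICAL_ADDRESS pa, SIZE_T n, MEMORY_CACHING_TYPE t)
{
    (void)n; (void)t;
    return g_backing + (pa.QuadPart - FAKE_PFN_BASE);   /* host pointer into backing */
}
static void MmUnmapIoSpace(PVOID p, SIZE_T n) { (void)p; (void)n; }
#endif

/* Copy up to Length bytes from kernel VA Source into Dest without dereferencing
 * Source itself. Each page is resolved with MmGetPhysicalAddress; 0 means "not
 * present" and the read stops there instead of faulting. Present pages are
 * re-mapped with MmMapIoSpace and copied from the new mapping. Returns bytes
 * copied. Not atomic: a page can vanish between resolve and map. MmCached is
 * an assumption (target is RAM that is already mapped cached). */
SIZE_T SafeReadKernelMemory(PVOID Dest, PVOID Source, SIZE_T Length)
{
    unsigned char *out = (unsigned char *)Dest;
    SIZE_T done = 0;
    while (done < Length) {
        PVOID va = (unsigned char *)Source + done;
        SIZE_T chunk = PAGE_SIZE - BYTE_OFFSET(va);     /* never cross a page */
        if (chunk > Length - done)
            chunk = Length - done;
        PHYSICAL_ADDRESS pa = MmGetPhysicalAddress(va);
        if (pa.QuadPart == 0)
            break;                                      /* not present: stop */
        PVOID mapped = MmMapIoSpace(pa, chunk, MmCached);
        if (mapped == NULL)
            break;
        memcpy(out + done, mapped, chunk);
        MmUnmapIoSpace(mapped, chunk);
        done += chunk;
    }
    return done;
}

#ifndef _KERNEL_MODE
/* Host-only helper: read len bytes at FAKE_VA_BASE + off, return count copied. */
SIZE_T DemoReadAt(unsigned long long off, SIZE_T len)
{
    unsigned char scratch[PAGE_SIZE];
    if (len > sizeof scratch) len = sizeof scratch;
    return SafeReadKernelMemory(scratch, (PVOID)(uintptr_t)(FAKE_VA_BASE + off), len);
}
/* Constructed scenario: a 100-byte read starting 96 bytes before the end of
 * page 0 runs into absent page 1. Expect 96 bytes with intact content;
 * returns (SIZE_T)-1 if the copied bytes do not match the pattern. */
SIZE_T DemoStraddlingRead(void)
{
    unsigned char buf[100];
    SIZE_T i, n;
    for (i = 0; i < sizeof g_backing; i++) g_backing[i] = (unsigned char)(i * 7);
    n = SafeReadKernelMemory(buf, (PVOID)(uintptr_t)(FAKE_VA_BASE + PAGE_SIZE - 96), sizeof buf);
    for (i = 0; i < n; i++)
        if (buf[i] != (unsigned char)((PAGE_SIZE - 96 + i) * 7)) return (SIZE_T)-1;
    return n;
}
int main(void) { return DemoStraddlingRead() == 96 ? 0 : 1; }
#endif
```

In a real driver the caller must also be at an IRQL where MmMapIoSpace is permitted, and a read that returns fewer bytes than requested should be treated as "stopped at an absent page", not as an error in the caller's buffer handling.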

New Version Released!

 by m5home ¦  Sun May 14, 2017 2:34 am ¦  Forum: Tools/Software ¦  Topic: [2017-11-05]ARK for Windows X64: WIN64AST(Page10#96) ¦  Replies: 98 ¦  Views: 349330

WIN64AST 1.10 BETA8 - Support WIN10-15063

Download URLs:
http://pan.baidu.com/s/1qYyNgN6
http://pan.baidu.com/s/1dF7WXnb (WITH .NET4 FRAMEWORK)
(If you do not have an ID on this forum, you can download WIN64AST via these URLs)

New Version Released!

 by m5home ¦  Wed Aug 31, 2016 12:14 pm ¦  Forum: Tools/Software ¦  Topic: [2017-11-05]ARK for Windows X64: WIN64AST(Page10#96) ¦  Replies: 98 ¦  Views: 349330

WIN64AST 1.10 BETA7 - Support WIN10-14393

Download URLs:
http://pan.baidu.com/s/1nvRfOdr
http://pan.baidu.com/s/1nvPJXxv (WITH .NET4 FRAMEWORK)
(If you do not have an ID on this forum, you can download WIN64AST via these URLs)

New Version Released!

 by m5home ¦  Mon Dec 28, 2015 4:22 pm ¦  Forum: Tools/Software ¦  Topic: [2017-11-05]ARK for Windows X64: WIN64AST(Page10#96) ¦  Replies: 98 ¦  Views: 349330

WIN64AST 1.10 BETA6 - Support WIN10-10586

Download URLs:
http://pan.baidu.com/s/1dEeXaTz
http://pan.baidu.com/s/1c1eZdfi (WITH .NET4 FRAMEWORK)
(If you do not have an ID on this forum, you can download WIN64AST via these URLs)

Re: [2015-08-04]ARK for Windows x64: WIN64AST(Page8#78)

 by m5home ¦  Mon Dec 28, 2015 4:17 pm ¦  Forum: Tools/Software ¦  Topic: [2017-11-05]ARK for Windows X64: WIN64AST(Page10#96) ¦  Replies: 98 ¦  Views: 349330

Hi m5home, Since I'm extensively using the behavior blocker function I noticed another BSOD that seems to be reproducible reliably. The issue occurs if I attempt to create a process with an initial thread in it using the well known steps listed below. NtCreateSection("csrss.exe") NtCreateProcess Nt...

Re: Kernel - Handle Hiding (7,8,8.1,10) x64 (4 Methods)

 by m5home ¦  Mon Nov 02, 2015 8:24 am ¦  Forum: Kernel-Mode Development ¦  Topic: Kernel - Handle Hiding (7,8,8.1,10) x64 (4 Methods) ¦  Replies: 5 ¦  Views: 6755

I liked hiding processes nearly 6 years ago.
I found that hiding a process is not useful, because it stops the process from working normally (some APIs, like CreateProcess, will always fail after the process is hidden).

Re: [2015-08-04]ARK for Windows x64: WIN64AST(Page8#78)

 by m5home ¦  Mon Nov 02, 2015 8:15 am ¦  Forum: Tools/Software ¦  Topic: [2017-11-05]ARK for Windows X64: WIN64AST(Page10#96) ¦  Replies: 98 ¦  Views: 349330

tcxyqs wrote: Good tool. Could you support WIN10 10525?
Preview/beta versions of the system are not supported.
