A forum for reverse engineering, OS internals and malware analysis 

Search found 4 matches


Duqu 2.0 14712103ddf9f6e77fa5c9a3288bd5ee

 by IChooseYou ¦  Fri Jun 12, 2015 2:44 pm ¦  Forum: Completed Malware Requests ¦  Topic: Duqu 2.0 14712103ddf9f6e77fa5c9a3288bd5ee ¦  Replies: 0 ¦  Views: 3913

https://securelist.com/files/2015/06/Th ... eturns.pdf

Long shot, but if anybody can provide this or the CTwoPENC.dll module it would be great.

NVM, I'm an idiot: http://www.kernelmode.info/forum/viewto ... =16&t=3900

Re: Application Verifier Custom Providers

 by IChooseYou ¦  Sat Mar 14, 2015 5:51 am ¦  Forum: User-Mode Development ¦  Topic: Application Verifier Custom Providers ¦  Replies: 12 ¦  Views: 43464

EP_X0FF wrote: Get rid of CRT.
The post limitation is extremely annoying.

Getting rid of the C runtimes sounds like a pretty shitty fix.
I just don't understand why Microsoft's verifier _CRT_INIT and my _CRT_INIT are so different from each other.

Re: Application Verifier Custom Providers

 by IChooseYou ¦  Sat Mar 14, 2015 1:52 am ¦  Forum: User-Mode Development ¦  Topic: Application Verifier Custom Providers ¦  Replies: 12 ¦  Views: 43464

Download Application Verifier and test this application with it. I tried it. Application Verifier works. My problem seems to be initializing CRT on Windows 7. I skipped _DllMainCRTStartup by setting /ENTRY to DllMain. Surprisingly that worked on Windows 7 (and crashed on Windows 8). Win7 x86 buil...

Re: Application Verifier Custom Providers

 by IChooseYou ¦  Fri Mar 13, 2015 1:27 am ¦  Forum: User-Mode Development ¦  Topic: Application Verifier Custom Providers ¦  Replies: 12 ¦  Views: 43464

This works on Windows 8 & Server 2012 but fails on Windows 7 x64 with this error: http://i.imgur.com/PnrMoyh.png http://i.imgur.com/OMahd9J.png It's so early in the loading process that I'm having a hard time debugging this. The stack in olly shows this: .text:1002C185 ; START OF FUNCTION CHUNK FOR ...