A forum for reverse engineering, OS internals and malware analysis 

Search found 221 matches

 Go to advanced search

Re: Discovering footprints of loaded and unloaded kernel mode drivers

 by Brock ¦  Sat Aug 10, 2019 9:48 pm ¦  Forum: Newbie Questions ¦  Topic: Discovering footprints of loaded and unloaded kernel mode drivers ¦  Replies: 3 ¦  Views: 471

Tags from pool memory that has not been deallocated and registry values that may have been left behind are another couple of potential areas to investigate. Does not matter if the driver is loaded normally or sideloaded off a vulnerable driver in the system, there can be quite a bit of artifacts lef...

No problem. Glad it is useful to you. I believe it’s a pretty decent example

Please see here:

https://github.com/microsoft/Windows-dr ... r/avscan.c

it shows how to detect and optionally handle transacted files

Best regards

There's a slight chance that in the scenario where the problem has occurred, the rollback phase was skipped so the file with transaction was closed with pending transaction. KTM should automatically roll the transaction back upon the last handle to the tx being closed before any commit action, acco...

Could be due to several reasons. Without seeing a line of code we'd be playing guessing games, wouldn't we? What does your call to FltGetFileNameInformation() look like, mainly the "nameoptions"?

Re: Check if process is UWP application.

 by Brock ¦  Thu Jun 13, 2019 8:19 pm ¦  Forum: User-Mode Development ¦  Topic: Check if process is UWP application. ¦  Replies: 2 ¦  Views: 1518

@Iradicator You can use DllImport in PowerShell for Windows API and make a call to IsImmersiveProcess() https://docs.microsoft.com/en-us/windows/desktop/api/winuser/nf-winuser-isimmersiveprocess It will tell you if the target process is a Windows Store app / Metro app / WinRT app / UWP app etc. What...

Re: Why Microsoft don't block elevation runas?

 by Brock ¦  Tue Apr 30, 2019 2:35 am ¦  Forum: General Discussion ¦  Topic: Why Microsoft don't block elevation runas? ¦  Replies: 5 ¦  Views: 1352

Why is that? Why Microsoft can not somehow track this and ban?
Kinda like a cheater/hacker in Counter-Strike? KEWL!!! =]

Why are you creating a thread in DLLMain just to patch an API? Do this directly in DLLMain and get rid of your handle leaking BeginThread call. Threads also don't run until DLLMain is complete because loader lock is held, so no sense in delaying the patch either. Also, inside the ugly patch routine ...

Re: Some code doesn't works with SYSTEM priv.

 by Brock ¦  Sat Mar 23, 2019 9:59 pm ¦  Forum: Newbie Questions ¦  Topic: Some code doesn't works with SYSTEM priv. ¦  Replies: 4 ¦  Views: 1184

Are you positive that the error isn't correct? You might try impersonating the logged on user while you access the network shares. It's kind of a bit hackish but it may work for you HANDLE hToken = 0; ULONG SessionId = WTSGetActiveConsoleSessionId(); if (WTSQueryUserToken(SessionId, &hToken)) { if (...

Re: My AV says my router is infected

 by Brock ¦  Sat Feb 23, 2019 1:44 pm ¦  Forum: Newbie Questions ¦  Topic: My AV says my router is infected ¦  Replies: 9 ¦  Views: 2546

Perhaps this is VPNFilter malware?

You can quickly and easily check for its presence online below


  • 1
  • 2
  • 3
  • 4
  • 5
  • 23