A forum for reverse engineering, OS internals and malware analysis 


Re: Hook Analyser 1.4

 by Microwave89 ¦  Wed Mar 23, 2016 10:11 am ¦  Forum: Tools/Software ¦  Topic: Hook Analyser 1.4 ¦  Replies: 10 ¦  Views: 32091

Hey, it seems that your Hook Analyzer 3.3 process is not x86-64 aware when opening the respective image files for a process. I externally opened notepad.exe, then chose to open and hook into a process (I pressed "2" on the welcome screen of Hook Analyzer) and entered the notepad.exe PID as told. Next ...

Re: Welcome back KM.info

 by Microwave89 ¦  Thu Mar 17, 2016 9:48 pm ¦  Forum: General Discussion ¦  Topic: Welcome back KM.info ¦  Replies: 1 ¦  Views: 5971

Yes, full acknowledge!
I truly missed this community! In my opinion it is an outstanding data base of highly advanced knowledge!
I was just about to ask someone what would be the replacement for it...glad there isn't any need anymore.

Kind regards,
Microwave89

Re: NtXxx System Call Stub Change in Windows 10 525+

 by Microwave89 ¦  Wed Dec 30, 2015 2:54 pm ¦  Forum: Newbie Questions ¦  Topic: NtXxx System Call Stub Change in Windows 10 525+ ¦  Replies: 2 ¦  Views: 5932

But compatibility with what? And is it behaving as expected if I receive a #GP if I currently attempt to invoke the int 2E instruction on my Windows 10 Core 2 Duo machine?

Best regards

Re: Hooking usage of DLL function

 by Microwave89 ¦  Fri Dec 18, 2015 10:08 am ¦  Forum: User-Mode Development ¦  Topic: Hooking usage of DLL function ¦  Replies: 17 ¦  Views: 34074

I did not test it completely (with multiple hooks active) yet but syntax-wise it looks promising. I will lose some words about it after the weekend since unfortunately I have to work for the university project now... Or even better, I'll put it online then so you have everything you need such as dif...

Re: Hooking usage of DLL function

 by Microwave89 ¦  Wed Dec 16, 2015 9:30 pm ¦  Forum: User-Mode Development ¦  Topic: Hooking usage of DLL function ¦  Replies: 17 ¦  Views: 34074

As I also needed true inline assembly in a new project I used GCC for it. Before doing so I tried to sign up for the student Intel C++ compiler, since allegedly it is capable of x86-64 inline assembly too, but I did not receive any further answer after trying to make them add my university to their ...

Re: RogueKillerPE

 by Microwave89 ¦  Sun Dec 06, 2015 4:05 pm ¦  Forum: Tools/Software ¦  Topic: RogueKillerPE ¦  Replies: 5 ¦  Views: 22045

Thanks for the share! However, I noticed two minor "bugs", at least in my opinion. 1.) Shouldn't the OriginalEntryPoint of the file be named OEP instead of EOP? I can find more related information on the web when looking up "PE" "OEP" instead of "PE" "EOP". 2.) When I test the tool with an x64 executab...

Re: Monitoring Windows Services

 by Microwave89 ¦  Fri Nov 27, 2015 6:48 pm ¦  Forum: Newbie Questions ¦  Topic: Monitoring Windows Services ¦  Replies: 6 ¦  Views: 7054

Regarding Services: See Windows Internals 6, Part 1, "Services".
Not all services must have a DLL, only those with "shared" type.
Own services are just an exe with a special main, "SvcMain" iirc.

Kind regards,

Microwave89

NtXxx System Call Stub Change in Windows 10 525+

 by Microwave89 ¦  Sun Nov 22, 2015 8:52 pm ¦  Forum: Newbie Questions ¦  Topic: NtXxx System Call Stub Change in Windows 10 525+ ¦  Replies: 2 ¦  Views: 5932

Hi Kernelmode.info! Upon attempting something (can't remember what exactly it was) that relied on the x64 ntdll.dll system call layout being unchanged I stumbled across the new system call layout. Instead of simply loading eax with the system call number and then issuing the 0F 05 instruction as bef...

Re: VrtuleTree: A Really Simple DeviceTree

 by Microwave89 ¦  Sat Nov 07, 2015 12:22 am ¦  Forum: Tools/Software ¦  Topic: VrtuleTree: A Really Simple DeviceTree ¦  Replies: 20 ¦  Views: 39637

Unfortunately, I cannot check out the tool properly since it says "Cannot create snapshot" if I click on "File" - "Create snapshot". I'm running Windows 10 x64 Build 10240. If I click on "File" - "Log" - "Test..." it says an access violation has occurred and nothing happens. The tool does not...

Re: [2015-08-04]ARK for Windows x64: WIN64AST(Page8#78)

 by Microwave89 ¦  Sat Nov 07, 2015 12:04 am ¦  Forum: Tools/Software ¦  Topic: [2017-11-05]ARK for Windows X64: WIN64AST(Page10#96) ¦  Replies: 99 ¦  Views: 351042

Hi m5home, Since I'm extensively using the behavior blocker function I noticed another BSOD that seems to be reproducible reliably. The issue occurs if I attempt to create a process with an initial thread in it using the well known steps listed below. NtCreateSection("csrss.exe") NtCreateProcess NtC...