A forum for reverse engineering, OS internals and malware analysis 

Re: Integrity check of DLL from Driver

 by evelyette ¦  Thu Feb 23, 2017 7:55 am ¦  Forum: Kernel-Mode Development ¦  Topic: Integrity check of DLL from Driver ¦  Replies: 3 ¦  Views: 10115

My plan is to support versions from Windows 7 (including) upwards; however if this is considerably easier in Windows 8.1+ I might not bother with Windows 7. Can you provide a link to BCrypt? So all other AV vendors out there are also doing this manually, which makes this a likely issue where they ge...

Integrity check of DLL from Driver

 by evelyette ¦  Wed Feb 22, 2017 11:26 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Integrity check of DLL from Driver ¦  Replies: 3 ¦  Views: 10115

Hi, I'm interested in knowing how one can verify the integrity of a DLL from a kernel-mode driver prior to the DLL being injected into the application. I'm basically looking for a kernel-mode WinVerifyTrustEx. I've seen https://msdn.microsoft.com/en-us/library/aa376210(v=vs.85).aspx , but it doesn...

Re: Mapping ntdll.dll into kernel-mode memory

 by evelyette ¦  Mon Feb 13, 2017 6:50 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Mapping ntdll.dll into kernel-mode memory ¦  Replies: 2 ¦  Views: 8746

Hello, Yes, you can retrieve the system service indexes from a mapped view of the already existing KnownDlls\ntdll.dll section. You have to open the section first with SECTION_MAP_READ then map the view into kernel space with PAGE_READONLY, locate the export directory (RtlImageDirectoryEntryToData)...

Mapping ntdll.dll into kernel-mode memory

 by evelyette ¦  Fri Feb 10, 2017 11:01 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Mapping ntdll.dll into kernel-mode memory ¦  Replies: 2 ¦  Views: 8746

Hi, The http://www.rohitab.com/discuss/topic/42451-mapping-ntdll-into-kernel-memory-and-read-the-ssdt-index-of-system-service-functions/ article obtains the indexes of SSDT entries by doing the following: 1. ZwOpenFile : Open the "\SystemRoot\System32\ntdll.dll" file. 2. ZwQueryInformationFile : Obt...

Re: Monitoring Processes on Windows NT from Usermode (x86 & x64)

 by evelyette ¦  Wed Jul 20, 2016 5:48 pm ¦  Forum: User-Mode Development ¦  Topic: Monitoring Processes on Windows NT from Usermode (x86 & x64) ¦  Replies: 19 ¦  Views: 48750

I realize this is an old thread, but I've been experimenting with the AppCertDlls technique on Windows 7 and Windows 10, and while the DLL library is injected into some processes, it isn't injected into others. The library is injected into session 0 processes like the following: - svchost.exe: only one o...

Re: Internals of file integrity checking

 by evelyette ¦  Sun May 22, 2016 9:25 am ¦  Forum: General Discussion ¦  Topic: Internals of file integrity checking ¦  Replies: 11 ¦  Views: 20949

@evelyette, Have you tried running something like Rohitab's API Monitor on SFC.exe and SysInspector.exe? You might try doing this in order to track down dynamic API calls. http://www.rohitab.com/apimonitor Best Regards, Brock

Yeah, I'm using it constantly, it's a great application; however it doesn...

Re: Internals of file integrity checking

 by evelyette ¦  Wed May 18, 2016 8:09 pm ¦  Forum: General Discussion ¦  Topic: Internals of file integrity checking ¦  Replies: 11 ¦  Views: 20949

Hi, I've enabled loader snaps and the following is displayed in WinDbg; note that when IE is running under ESET's protected mode, IE is unable to load the DLL, regardless of whether a debugger is attached or not.

0810:0704 @ 53652843 - LdrpResolveFileName - ENTER: DLL name: C:\Windows\system32\t...

Re: Internals of file integrity checking

 by evelyette ¦  Tue May 17, 2016 10:41 pm ¦  Forum: General Discussion ¦  Topic: Internals of file integrity checking ¦  Replies: 11 ¦  Views: 20949

One more thing. When starting IE in the protected mode provided by ESET, we can attach to iexplore.exe with WinDbg, but IE will fail to load any DLL. WinDbg will display a number of messages like this, where it wants to load titan.dll, which is available in the system32 folder, but WinDbg fails to...

Re: Internals of file integrity checking

 by evelyette ¦  Sun May 15, 2016 7:37 am ¦  Forum: General Discussion ¦  Topic: Internals of file integrity checking ¦  Replies: 11 ¦  Views: 20949

I've set a breakpoint on WinVerifyTrust in WinDbg, which can be seen in the picture below (winverify.png), but the breakpoint wasn't hit when starting ESET SysInspector or sfc.exe, so I'm assuming that function isn't being used to check the integrity of files. I've also run the sfc.exe command like th...

Re: Internals of file integrity checking

 by evelyette ¦  Sat May 14, 2016 5:08 pm ¦  Forum: General Discussion ¦  Topic: Internals of file integrity checking ¦  Replies: 11 ¦  Views: 20949

Hi, I've used the following program (obtained from https://msdn.microsoft.com/en-us/library/windows/desktop/aa382384(v=vs.85).aspx ), which calls WinVerifyTrust manually. //------------------------------------------------------------------- // Copyright (C) Microsoft. All rights reserved. // Exa...