Malware with a famous digital signature is very horrible.
I use CCleaner on my PC, but the version is 4.xx, and I use the Windows firewall to disable software updates.
Brock wrote: vs2099, YES, I have already registered the shutdown notification.
You have to register with a call to IoRegisterShutdownNotification(), are you doing this?
There is a field in the IRP describing the power action, Irp->Parameters.Power.ShutdownType; you can try checking whether it works in this callback. According to MSDN: IRP_MJ_POWER -> IRP_MN_SET_POWER -> Irp->Parameters.Power.ShutdownType. I fill DriverObject->MajorFunction[IRP_MJ_POWER] with my dispatch function, ...
EP_X0FF wrote: There is a field in the IRP describing the power action.
Not useful.
You can try checking whether it works in this callback.
According to MSDN: IRP_MJ_POWER -> IRP_MN_SET_POWER -> Irp->Parameters.Power.ShutdownType
EP_X0FF wrote: https://msdn.microsoft.com/en-us/librar ... s.85).aspx
I cannot judge shutdown or reboot in ShutdownDispatch.
I want to distinguish shutdown or reboot in kernel mode.
How can I do it? IRP_MJ_SHUTDOWN has no parameter, and IRP_MJ_POWER is too late.
Hi, everyone knows that if a process calls kernel32!GetThreadContext, it will go through nt!NtGetContextThread. But I found that if a wow64 process calls kernel32!GetThreadContext, it will not go through nt!NtGetContextThread. I used a BP (WinDbg) and even a kernel inline hook and tried to catch something, but I failed. ...
I use FWPM_LAYER_ALE_AUTH_CONNECT_V4 to register a classifyFn.
I want to use FwpsPendClassify0, which means I need to get a classifyHandle.
But classifyContext in classifyFn1 is NULL, so I cannot get the classifyHandle with FwpsAcquireClassifyHandle0.
How to solve this problem?