A forum for reverse engineering, OS internals and malware analysis 


Re: CCleaner

 by vs2099 ¦  Sun Oct 15, 2017 3:12 am ¦  Forum: Malware ¦  Topic: CCleaner ¦  Replies: 1 ¦  Views: 7141

Malware with a famous digital signature is very horrible.
I use CCleaner on my PC, but the version is 4.xx, and I use Windows Firewall to disable software updates.

Re: DbgChild - Debug Child Process Tool

 by vs2099 ¦  Sun Oct 15, 2017 3:08 am ¦  Forum: Tools/Software ¦  Topic: DbgChild - Debug Child Process Tool ¦  Replies: 1 ¦  Views: 10565

Good tool with source code.
I like it.

Re: How can I distinguish shutdown or reboot in kernel mode?

 by vs2099 ¦  Tue Feb 28, 2017 5:11 am ¦  Forum: Kernel-Mode Development ¦  Topic: How can I distinguish shutdown or reboot in kernel mode? ¦  Replies: 9 ¦  Views: 17230

Brock wrote:vs2099,

You have to register with a call to IoRegisterShutdownNotification(), are you doing this?
YES, I have already registered the shutdown notification.
I can get the DispatchShutdown call, but not the DispatchPower call.

Re: How can I distinguish shutdown or reboot in kernel mode?

 by vs2099 ¦  Mon Feb 27, 2017 1:16 am ¦  Forum: Kernel-Mode Development ¦  Topic: How can I distinguish shutdown or reboot in kernel mode? ¦  Replies: 9 ¦  Views: 17230

There is the field in IRP describing power action Irp->Parameters.Power.ShutdownType; you can try to check whether it works in this callback. According to MSDN IRP_MJ_POWER -> IRP_MN_SET_POWER -> Irp->Parameters.Power.ShutdownType I fill DriverObject->MajorFunction[IRP_MJ_POWER] with my dispatch function, ...

Re: How can I distinguish shutdown or reboot in kernel mode?

 by vs2099 ¦  Mon Feb 27, 2017 1:14 am ¦  Forum: Kernel-Mode Development ¦  Topic: How can I distinguish shutdown or reboot in kernel mode? ¦  Replies: 9 ¦  Views: 17230

EP_X0FF wrote:There is the field in IRP describing power action

Irp->Parameters.Power.ShutdownType

you can try to check whether it works in this callback.

According to MSDN IRP_MJ_POWER -> IRP_MN_SET_POWER -> Irp->Parameters.Power.ShutdownType
Not useful.

Re: How can I distinguish shutdown or reboot in kernel mode?

 by vs2099 ¦  Sat Feb 25, 2017 5:16 am ¦  Forum: Kernel-Mode Development ¦  Topic: How can I distinguish shutdown or reboot in kernel mode? ¦  Replies: 9 ¦  Views: 17230

EP_X0FF wrote:https://msdn.microsoft.com/en-us/librar ... s.85).aspx
I cannot judge shutdown or reboot in ShutdownDispatch.

How can I distinguish shutdown or reboot in kernel mode?

 by vs2099 ¦  Sat Feb 25, 2017 3:20 am ¦  Forum: Kernel-Mode Development ¦  Topic: How can I distinguish shutdown or reboot in kernel mode? ¦  Replies: 9 ¦  Views: 17230

Hello everyone!

I want to distinguish shutdown or reboot in kernel mode.

How can I do it? IRP_MJ_SHUTDOWN has no parameter, and IRP_MJ_POWER is too late.

strange thing about wow64 process call GetThreadContext

 by vs2099 ¦  Sat Nov 21, 2015 8:52 pm ¦  Forum: Kernel-Mode Development ¦  Topic: strange thing about wow64 process call GetThreadContext ¦  Replies: 2 ¦  Views: 4399

Hi. Everyone knows that if a process calls kernel32!GetThreadContext, it goes through nt!NtGetContextThread. But I found that if a wow64 process calls kernel32!GetThreadContext, it does not go through nt!NtGetContextThread. I used a BP (WinDbg) and even a kernel inline hook and tried to catch something, but I failed. ...

Re: Undocumented structures for W2k-Win7

 by vs2099 ¦  Wed Jul 17, 2013 2:53 am ¦  Forum: Kernel-Mode Development ¦  Topic: Undocumented structures for W2k-Win10 ¦  Replies: 21 ¦  Views: 74906

Good.

[WFP]Why classifyContext in classifyFn1 is NULL?

 by vs2099 ¦  Wed Jul 17, 2013 2:52 am ¦  Forum: Kernel-Mode Development ¦  Topic: [WFP]Why classifyContext in classifyFn1 is NULL? ¦  Replies: 0 ¦  Views: 2743

Hi, everyone.
I use FWPM_LAYER_ALE_AUTH_CONNECT_V4 to register a classifyFn.
I want to use FwpsPendClassify0, which means I need to get a classifyHandle.
But classifyContext in classifyFn1 is NULL, so I cannot get the classifyHandle with FwpsAcquireClassifyHandle0.
How can I solve this problem?