Search found 4297 matches

by EP_X0FF
Mon Mar 18, 2019 4:12 am
Forum: General Discussion
Topic: Global ATM Malware Wall
Replies: 1
Views: 90

Re: Global ATM Malware Wall

Looks cool, also I added a link to it here: List of Malware Sources
by EP_X0FF
Thu Mar 14, 2019 3:16 am
Forum: Reverse Engineering and Debugging
Topic: Injecting code to non-protected process. getting error loading dll.
Replies: 2
Views: 188

Re: Injecting code to non-protected process. getting error loading dll.

Look for this process mitigation policy.

ProcessSignaturePolicy
https://docs.microsoft.com/en-us/window ... ion_policy

AFAIR it is in the EPROCESS field MitigationFlagsValues.
by EP_X0FF
Wed Feb 27, 2019 2:22 pm
Forum: Malware
Topic: Ransom/AveMaria
Replies: 0
Views: 306

Ransom/AveMaria

https://www.zdnet.de/88351787/malware-ave_maria-nutzt-unegepatchte-sicherheitsluecken-zur-rechteausweitung/
https://securityaffairs.co/wordpress/79757/malware/the-ave_maria-malware.html

Primitive copy-paste ransomware.

VT https://www.virustotal.com/en/file/0cc95d376267ae78c309fd5f60f3083670b1c2616b...
by EP_X0FF
Sat Feb 23, 2019 2:02 am
Forum: Newbie Questions
Topic: Question about WinObjEx output
Replies: 1
Views: 207

Re: Question about WinObjEx output

It means what is written: the IRP handler of an object located in one module is set to a handler in another module.
by EP_X0FF
Sun Jan 27, 2019 2:40 pm
Forum: Kernel-Mode Development
Topic: How several antivirus software developers are able to write in SSDT/SSSDT tables on Windows x64?
Replies: 4
Views: 1276

Re: How several antivirus software developers are able to write in SSDT/SSSDT tables on Windows x64?

PatchGuard in Win7 doesn't check some areas. As far as I remember, inline hooking of the win32k table was used by Sandboxie before. Microsoft closed this in Win8. http://www.kernelmode.info/forum/viewtopic.php?f=14&t=2416 As for your links: 1) https://stackoverflow.com/questions/20552300/hook-zwterminate...
by EP_X0FF
Fri Jan 25, 2019 2:41 pm
Forum: User-Mode Development
Topic: How to emulate LOW IL ?
Replies: 6
Views: 1682

Re: How to emulate LOW IL ?

EP_X0FF, thank you, your code works well. I have one question, only for my own education. Microsoft says that the Low SID is "S-1-16-1024"; but in the book "Writing Secure Code for Windows Vista" (Howard, LeBlanc) there is another string for the Low ID: "S-1-16-4096". Why, and which one is right? That is...
by EP_X0FF
Fri Jan 25, 2019 4:06 am
Forum: User-Mode Development
Topic: How to emulate LOW IL ?
Replies: 6
Views: 1682

Re: How to emulate LOW IL ?

Heh, well, pretty much what could you expect from MSDN Microsoft code, isn't it? Try this instead.

BOOL Exec(
    _In_ LPWSTR lpszCommandLine,
    _In_ LPWSTR lpszDirectory,
    _In_ DWORD dwSubAuthority,
    _In_ BOOL WaitForExit
)
{
    BOOL cond = FALSE;
    BOOL bResult = FALSE;
    HANDLE hToken = NULL, hNewToken = NULL;
    S...
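Added example, not EP_X0FF's code and not from this thread: the dwSubAuthority argument above is the RID of the mandatory-label SID (S-1-16-&lt;rid&gt;) that the new token carries, and the SID strings the two posts argue about differ only in that RID. The portable C below builds such a SID in the exact byte layout a Windows token expects (revision, sub-authority count, 6-byte big-endian identifier authority 16, little-endian 32-bit sub-authorities), renders it back to the S-1-16-... string, and parses arbitrary SID strings. The RID constants are the SECURITY_MANDATORY_*_RID values from winnt.h; the type and function names (sid_t, mandatory_label_sid, mandatory_rid_of, and so on) are this example's own, not Windows API names. It runs on any platform because it never calls the Win32 API.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mandatory label RIDs as defined in winnt.h (SECURITY_MANDATORY_*_RID). */
enum {
    MANDATORY_UNTRUSTED_RID = 0x0000,
    MANDATORY_LOW_RID       = 0x1000,   /* 4096  -> "S-1-16-4096"  (Low IL) */
    MANDATORY_MEDIUM_RID    = 0x2000,   /* 8192  -> "S-1-16-8192"  */
    MANDATORY_HIGH_RID      = 0x3000,   /* 12288 -> "S-1-16-12288" */
    MANDATORY_SYSTEM_RID    = 0x4000    /* 16384 -> "S-1-16-16384" */
};

#define SID_REVISION            1
#define SID_MAX_SUB_AUTHORITIES 15
#define MANDATORY_LABEL_AUTH    16      /* SECURITY_MANDATORY_LABEL_AUTHORITY {0,0,0,0,0,16} */

/* Example-local mirror of the SID layout: fields in the order the kernel stores them. */
typedef struct {
    uint8_t  revision;
    uint8_t  sub_authority_count;
    uint8_t  identifier_authority[6];               /* big-endian 48-bit value */
    uint32_t sub_authority[SID_MAX_SUB_AUTHORITIES]; /* little-endian in memory */
} sid_t;

/* Parse one unsigned decimal field; rejects sign, whitespace and empty fields. */
static int parse_dec(const char **s, unsigned long long *v) {
    char *end;
    if (**s < '0' || **s > '9') return -1;
    *v = strtoull(*s, &end, 10);
    *s = end;
    return 0;
}

/* Parse "S-R-A-S1-S2-..." into sid_t. Returns 0 on success, -1 on malformed input. */
static int sid_from_string(const char *s, sid_t *out) {
    unsigned long long v;
    if (!s || !out || s[0] != 'S' || s[1] != '-') return -1;
    memset(out, 0, sizeof *out);
    s += 2;
    if (parse_dec(&s, &v) || *s != '-' || v != SID_REVISION) return -1;
    out->revision = (uint8_t)v;
    s++;
    if (parse_dec(&s, &v) || v > 0xFFFFFFFFFFFFULL) return -1;   /* 48-bit authority */
    for (int i = 0; i < 6; i++)
        out->identifier_authority[i] = (uint8_t)(v >> (8 * (5 - i)));
    while (*s == '-') {
        if (out->sub_authority_count == SID_MAX_SUB_AUTHORITIES) return -1;
        s++;
        if (parse_dec(&s, &v) || v > 0xFFFFFFFFULL) return -1;
        out->sub_authority[out->sub_authority_count++] = (uint32_t)v;
    }
    return *s == '\0' ? 0 : -1;
}

/* Serialize to the in-memory byte layout; returns bytes written or -1 if buf is too small. */
static int sid_to_bytes(const sid_t *sid, uint8_t *buf, size_t buflen) {
    size_t need = 8 + 4u * sid->sub_authority_count;
    if (buflen < need) return -1;
    buf[0] = sid->revision;
    buf[1] = sid->sub_authority_count;
    memcpy(buf + 2, sid->identifier_authority, 6);
    for (unsigned i = 0; i < sid->sub_authority_count; i++) {
        uint32_t sa = sid->sub_authority[i];
        buf[8 + 4 * i + 0] = (uint8_t)(sa);
        buf[8 + 4 * i + 1] = (uint8_t)(sa >> 8);
        buf[8 + 4 * i + 2] = (uint8_t)(sa >> 16);
        buf[8 + 4 * i + 3] = (uint8_t)(sa >> 24);
    }
    return (int)need;
}

/* Render a SID back to "S-R-A-S1-..." form; returns length or -1 on truncation. */
static int sid_to_string(const sid_t *sid, char *buf, size_t buflen) {
    unsigned long long auth = 0;
    for (int i = 0; i < 6; i++) auth = (auth << 8) | sid->identifier_authority[i];
    int n = snprintf(buf, buflen, "S-%u-%llu", sid->revision, auth);
    if (n < 0 || (size_t)n >= buflen) return -1;
    for (unsigned i = 0; i < sid->sub_authority_count; i++) {
        int m = snprintf(buf + n, buflen - n, "-%u", sid->sub_authority[i]);
        if (m < 0 || (size_t)m >= buflen - n) return -1;
        n += m;
    }
    return n;
}

/* Build the single-sub-authority mandatory-label SID a token with this IL carries. */
static void mandatory_label_sid(uint32_t rid, sid_t *out) {
    memset(out, 0, sizeof *out);
    out->revision = SID_REVISION;
    out->sub_authority_count = 1;
    out->identifier_authority[5] = MANDATORY_LABEL_AUTH;
    out->sub_authority[0] = rid;
}

/* If s is a well-formed mandatory-label SID (S-1-16-<rid>), return rid, else -1. */
static long mandatory_rid_of(const char *s) {
    static const uint8_t label_auth[6] = {0, 0, 0, 0, 0, MANDATORY_LABEL_AUTH};
    sid_t sid;
    if (sid_from_string(s, &sid) != 0) return -1;
    if (memcmp(sid.identifier_authority, label_auth, 6) != 0) return -1;
    if (sid.sub_authority_count != 1) return -1;
    return (long)sid.sub_authority[0];
}

int main(void) {
    sid_t low; uint8_t raw[64]; char text[64];
    mandatory_label_sid(MANDATORY_LOW_RID, &low);
    int len = sid_to_bytes(&low, raw, sizeof raw);
    sid_to_string(&low, text, sizeof text);
    printf("%s ->", text);                    /* the 12 bytes a Low-IL label occupies */
    for (int i = 0; i < len; i++) printf(" %02x", raw[i]);
    printf("\n");
    return 0;
}
```

The 12 bytes printed for the Low label are what a TOKEN_MANDATORY_LABEL's Label.Sid points at after SetTokenInformation(TokenIntegrityLevel); the only difference between the "S-1-16-1024" and "S-1-16-4096" strings in the question is the last four little-endian bytes.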
by EP_X0FF
Wed Jan 23, 2019 8:22 am
Forum: Tools/Software
Topic: Making ReactOS Great Again*, Part 1
Replies: 9
Views: 10490

Re: Making ReactOS Great Again*, Part 1

Post disapproved as off-topic. Currently your devs have only succeeded in what they presumably do better than anything else: adding "their copyrights" https://i.imgur.com/rXcwlAH.png https://i.imgur.com/7UbtY5t.png This one didn't even bother to fix the intentionally left bug in rocall, ofc he was ...