by EP_X0FF
Thu Mar 21, 2019 8:29 am
Forum: Newbie Questions
Topic: Detecting protected processes
Replies: 1
Views: 95

Re: Detecting protected processes

A "critical process" is a process that, upon unexpected termination, breaks into the kernel debugger if one is present, or simply causes a bugcheck with a "critical process terminated" message if no debugger is present. This is stored in the EPROCESS flags as the PS_PROCESS_FLAGS_BREAK_ON_TERMINATION value. You can query this val...
by EP_X0FF
Mon Mar 18, 2019 4:12 am
Forum: General Discussion
Topic: Global ATM Malware Wall
Replies: 1
Views: 191

Re: Global ATM Malware Wall

Looks cool, also I added a link to it here: List of Malware Sources
by EP_X0FF
Thu Mar 14, 2019 3:16 am
Forum: Reverse Engineering and Debugging
Topic: Injecting code to non-protected process. getting error loading dll.
Replies: 2
Views: 282

Re: Injecting code to non-protected process. getting error loading dll.

Look for these process mitigation policies.

ProcessSignaturePolicy
https://docs.microsoft.com/en-us/window ... ion_policy

AFAIR it is in the EPROCESS field MitigationFlagsValues.
by EP_X0FF
Wed Feb 27, 2019 2:22 pm
Forum: Malware
Topic: Ransom/AveMaria
Replies: 0
Views: 351

Ransom/AveMaria

https://www.zdnet.de/88351787/malware-ave_maria-nutzt-unegepatchte-sicherheitsluecken-zur-rechteausweitung/ https://securityaffairs.co/wordpress/79757/malware/the-ave_maria-malware.html Primitive copy-paste ransomware. VT https://www.virustotal.com/en/file/0cc95d376267ae78c309fd5f60f3083670b1c2616b...
by EP_X0FF
Sat Feb 23, 2019 2:02 am
Forum: Newbie Questions
Topic: Question about WinObjEx output
Replies: 1
Views: 246

Re: Question about WinObjEx output

It means what is written: the IRP handler of an object located in one module is set to a handler in another module.
by EP_X0FF
Sun Jan 27, 2019 2:40 pm
Forum: Kernel-Mode Development
Topic: How several antivirus software developers are able to write in SSDT/SSSDT tables on Windows x64?
Replies: 4
Views: 1397

Re: How several antivirus software developers are able to write in SSDT/SSSDT tables on Windows x64?

PatchGuard in Win7 doesn't check some areas. As far as I remember, inline hooking of the win32k table was used by Sandboxie before. Microsoft closed this in Win8. http://www.kernelmode.info/forum/viewtopic.php?f=14&t=2416 As for your links: 1) https://stackoverflow.com/questions/20552300/hook-zwterminate...
by EP_X0FF
Fri Jan 25, 2019 2:41 pm
Forum: User-Mode Development
Topic: How to emulate LOW IL ?
Replies: 6
Views: 1854

Re: How to emulate LOW IL ?

EP_X0FF, thank you, your code works well. I have one question, only for my own education. Microsoft says that the Low SID is "S-1-16-1024"; but in the book "Writing Secure Code for Windows Vista" (Howard, LeBlanc) there is another string for the low ID: "S-1-16-4096". Why, and which one is right? That is...
by EP_X0FF
Fri Jan 25, 2019 4:06 am
Forum: User-Mode Development
Topic: How to emulate LOW IL ?
Replies: 6
Views: 1854

Re: How to emulate LOW IL ?

Heh, well, pretty much what you could expect from MSDN Microsoft code, isn't it? Try this instead. BOOL Exec( _In_ LPWSTR lpszCommandLine, _In_ LPWSTR lpszDirectory, _In_ DWORD dwSubAuthority, _In_ BOOL WaitForExit ) { BOOL cond = FALSE; BOOL bResult = FALSE; HANDLE hToken = NULL, hNewToken = NULL; S...
by EP_X0FF
Wed Jan 23, 2019 8:22 am
Forum: Tools/Software
Topic: Making ReactOS Great Again*, Part 1
Replies: 9
Views: 10834

Re: Making ReactOS Great Again*, Part 1

Post disapproved as offtopic. Currently your devs have only succeeded in what they presumably do better than anything else: in adding "their copyrights" https://i.imgur.com/rXcwlAH.png https://i.imgur.com/7UbtY5t.png This one didn't even bother to fix the intentionally left bug in rocall, ofc he was ...