A forum for reverse engineering, OS internals and malware analysis 


Re: shared section trick

 by GamingMasteR ¦  Mon Apr 29, 2013 7:32 am ¦  Forum: User-Mode Development ¦  Topic: shared section trick ¦  Replies: 9 ¦  Views: 13482

File ID is filesystem but not OS specific, and it's supported in NTFS only.

Re: Syrian embassy malware

 by GamingMasteR ¦  Fri Nov 30, 2012 3:51 pm ¦  Forum: Malware ¦  Topic: Syrian embassy malware ¦  Replies: 6 ¦  Views: 4805

Great :)
Also, the one I grabbed was using the Unicode U+202e trick to fool the user: it looks like a PDF document while it's an executable screensaver (fooled me the 1st time :D ):

http://www.kernelmode.info/forum/viewto ... f=16&t=471

Syrian embassy malware

 by GamingMasteR ¦  Fri Nov 30, 2012 10:01 am ¦  Forum: Malware ¦  Topic: Syrian embassy malware ¦  Replies: 6 ¦  Views: 4805

Hello,

In attachments is a file that looks like malware that was sent by one Syrian embassy to others, asking the receiver to just open it :)

Re: Rename NTFS alternate stream

 by GamingMasteR ¦  Wed May 09, 2012 11:17 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Rename NTFS alternate stream ¦  Replies: 2 ¦  Views: 2490

AFAIK, no!

But you can still copy/delete existing stream with different name.

Re: Pointer dereferenced when passed to KM

 by GamingMasteR ¦  Tue May 08, 2012 7:30 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Pointer dereferenced when passed to KM ¦  Replies: 12 ¦  Views: 8314

Pointer misuse :D

Re: Question IA32e context switch

 by GamingMasteR ¦  Sun May 06, 2012 6:36 am ¦  Forum: Newbie Questions ¦  Topic: Question IA32e context switch ¦  Replies: 3 ¦  Views: 5002

AFAIK, PCR is stored in MSR.MSR_GS_BASE and TEB is stored in MSR.MSR_GS_SWAP and during context switch GS and FS are reloaded to specific values if changed.

Re: Pointer dereferenced when passed to KM

 by GamingMasteR ¦  Fri May 04, 2012 3:17 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Pointer dereferenced when passed to KM ¦  Replies: 12 ¦  Views: 8314

I think what Vrtule meant by "deep copy" is that the IO manager will only copy the passed structure but not the buffer it points to; try including the APINAME/MODULENAME buffers inside API_HOOK_SSDT instead of pointing to them.

Re: [Kernel] Memory dumper / Forensics tools

 by GamingMasteR ¦  Thu May 03, 2012 3:27 pm ¦  Forum: Kernel-Mode Development ¦  Topic: [Kernel] Memory dumper / Forensics tools ¦  Replies: 10 ¦  Views: 14080

MmGetPhysicalMemoryRanges was first documented by Mark Russinovich here:
http://blogs.technet.com/b/sysinternals ... 52896.aspx

Also note that it doesn't count page number 0 in that array, so you must add it to your pages list :)

Re: [Kernel] Memory dumper / Forensics tools

 by GamingMasteR ¦  Thu May 03, 2012 3:24 pm ¦  Forum: Kernel-Mode Development ¦  Topic: [Kernel] Memory dumper / Forensics tools ¦  Replies: 10 ¦  Views: 14080

Well, the main problem is that walking through physical memory from page 0 to NumberOfPhysicalPages will count some memory portions reserved for other hardware devices; this will usually corrupt and crash the system. You will notice that if you test the code on an x64 system with RAM > 4GB. The most stable m...

Re: [Kernel] Memory dumper / Forensics tools

 by GamingMasteR ¦  Wed May 02, 2012 3:23 pm ¦  Forum: Kernel-Mode Development ¦  Topic: [Kernel] Memory dumper / Forensics tools ¦  Replies: 10 ¦  Views: 14080

Ms-Rem code will BSOD in some cases.
