Search found 124 matches

by GamingMasteR
Mon Apr 29, 2013 7:32 am
Forum: User-Mode Development
Topic: shared section trick
Replies: 9
Views: 13254

Re: shared section trick

File ID is filesystem but not OS specific, and it's supported in NTFS only.
by GamingMasteR
Fri Nov 30, 2012 3:51 pm
Forum: Malware
Topic: Syrian embassy malware
Replies: 6
Views: 4709

Re: Syrian embassy malware

Great :)
Also, the one I grabbed was using the Unicode U+202e trick to fool the user; it looks like a PDF document while it's actually an executable screensaver (fooled me the 1st time :D ):

http://www.kernelmode.info/forum/viewto ... f=16&t=471
by GamingMasteR
Fri Nov 30, 2012 10:01 am
Forum: Malware
Topic: Syrian embassy malware
Replies: 6
Views: 4709

Syrian embassy malware

Hello,

Attached is a file that looks like malware; it was sent by one Syrian embassy to others, asking the receiver to just open it :)
by GamingMasteR
Wed May 09, 2012 11:17 pm
Forum: Kernel-Mode Development
Topic: Rename NTFS alternate stream
Replies: 2
Views: 2420

Re: Rename NTFS alternate stream

AFAIK, no!

But you can still copy/delete existing stream with different name.
by GamingMasteR
Sun May 06, 2012 6:36 am
Forum: Newbie Questions
Topic: Question IA32e context switch
Replies: 3
Views: 4936

Re: Question IA32e context switch

AFAIK, PCR is stored in MSR.MSR_GS_BASE and TEB is stored in MSR.MSR_GS_SWAP and during context switch GS and FS are reloaded to specific values if changed.
by GamingMasteR
Fri May 04, 2012 3:17 pm
Forum: Kernel-Mode Development
Topic: Pointer dereferenced when passed to KM
Replies: 12
Views: 8152

Re: Pointer dereferenced when passed to KM

I think what Vrtule meant by "deep copy" is that the IO manager will only copy the passed structure, not the buffer it points to; try including the APINAME/MODULENAME buffers inside API_HOOK_SSDT instead of pointing to them.
by GamingMasteR
Thu May 03, 2012 3:27 pm
Forum: Kernel-Mode Development
Topic: [Kernel] Memory dumper / Forensics tools
Replies: 10
Views: 13684

Re: [Kernel] Memory dumper / Forensics tools

MmGetPhysicalMemoryRanges was first documented by Mark Russinovich here:
http://blogs.technet.com/b/sysinternals ... 52896.aspx

Also note that it doesn't count page number 0 in that array so you must add it to your pages list :)
by GamingMasteR
Thu May 03, 2012 3:24 pm
Forum: Kernel-Mode Development
Topic: [Kernel] Memory dumper / Forensics tools
Replies: 10
Views: 13684

Re: [Kernel] Memory dumper / Forensics tools

Well, the main problem is that walking through physical memory from page 0 to NumberOfPhysicalPages will include some memory regions reserved for other hardware devices; this will usually corrupt and crash the system. You will notice that if you test the code on an x64 system with RAM > 4GB. The most stable m...
by GamingMasteR
Wed May 02, 2012 3:23 pm
Forum: Kernel-Mode Development
Topic: [Kernel] Memory dumper / Forensics tools
Replies: 10
Views: 13684

Re: [Kernel] Memory dumper / Forensics tools

Ms-Rem code will BSOD in some cases.