Hi all, I am playing with Event Tracing for Windows (ETW) to trace some kernel events such as file, disk I/O and network activity. ( https://msdn.microsoft.com/fr-fr/library/windows/desktop/bb968803(v=vs.85).aspx ) I have no problem getting real-time events from userland, but I am trying to achieve reboot persistence and tr...
I forgot Ivanlef0u's blog... Really nice resources in there.
Gabben, can you tell me more about that app? Did you try to hook SwapContext to avoid TLB flushing?
Here is an interesting thread on the subject:
http://www.rootkit.com/board.php?did=pr ... 0&lastx=15
Where are you Bugcheck... I miss you!! ;)
"Why don't you give it a go and try it?"
In fact I have been doing so for 2 weeks, and it seems to work fine with just some minor modifications. I was wondering whether there was something I couldn't see that would need a major rewrite to be SMP compatible. Looks like I was wrong.
Hi DBS,
"When writing to usermode memory in order to delete the DLL entries from the Ldr lists, he simply delays all interrupts with CLI on the current CPU, which is unsafe for multiprocessor systems."
Yes... I noticed this point. In fact I'm not interested at all in this part. The only interesting par...
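To make the point quoted above concrete, here is a small added model (not code from Tron, Shadow Walker or this thread) of why CLI is not enough on SMP. Unlinking an entry from a doubly linked list such as the Ldr module lists takes two pointer stores, and between them a reader walking the list forwards and backwards sees different things. CLI only masks interrupts on the CPU that executes it, so a reader on another processor can still run in that window; a lock that both sides take (in the kernel that would be a spin lock, e.g. KeAcquireSpinLock, which also raises IRQL) closes it. The list contents, the step numbering and the `PROTECT_*` names are constructed for this example.

```c
#include <stdio.h>
#include <stdbool.h>

/* Minimal stand-in for a LIST_ENTRY-linked module record. */
typedef struct entry {
    struct entry *Flink;
    struct entry *Blink;
    const char *name;
} entry;

/* Constructed list: head <-> A <-> B <-> C <-> head (circular, like the Ldr lists). */
static void build_list(entry *head, entry *a, entry *b, entry *c)
{
    head->name = "head"; a->name = "A"; b->name = "B"; c->name = "C";
    head->Flink = a; a->Blink = head;
    a->Flink = b;    b->Blink = a;
    b->Flink = c;    c->Blink = b;
    c->Flink = head; head->Blink = c;
}

/* The unlink is two stores. step 0: nothing done, 1: only prev->Flink
 * updated (list is inconsistent), 2: both stores done. */
static void apply_unlink(entry *victim, int step)
{
    if (step >= 1) victim->Blink->Flink = victim->Flink;
    if (step >= 2) victim->Flink->Blink = victim->Blink;
}

/* A reader's view: the forward and backward walks must agree on the node count. */
static bool view_consistent(const entry *head)
{
    int fwd = 0, bwd = 0;
    for (const entry *e = head->Flink; e != head; e = e->Flink) fwd++;
    for (const entry *e = head->Blink; e != head; e = e->Blink) bwd++;
    return fwd == bwd;
}

enum protection {
    PROTECT_CLI,      /* unlinker masks interrupts on its own CPU only */
    PROTECT_SPINLOCK  /* unlinker and every reader take the same lock */
};

/* Can a reader run while the unlink is at 'step'? Quiescent points (0 and 2)
 * are always observable; the question is the intermediate step. */
static bool reader_can_observe(enum protection p, bool reader_on_other_cpu, int step)
{
    if (step != 1) return true;
    switch (p) {
    case PROTECT_CLI:
        /* CLI stops interrupts (and thus preemption) on this CPU only;
         * a reader already running on another CPU is unaffected. */
        return reader_on_other_cpu;
    case PROTECT_SPINLOCK:
        /* The reader blocks on the lock the unlinker holds across both stores. */
        return false;
    }
    return true;
}

/* Number of unlink steps at which a reader could observe an inconsistent list. */
int count_inconsistent_views(enum protection p, bool reader_on_other_cpu)
{
    int bad = 0;
    for (int step = 0; step <= 2; step++) {
        if (!reader_can_observe(p, reader_on_other_cpu, step)) continue;
        entry head, a, b, c;
        build_list(&head, &a, &b, &c);
        apply_unlink(&b, step);      /* hide module B */
        if (!view_consistent(&head)) bad++;
    }
    return bad;
}

int main(void)
{
    printf("CLI, reader on same CPU : %d bad view(s)\n", count_inconsistent_views(PROTECT_CLI, false));
    printf("CLI, reader on other CPU: %d bad view(s)\n", count_inconsistent_views(PROTECT_CLI, true));
    printf("spinlock, other CPU     : %d bad view(s)\n", count_inconsistent_views(PROTECT_SPINLOCK, true));
    return 0;
}
```

The lock model only holds for readers you control: code on another processor that walks these lists without taking your lock (the user-mode loader, for instance) is not covered, which is why SMP-safe variants either stall the other processors for the duration of the write (an IPI-based approach) or avoid the in-place unlink altogether.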
Hi Alex, You can find the source and the slides here: http://www.openrce.org/downloads/details/234/ It is in fact an improvement of the "Shadow Walker" rootkit. ( http://www.blackhat.com/presentations/bh-jp-05/bh-jp-05-sparks-butler.pdf ) One of the known issues with this technique is that it does not support SMP syst...
I'm currently studying Tron's code... I'm not sure I understand why this technique can't be used on SMP systems without a major rewrite.
Can someone give me more information about this issue?