A forum for reverse engineering, OS internals and malware analysis 

Search found 4 matches

 Go to advanced search

Question about WinObjEx output

 by gandolf ¦  Wed Feb 20, 2019 3:20 pm ¦  Forum: Newbie Questions ¦  Topic: Question about WinObjEx output ¦  Replies: 1 ¦  Views: 388

Hello what does the output "Hooked by Wdf01000" mean when looking at the Major Functions in a driver in WinObjEx? I know that if it is "nt!IopInvalidDeviceRequest" the I/O request function isnt implemented, but what does the former mean? I assume the same thing as WDF is just the Windows Driver Fram...

Re: Detecting Physical Memory Mapping

 by gandolf ¦  Thu Jan 24, 2019 3:19 am ¦  Forum: Kernel-Mode Development ¦  Topic: Detecting Physical Memory Mapping ¦  Replies: 1 ¦  Views: 1050

VADs are only used to track usermode memory allocations. This code seems to be in kernel mode, if you are also somehow in kernel you could use MDL to request a copy of the physical pages backing the virtual address returned by the ZwMapViewOfSection call.

Re: Win32/Nivdort

 by gandolf ¦  Tue Aug 04, 2015 10:12 pm ¦  Forum: Malware ¦  Topic: Win32/Nivdort ¦  Replies: 6 ¦  Views: 13637

Like you, I also get confused with the nomenclature used for this malware and I did some work on it as well past week or so. It has a DGA algorithm it uses to contact the CnC servers. Another interesting thing some samples I've analyzed do is drop several dropped payloads, some which seem to indicat...

A Discussion on Malware Evolution

 by gandolf ¦  Mon Nov 17, 2014 7:35 pm ¦  Forum: Malware ¦  Topic: A Discussion on Malware Evolution ¦  Replies: 0 ¦  Views: 3155

Hey all, I'm working on a research project and would like to open a discussion that helps me in my research. I'd like to know some of the malwares that have evolved into targeting multiple platforms. For instance, some known Linux or Windows malware families that have been written to target other pl...