A forum for reverse engineering, OS internals and malware analysis 


Re: Some code doesn't works with SYSTEM priv.

 by Vrtule ¦  Sat Mar 23, 2019 11:35 pm ¦  Forum: Newbie Questions ¦  Topic: Some code doesn't works with SYSTEM priv. ¦  Replies: 4 ¦  Views: 250

As far as I know, network drives are local to the user that connects them, meaning they are not (directly) visible to other users. That also implies a network drive, e.g. Q:, can be mapped to place A for user X and to place B for user Y.

Re: Help installing w10 driver to w8.1

 by Vrtule ¦  Thu Mar 14, 2019 10:07 am ¦  Forum: Newbie Questions ¦  Topic: Help installing w10 driver to w8.1 ¦  Replies: 1 ¦  Views: 278

Hello, changing INF files will not help you since they are usually protected by a digital signature (stored in a file with .cat extension). Your change invalidates the signature, thus Windows refuses to load such a driver. On my laptop, I managed to install a Windows 8 driver on Windows 8.1, however,...

Re: driver without an object

 by Vrtule ¦  Sat Feb 23, 2019 1:04 pm ¦  Forum: Newbie Questions ¦  Topic: driver without an object ¦  Replies: 2 ¦  Views: 354

Hello, 1 - is there any kind of IAT hooking example for kernel mode, because I haven't seen any examples over the internet. Well, drivers are stored as PE files, so IAT hooking should work the same way as in usermode. 2 - how could I pass IOCTL codes back and forth to my usermode app without crea...

Re: How to emulate LOW IL ?

 by Vrtule ¦  Fri Jan 25, 2019 10:13 pm ¦  Forum: User-Mode Development ¦  Topic: How to emulate LOW IL ? ¦  Replies: 6 ¦  Views: 1905

I have one question, only for my own education. Microsoft tells that the Low SID is "S-1-16-1024"; Yes, it is S-1-16-4096. SIDs beginning with S-1-16- are used for mandatory integrity levels. The higher the third number, the higher the integrity level is. Actually (and just for the sake of curio...

Re: How i can use one Asm code to x86 and x64?

 by Vrtule ¦  Wed Nov 14, 2018 12:18 pm ¦  Forum: Newbie Questions ¦  Topic: How i can use one Asm code to x86 and x64? ¦  Replies: 3 ¦  Views: 1860

You can write two ASM procedures: one for 32-bit and one for 64-bit platform, and use preprocessor macros (ifdefs) to compile only the procedure appropriate to the selected target.

Re: cpu/gpu contents

 by Vrtule ¦  Sun Oct 14, 2018 8:28 pm ¦  Forum: Newbie Questions ¦  Topic: cpu/gpu contents ¦  Replies: 1 ¦  Views: 1237

Hello, Is there any equivalent of this function for gpus? For NVIDIA, you may use cudaGetDeviceCount and cudaGetDeviceProperties to get information about all CUDA-capable graphics cards installed. See this https://stackoverflow.com/questions/5689028/how-to-get-card-specs-programatically-in-cuda Sinc...

Re: PG check

 by Vrtule ¦  Mon Sep 17, 2018 9:52 pm ¦  Forum: Kernel-Mode Development ¦  Topic: PG check ¦  Replies: 4 ¦  Views: 3072

PG is not in effect if the system runs in Debug mode and a kernel debugger is attached to it (I am not sure whether the Debug mode alone is sufficient).

Re: Windows Kernel Driver Signing issue (WFP/Inspect)

 by Vrtule ¦  Mon Aug 27, 2018 8:22 pm ¦  Forum: Newbie Questions ¦  Topic: Windows Kernel Driver Signing issue (WFP/Inspect) ¦  Replies: 1 ¦  Views: 1961

IIRC you need to do the following:

1) enable Test Signing (bcdedit /set testsigning on),
2) insert the certificate used to test sign the driver into Trusted Root Certificate Authorities,
3) reboot.

I am not sure whether you also need to turn the Secure Boot off.

The error's code number I'm getting is 0x5 which is "Access is denied."
Which function call produces this error?

If I am reading your code correctly, you are resolving imports based on libraries loaded into your process, not the target one. Due to ASLR or a collision of base addresses of multiple DLLs, user32.dll may be placed at a different virtual address in the target process.
