A forum for reverse engineering, OS internals and malware analysis 

Search found 452 matches


Re: IRPMon: An improved version of IrpTracker

 by Vrtule ¦  Sat Jun 22, 2019 2:53 pm ¦  Forum: Tools/Software ¦  Topic: IRPMon: An improved version of IrpTracker ¦  Replies: 3 ¦  Views: 16404

Well, after a looong time, I decided to release version 0.9. This is a beta version but should be quite stable (I used it during some research and all went well). The drivers are signed with my latest certificate which means that they should load correctly unless you have Secure Boot enabled. Unfo...

Re: Some code doesn't works with SYSTEM priv.

 by Vrtule ¦  Sat Mar 23, 2019 11:35 pm ¦  Forum: Newbie Questions ¦  Topic: Some code doesn't works with SYSTEM priv. ¦  Replies: 4 ¦  Views: 433

As far as I know, network drives are local to the user that connects them, meaning they are not (directly) visible to other users. That also implies a network drive, e.g. Q:, can be mapped to place A for user X and to place B for user Y.

Re: Help installing w10 driver to w8.1

 by Vrtule ¦  Thu Mar 14, 2019 10:07 am ¦  Forum: Newbie Questions ¦  Topic: Help installing w10 driver to w8.1 ¦  Replies: 1 ¦  Views: 472

Hello, changing INF files will not help you since they are usually protected by a digital signature (stored in a file with .cat extension). Your change invalidates the signature, thus Windows refuses to load such a driver. On my laptop, I managed to install a Windows 8 driver on Windows 8.1, however,...

Re: driver without an object

 by Vrtule ¦  Sat Feb 23, 2019 1:04 pm ¦  Forum: Newbie Questions ¦  Topic: driver without an object ¦  Replies: 2 ¦  Views: 475

Hello, 1 - is there any kind of IAT hooking example for kernel mode, because I haven't seen any examples over the internet. Well, drivers are stored as PE files, so IAT hooking should work the same way as in usermode. 2 - how could I pass an IOCTL code back and forth to my usermode app without crea...

Re: How to emulate LOW IL ?

 by Vrtule ¦  Fri Jan 25, 2019 10:13 pm ¦  Forum: User-Mode Development ¦  Topic: How to emulate LOW IL ? ¦  Replies: 6 ¦  Views: 2055

I have one question, only for my own education. Microsoft tells that the Low SID is "S-1-16-1024"; Yes, it is S-1-16-4096. SIDs beginning with S-1-16- are used for mandatory integrity levels. The higher the third number, the higher the integrity level is. Actually (and just for the sake of curio...

Re: How i can use one Asm code to x86 and x64?

 by Vrtule ¦  Wed Nov 14, 2018 12:18 pm ¦  Forum: Newbie Questions ¦  Topic: How i can use one Asm code to x86 and x64? ¦  Replies: 3 ¦  Views: 2008

You can write two ASM procedures: one for 32-bit and one for 64-bit platform, and use preprocessor macros (ifdefs) to compile only the procedure appropriate to the selected target.

Re: cpu/gpu contents

 by Vrtule ¦  Sun Oct 14, 2018 8:28 pm ¦  Forum: Newbie Questions ¦  Topic: cpu/gpu contents ¦  Replies: 1 ¦  Views: 1353

Hello, Is there any equivalent of this function for gpus? For NVIDIA, you may use cudaGetDeviceCount and cudaGetDeviceProperties to get information about all CUDA-capable graphics cards installed. See this https://stackoverflow.com/questions/5689028/how-to-get-card-specs-programatically-in-cuda Sinc...

Re: PG check

 by Vrtule ¦  Mon Sep 17, 2018 9:52 pm ¦  Forum: Kernel-Mode Development ¦  Topic: PG check ¦  Replies: 4 ¦  Views: 3231

PG is not in effect if the system runs in Debug mode and a kernel debugger is attached to it (I am not sure whether the Debug mode alone is sufficient).

Re: Windows Kernel Driver Signing issue (WFP/Inspect)

 by Vrtule ¦  Mon Aug 27, 2018 8:22 pm ¦  Forum: Newbie Questions ¦  Topic: Windows Kernel Driver Signing issue (WFP/Inspect) ¦  Replies: 1 ¦  Views: 2034

IIRC you need to do the following:

1) enable Test Signing (bcdedit /set testsigning on),
2) insert the certificate used to test sign the driver into Trusted Root Certificate Authorities,
3) reboot.

I am not sure whether you also need to turn the Secure Boot off.

The error's code number I'm getting is 0x5 which is "Access is denied."
Which function call produces this error?
