Search found 13 matches

by TurlaBoy
Fri Feb 06, 2015 5:45 am
Forum: Newbie Questions
Topic: Malware Families Using Raw Syscalls
Replies: 21
Views: 26936

Re: Malware Families Using Raw Syscalls

Calling syscalls directly (using sysenter/syscall) is the most effective way to bypass any sandbox implementations in ring3 (useless pieces of crap); both PsSetCreateThreadNotifyRoutine/ObRegisterCallbacks can be bypassed by poisoning a single variable in kernel .data. This means 2 things: first, 99.9...
by TurlaBoy
Mon Dec 22, 2014 10:43 am
Forum: Tools/Software
Topic: UACMe - Defeating Windows User Account Control
Replies: 136
Views: 439314

Re: UACMe - Defeating Windows User Account Control

It would be interesting to look at what prevented my demo from working on Windows 8+. MS answers your question by direct message in the w8+ sysprep.exe manifest. </asmv3:application> <!-- Specifically load these DLLs from the specified path. This is done as a defence-in-depth approach to closing ...
by TurlaBoy
Mon Dec 01, 2014 11:04 am
Forum: Kernel-Mode Development
Topic: Patchguard 8.1
Replies: 4
Views: 6506

Re: Patchguard 8.1

Hello Andrea, thanks for sharing this. It's a nice read. Unfortunately, I cannot find any information about what exactly PatchGuard protects on newer versions of Windows (Windows 8+ especially). I am interested mainly in protected data structures (processes, driver objects etc.). Hey Andrea, Nic...
by TurlaBoy
Sun Nov 30, 2014 1:22 pm
Forum: Kernel-Mode Development
Topic: Patchguard 8.1
Replies: 4
Views: 6506

Re: Patchguard 8.1

Hey Andrea,

Nice job, have you done some research you'd like to share about Windows 10 PG?
by TurlaBoy
Tue Oct 21, 2014 2:43 pm
Forum: Newbie Questions
Topic: Writing from kernelmode
Replies: 4
Views: 5779

Re: Writing from kernelmode

Hello, 1) KeStackAttachProcess allows you to attach "recursively"; you do not need to detach before doing another attach, however, you still must perform a detach for any attach you did before. It works like a stack, which is why the routine got its name. 2) AFAIK it also swaps certain APC-related ...
by TurlaBoy
Tue Oct 21, 2014 1:52 pm
Forum: Newbie Questions
Topic: Writing from kernelmode
Replies: 4
Views: 5779

Writing from kernelmode

Hello kernelmode, I've been using the KeAttachProcess function to attach to the target process's address space. It works nicely when I need to read from the process memory, and when I try to write to ntdll.dll (CR0 WP disabled) after overwriting, then I restore CR0 WP and use KeDetachProcess to detach from t...
by TurlaBoy
Sat Oct 04, 2014 6:10 am
Forum: Tools/Software
Topic: [2017-11-05]ARK for Windows X64: WIN64AST(Page10#96)
Replies: 98
Views: 348075

Re: [2014-06-15]ARK for Windows x64: WIN64AST(Page7#69)

Nice ARK,

You should consider adding advanced->read/write to make it able to read/write device driver memory, and add a physical memory option as well.
by TurlaBoy
Wed Sep 10, 2014 4:48 am
Forum: Kernel-Mode Development
Topic: Unloaded Image Notification?
Replies: 10
Views: 11037

Re: Unloaded Image Notification?

Both loadimage and unloadimage notifications are useless from a security perspective, since the whole thing can be implemented manually in usermode.
by TurlaBoy
Mon Aug 25, 2014 10:49 pm
Forum: Newbie Questions
Topic: Windows 8.1 UAC Bypass
Replies: 8
Views: 10355

Re: Windows 8.1 UAC Bypass

If you want to bypass the UAC window then hook/overwrite RtlQueryElevationFlags and return 0 in flags. I believe if I do this the process is not elevated. I've just found out the solution for my problem: the win8.1 PE loader works a little bit differently, I've changed a couple of things in my dll and it worked...
by TurlaBoy
Sun Aug 24, 2014 4:18 pm
Forum: Newbie Questions
Topic: Windows 8.1 UAC Bypass
Replies: 8
Views: 10355

Re: Windows 8.1 UAC Bypass

And why do you need this? Because my reversing skills are quite limited, I do not understand why the autoelevated.exe exits with the 0xc000007b error, because my.dll is successfully mmapped in memory, but it looks like dllentrypoint is not called http://msdn.microsoft.com/en-us/library/cc704588.aspx 0xC...