A forum for reverse engineering, OS internals and malware analysis 

Search found 129 matches


What is the related CVE of this bug?

 by R00tKit ¦  Sun Oct 04, 2015 6:56 am ¦  Forum: Reverse Engineering and Debugging ¦  Topic: What is the related CVE of this bug? ¦  Replies: 1 ¦  Views: 8365

Hi, I just found this bug independently, and it was fixed in the last Windows update! I don't know the related CVE. For testing, run this code on a fresh Windows without the update. Exploiting this bug is so simple: just allocate a fake Window (tagWND) object, or other methods, ... Anyone know the CVE of this bug? https://g...

Re: MS15-061

 by R00tKit ¦  Sun Sep 20, 2015 6:47 pm ¦  Forum: Kernel-Mode Development ¦  Topic: MS15-061 ¦  Replies: 4 ¦  Views: 5485

P.S. I don't know why you put assembly here where it is not needed at all. Yes, I think just for __asm { mov eax, 116Dh mov edx, 7FFE0300h call dword ptr [edx] retn 8 } and __asm { mov ax, cs mov um, ax } if(um == 0x1b) { // USER MODE } else { success=TRUE; DebugBreak(); Shellcode(); } needed asm co...

Re: MS15-061

 by R00tKit ¦  Sun Sep 20, 2015 1:33 pm ¦  Forum: Kernel-Mode Development ¦  Topic: MS15-061 ¦  Replies: 4 ¦  Views: 5485

This is a use-after-free bug in the Win32k.sys driver. Calling SetClassLongPtr in user mode causes kernel mode to call a user-mode callback in the PEB. I hooked this callback and freed the window object inside it, then reallocated the heap with a fake buffer, .... This is not a fully weaponized exploit, just a PoC, and it worked on my OS.

MS15-061

 by R00tKit ¦  Sun Sep 20, 2015 4:04 am ¦  Forum: Kernel-Mode Development ¦  Topic: MS15-061 ¦  Replies: 4 ¦  Views: 5485

Re: UACMe - Defeating Windows User Account Control

 by R00tKit ¦  Sun Mar 29, 2015 6:51 am ¦  Forum: Tools/Software ¦  Topic: UACMe - Defeating Windows User Account Control ¦  Replies: 136 ¦  Views: 441462

infDefault.exe bypasses UAC
when UAC is on.
With InfDefaultInstall.exe we can install any service in the registry and copy a file to a privileged path without any alert or UAC prompt.
I shared this method with @EP_X0FF in PM and it works in 7 and 8, but I can't check 10.

Re: Articles

 by R00tKit ¦  Tue Jun 24, 2014 10:53 am ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Articles ¦  Replies: 33 ¦  Views: 113468

Re: AV SP Discussion & Bypass

 by R00tKit ¦  Mon Mar 10, 2014 3:32 pm ¦  Forum: User-Mode Development ¦  Topic: AV SP Discussion & Bypass ¦  Replies: 121 ¦  Views: 222518

Second method: get the file ID of the Dr.Web sys file in the drivers path and open the file by file ID with OPEN_EXISTING + TRUNCATE_EXISTING. After this the sys file will be truncated; after reboot, no AV :D :mrgreen: For Norton 2014 I found this also -> set Image File Execution Options for NIS.exe -> after reboot no AV :D :mrg...

Re: AV SP Discussion & Bypass

 by R00tKit ¦  Mon Mar 10, 2014 9:09 am ¦  Forum: User-Mode Development ¦  Topic: AV SP Discussion & Bypass ¦  Replies: 121 ¦  Views: 222518

Hi, I found 2 (sharing one now) new vulnerabilities in Dr.Web Self Protection: 1) remove reg keys: reg save HKLM\SYSTEM\CurrentControlSet\serviceMPTRAP hive.hiv reg restore HKLM\SYSTEM\CurrentControlSet\services\SpiderG3 hive.hiv With this we can replace the fake key with the Dr.Web key and Dr.Web will prote...

jevereg Sandbox

 by R00tKit ¦  Mon Feb 10, 2014 12:58 pm ¦  Forum: Tools/Software ¦  Topic: jevereg Sandbox ¦  Replies: 4 ¦  Views: 8597

Re: Articles

 by R00tKit ¦  Fri Jan 17, 2014 12:17 pm ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Articles ¦  Replies: 33 ¦  Views: 113468