A forum for reverse engineering, OS internals and malware analysis 

Search found 80 matches


Re: Physical memory and page manipulation help

by r2nwcnydc ¦  Sat Jan 03, 2015 1:03 am ¦  Forum: Newbie Questions ¦  Topic: Physical memory and page manipulation help ¦  Replies: 6 ¦  Views: 6716

How are you trying to read the memory? Virtual memory is per process. So if you are in a process context that is different from notepad.exe, you'd first need to switch to that process' context. Once you've done that you cannot guarantee that memory will always be paged in, so you have to force the m...

Re: Looking for undocumented flags for process creation

 by r2nwcnydc ¦  Tue Oct 08, 2013 11:38 am ¦  Forum: Newbie Questions ¦  Topic: Looking for undocumented flags for process creation ¦  Replies: 5 ¦  Views: 6683

It means the process is created with normal priority class; NORMAL_PRIORITY_CLASS. From winbase.h:

    //
    // dwCreationFlag values
    //
    #define DEBUG_PROCESS             0x00000001
    #define DEBUG_ONLY_THIS_PROCESS   0x00000002
    #define CREATE_SUSPENDED          0x00000004
    #define DETACHED_PROCESS          0x00000008
    #define CREATE_NEW_CON...

Re: Dropper altering ScanWithAntivirus policy key

 by r2nwcnydc ¦  Mon Sep 09, 2013 2:38 pm ¦  Forum: Completed Malware Requests ¦  Topic: Dropper altering ScanWithAntivirus policy key ¦  Replies: 1 ¦  Views: 1863

Here you go.

Re: Trojan-FakeAV.Win32.Agent.sio, Trojan-Ransom.Win32.Block

 by r2nwcnydc ¦  Tue Jun 25, 2013 7:46 pm ¦  Forum: Malware ¦  Topic: Rogue Antimalware (FakeAV, 2013 year) ¦  Replies: 142 ¦  Views: 220469

Here you go.

Re: Accessing EPROCESS Structure on x64 systems

 by r2nwcnydc ¦  Sun May 19, 2013 10:19 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Accessing EPROCESS Structure on x64 systems ¦  Replies: 10 ¦  Views: 11932

You are casting the pointer to an INT then using the value as a pointer again. On 32 bit this is fine, because the pointer is 32 bits long (same as an INT), but on 64 bit it is not. You lose the upper 32 bits of the pointer, and you may even convert the upper 32 bits to 0xffffffff when you convert back...

Re: shared section trick

 by r2nwcnydc ¦  Tue Apr 23, 2013 4:06 pm ¦  Forum: User-Mode Development ¦  Topic: shared section trick ¦  Replies: 9 ¦  Views: 13393

The best I could find is that MiFindImageSectionObject is used to determine if the image is already mapped into memory. Page 111: "Moving on, MiFindImageSectionObject is now called to check if the file has already been Memory Mapped into a Section Object." It looks like in the _FILE_OBJECT there is a member...

Re: shared section trick

 by r2nwcnydc ¦  Tue Apr 23, 2013 8:32 am ¦  Forum: User-Mode Development ¦  Topic: shared section trick ¦  Replies: 9 ¦  Views: 13393

"How does Windows know this section is already created, so it must just re-map the section in the new program?"

It does this the same way it does for the Windows DLLs. 0x10000000: This section is shareable. When used with a DLL, the data in this section will be shared among all processes using the DLL. The default ...

Re: Perkele Lite android malware sample request

 by r2nwcnydc ¦  Sun Apr 07, 2013 12:45 am ¦  Forum: Malware ¦  Topic: Android Malware(All Android malware goes here) ¦  Replies: 105 ¦  Views: 193489

Here you go.

Re: Sample request

 by r2nwcnydc ¦  Fri Mar 29, 2013 6:05 pm ¦  Forum: Completed Malware Requests ¦  Topic: Sample request ¦  Replies: 2 ¦  Views: 2238

Here is the second sample Document.apk

Re: Sample request

 by r2nwcnydc ¦  Fri Mar 29, 2013 6:03 pm ¦  Forum: Completed Malware Requests ¦  Topic: Sample request ¦  Replies: 2 ¦  Views: 2238

Here you go.
