Search found 9 matches

by billbudsocket
Wed Feb 10, 2016 6:04 pm
Forum: Reverse Engineering and Debugging
Topic: Following a self-debugging process
Replies: 4
Views: 10976

Re: Following a self-debugging process

Trace the process execution with Pin, Panda, Qira, etc.
by billbudsocket
Wed Jan 06, 2016 12:41 pm
Forum: Newbie Questions
Topic: All possible ways to find loaded drivers
Replies: 9
Views: 10397

Re: All possible ways to find loaded drivers

This was already answered elsewhere, but driverquery uses a WMI query - 'select * from Win32_PnpSignedDriver where DeviceName != NULL'
by billbudsocket
Mon Jan 04, 2016 1:30 pm
Forum: Kernel-Mode Development
Topic: Alternatives to service method of loading driver
Replies: 5
Views: 8223

Re: Alternatives to service method of loading driver

MmLoadSystemImage can be reached without image name/path restrictions via NtSetSystemInformation/SystemHotpatchInformation. SeDebugPrivilege and SeLoadDriverPrivilege privs required.
by billbudsocket
Mon Dec 28, 2015 5:09 pm
Forum: Kernel-Mode Development
Topic: Meerkat 1.1 beta GUI for KmdKit4D
Replies: 2
Views: 8665

Re: Meerkat 1.1 beta GUI for KmdKit4D

See attached.
by billbudsocket
Tue Dec 08, 2015 7:07 pm
Forum: Completed Malware Requests
Topic: Sample of FireEye's BootKit?
Replies: 9
Views: 8307

Re: Sample of FireEye's BootKit?

I call bullshit. None of the 14 hashes from the report show up in VT.
by billbudsocket
Wed Nov 04, 2015 6:13 pm
Forum: User-Mode Development
Topic: Application Verifier Custom Providers
Replies: 12
Views: 42976

Re: Application Verifier Custom Providers

^--- This is correct. The code in the OP is not right, the hooks and thunks arrays need an empty entry, like so:

RTL_VERIFIER_THUNK_DESCRIPTOR VfProviderNtdllThunks [] = {
    {"RtlAllocateHeap", NULL, VfHookRtlAllocateHeap },
    {"RtlFreeHeap", NULL, VfHookRtlFreeHeap },
    {NULL,NULL,NULL}
};
RTL_VERIFIER_D...
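Added example, not code from the post or from the OP's provider: a minimal Application Verifier custom provider laid out the way the reply describes, with a terminating all-NULL entry in both the thunk table and the DLL table, plus a small check that reports whether a table is terminated within its own storage. The RTL_VERIFIER_* structure layouts, the VfCountThunks/VfCountDlls helpers and the VfUnterminatedThunks table (a constructed reproduction of the mistake the reply points out) are this example's own; no public SDK header ships these structures, so they are declared by hand. On a non-Windows host only the tables, hooks and checks are compiled; DllMain is Windows-only.

```c
/* Minimal Application Verifier provider DLL (added example, not the OP's code).
 * Build on Windows: cl /LD avrf_provider.c. The RTL_VERIFIER_* layouts below
 * are declared by hand and are an assumption of this example. */
#include <stddef.h>

#ifdef _WIN32
#include <windows.h>
#define VF_NTAPI NTAPI
#else
typedef void *PVOID;                    /* portable stand-ins for Windows types */
typedef char *PCHAR;
typedef wchar_t *PWCHAR, *PWSTR;
typedef unsigned long DWORD, ULONG;
typedef size_t SIZE_T;
typedef unsigned char BOOLEAN;
#define VF_NTAPI
#endif

typedef struct _RTL_VERIFIER_THUNK_DESCRIPTOR {
    PCHAR ThunkName;        /* export to hook; NULL marks the end of the table */
    PVOID ThunkOldAddress;  /* filled in by the verifier engine with the real export */
    PVOID ThunkNewAddress;  /* our replacement */
} RTL_VERIFIER_THUNK_DESCRIPTOR, *PRTL_VERIFIER_THUNK_DESCRIPTOR;

typedef struct _RTL_VERIFIER_DLL_DESCRIPTOR {
    PWCHAR DllName;         /* NULL marks the end of the table */
    DWORD DllFlags;
    PVOID DllAddress;
    PRTL_VERIFIER_THUNK_DESCRIPTOR DllThunks;
} RTL_VERIFIER_DLL_DESCRIPTOR, *PRTL_VERIFIER_DLL_DESCRIPTOR;

typedef void (VF_NTAPI *RTL_VERIFIER_DLL_LOAD_CALLBACK)(PWSTR, PVOID, SIZE_T, PVOID);
typedef void (VF_NTAPI *RTL_VERIFIER_DLL_UNLOAD_CALLBACK)(PWSTR, PVOID, SIZE_T, PVOID);
typedef void (VF_NTAPI *RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK)(PVOID, SIZE_T);

typedef struct _RTL_VERIFIER_PROVIDER_DESCRIPTOR {
    DWORD Length;
    PRTL_VERIFIER_DLL_DESCRIPTOR ProviderDlls;
    RTL_VERIFIER_DLL_LOAD_CALLBACK ProviderDllLoadCallback;
    RTL_VERIFIER_DLL_UNLOAD_CALLBACK ProviderDllUnloadCallback;
    PWSTR VerifierImage;
    DWORD VerifierFlags;
    DWORD VerifierDebug;
    PVOID RtlpGetStackTraceAddress;
    PVOID RtlpDebugPageHeapCreate;
    PVOID RtlpDebugPageHeapDestroy;
    RTL_VERIFIER_NTDLLHEAPFREE_CALLBACK ProviderNtdllHeapFreeCallback;
} RTL_VERIFIER_PROVIDER_DESCRIPTOR, *PRTL_VERIFIER_PROVIDER_DESCRIPTOR;

typedef PVOID (VF_NTAPI *RtlAllocateHeap_t)(PVOID, ULONG, SIZE_T);
typedef BOOLEAN (VF_NTAPI *RtlFreeHeap_t)(PVOID, ULONG, PVOID);

static PVOID VF_NTAPI VfHookRtlAllocateHeap(PVOID HeapHandle, ULONG Flags, SIZE_T Size);
static BOOLEAN VF_NTAPI VfHookRtlFreeHeap(PVOID HeapHandle, ULONG Flags, PVOID BaseAddress);

/* Every table ends with an all-NULL entry: the engine walks until it sees one. */
RTL_VERIFIER_THUNK_DESCRIPTOR VfProviderNtdllThunks[] = {
    { "RtlAllocateHeap", NULL, (PVOID)VfHookRtlAllocateHeap },
    { "RtlFreeHeap",     NULL, (PVOID)VfHookRtlFreeHeap },
    { NULL, NULL, NULL }
};
RTL_VERIFIER_DLL_DESCRIPTOR VfProviderDlls[] = {
    { L"ntdll.dll", 0, NULL, VfProviderNtdllThunks },
    { NULL, 0, NULL, NULL }
};
/* Constructed reproduction of the mistake the reply describes: no terminator. */
RTL_VERIFIER_THUNK_DESCRIPTOR VfUnterminatedThunks[] = {
    { "RtlAllocateHeap", NULL, (PVOID)VfHookRtlAllocateHeap },
    { "RtlFreeHeap",     NULL, (PVOID)VfHookRtlFreeHeap }
};

#define VF_COUNT(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Hooks before the terminator, or -1 if there is none inside the table's own
 * storage (the engine would then walk past the array into whatever follows). */
int VfCountThunks(const RTL_VERIFIER_THUNK_DESCRIPTOR *t, int storage)
{
    for (int i = 0; i < storage; i++)
        if (t[i].ThunkName == NULL) return i;
    return -1;
}
int VfCountDlls(const RTL_VERIFIER_DLL_DESCRIPTOR *d, int storage)
{
    for (int i = 0; i < storage; i++)
        if (d[i].DllName == NULL) return i;
    return -1;
}

static unsigned long g_allocCalls;
unsigned long VfAllocCalls(void) { return g_allocCalls; }

static PVOID VF_NTAPI VfHookRtlAllocateHeap(PVOID HeapHandle, ULONG Flags, SIZE_T Size)
{
    /* ThunkOldAddress stays NULL until the engine has patched the table. */
    RtlAllocateHeap_t orig = (RtlAllocateHeap_t)VfProviderNtdllThunks[0].ThunkOldAddress;
    g_allocCalls++;
    return orig ? orig(HeapHandle, Flags, Size) : NULL;
}
static BOOLEAN VF_NTAPI VfHookRtlFreeHeap(PVOID HeapHandle, ULONG Flags, PVOID BaseAddress)
{
    RtlFreeHeap_t orig = (RtlFreeHeap_t)VfProviderNtdllThunks[1].ThunkOldAddress;
    return orig ? orig(HeapHandle, Flags, BaseAddress) : 0;
}

#ifdef _WIN32
#ifndef DLL_PROCESS_VERIFIER
#define DLL_PROCESS_VERIFIER 4
#endif
static RTL_VERIFIER_PROVIDER_DESCRIPTOR VfProviderDescriptor = {
    sizeof(RTL_VERIFIER_PROVIDER_DESCRIPTOR), VfProviderDlls,
    NULL, NULL, NULL, 0, 0, NULL, NULL, NULL, NULL
};
BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, PVOID reserved)
{
    if (reason == DLL_PROCESS_VERIFIER)   /* engine asks for our descriptor */
        *(PRTL_VERIFIER_PROVIDER_DESCRIPTOR *)reserved = &VfProviderDescriptor;
    else if (reason == DLL_PROCESS_ATTACH)
        DisableThreadLibraryCalls(hinst);
    return TRUE;
}
#endif
```

To try it on Windows, register the DLL under the target image's IFEO key (GlobalFlag with FLG_APPLICATION_VERIFIER, 0x100, and a VerifierDlls value naming the DLL); the engine calls DllMain with DLL_PROCESS_VERIFIER, reads the descriptor, walks both tables to their NULL entries and only then fills in ThunkOldAddress, which is why the hooks above fall back to NULL rather than calling through a NULL pointer.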
by billbudsocket
Wed Jul 15, 2015 5:02 pm
Forum: Malware
Topic: ZeusVM (Zeus clone)
Replies: 59
Views: 89939

Re: ZeusVM (Zeus clone)

I believe this is the file.
by billbudsocket
Wed Mar 04, 2015 6:19 pm
Forum: Tools/Software
Topic: Windows Object Explorer 64-bit (WinObjEx64)
Replies: 14
Views: 53951

Re: Windows Object Explorer 64-bit (WinObjEx64)

Great tool, thanks! Are you accepting code contributions to this tool? I have changed the code to add support for other object types and security dialog (ACLUI) related stuff.