A forum for reverse engineering, OS internals and malware analysis 

Search found 69 matches


Re: Peeking the Memory of Another Process

 by Cr4sh ¦  Mon Jan 18, 2016 8:00 pm ¦  Forum: Newbie Questions ¦  Topic: Peeking the Memory of Another Process ¦  Replies: 3 ¦  Views: 5463

p1nk wrote: Does this technique still work in Windows 8 / 10?
I think the technique itself can work on any operating system.

Re: Peeking the Memory of Another Process

 by Cr4sh ¦  Sun Jan 17, 2016 5:24 pm ¦  Forum: Newbie Questions ¦  Topic: Peeking the Memory of Another Process ¦  Replies: 3 ¦  Views: 5463

I did similar work with hijacking an existing code page via PDE/PTE manipulations; you'll probably find it useful.
Code: https://github.com/Cr4sh/PTBypass-PoC
Article (rus): https://translate.google.com/translate? ... -post.html

Re: W8.1/W10 Bootkit

 by Cr4sh ¦  Mon Sep 07, 2015 9:14 am ¦  Forum: Kernel-Mode Development ¦  Topic: W8.1/W10 Bootkit ¦  Replies: 10 ¦  Views: 14833

No one is going to leak any decent and well-coded malware source code to the public. If you're interested in learning about bootloaders, kernels and other low-level stuff -- check the WRK source code and open source implementations of EFI firmware (http://www.tianocore.org/edk2/ for example).

Re: Clear WP Bit on x64

 by Cr4sh ¦  Sun Aug 09, 2015 5:31 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Clear WP Bit on x64 ¦  Replies: 11 ¦  Views: 11886

For user mode pages you should use NtProtectVirtualMemory instead of WP bit reset.

Re: Clear WP Bit on x64

 by Cr4sh ¦  Thu Aug 06, 2015 9:28 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Clear WP Bit on x64 ¦  Replies: 11 ¦  Views: 11886

Oh, and by the way, you can get the x64 version of common.cpp and other r0 stuff from my more recent project: https://github.com/Cr4sh/ioctlfuzzer/blob/master/src/driver/src/r0_common/common.cpp https://github.com/Cr4sh/ioctlfuzzer/blob/master/src/driver/src/asm/common_asm.h https://github.com/Cr4sh/ioc...

Re: Clear WP Bit on x64

 by Cr4sh ¦  Thu Aug 06, 2015 7:11 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Clear WP Bit on x64 ¦  Replies: 11 ¦  Views: 11886

On SMP enabled systems you also need to be sure that the WP clear and WP set routines will be run on the same CPU; it's a very common mistake. Add a KeSetAffinityThread() call to your code.

Re: Duqu 2.0

 by Cr4sh ¦  Mon Jun 22, 2015 5:51 pm ¦  Forum: Malware ¦  Topic: Duqu 2.0 ¦  Replies: 18 ¦  Views: 34513

Can anyone share a full sample including the VFS image? I'm interested mostly in two files called "CTwoPENC.dll" and "KMART.dll" (unfortunately I don't know their MD5 hashes, idiots from Kaspersky can't even write an adequate analysis report).

Re: Duqu 2.0

 by Cr4sh ¦  Sat Jun 13, 2015 8:06 pm ¦  Forum: Malware ¦  Topic: Duqu 2.0 ¦  Replies: 18 ¦  Views: 34513

r3shl4k1sh wrote: I believe that the Duqu 2.0 team were those who wrote the "report" from Kaspersky...
Probably there is a cease-fire agreement now...

Re: Duqu 2.0

 by Cr4sh ¦  Sat Jun 13, 2015 10:47 am ¦  Forum: Malware ¦  Topic: Duqu 2.0 ¦  Replies: 18 ¦  Views: 34513

My respect to Duqu 2.0 team, all these shitty snake oil sellers from AV companies are totally deserving to be burned into ashes.

Re: openreil

 by Cr4sh ¦  Sun Mar 22, 2015 5:23 pm ¦  Forum: Tools/Software ¦  Topic: openreil ¦  Replies: 2 ¦  Views: 7060

Anyone who is interested in OpenREIL should also check this blog post: Automated algebraic cryptanalysis with OpenREIL and Z3. It shows that it's relatively easy to use my lib for implementing advanced code analysis primitives like symbolic execution and SMT constraint generation.
