A forum for reverse engineering, OS internals and malware analysis 



 by listito ¦  Mon Jul 23, 2012 6:19 pm ¦  Forum: Completed Malware Requests ¦  Topic: CVE-2012-1723 ¦  Replies: 1 ¦  Views: 1952

Anyone got 5492569df2b1c63e2b97e443a9ce5cd6?

Installing a Global SEH

 by listito ¦  Mon Jul 16, 2012 2:43 pm ¦  Forum: Newbie Questions ¦  Topic: Installing a Global SEH ¦  Replies: 0 ¦  Views: 2984


I'm trying to get all TEB base addresses from all threads with the purpose of installing a global SEH, but I haven't figured out how I can do it. Could anyone help me, please?

Would FindWindow + GetWindowThreadProcessId be a good solution for this problem?

Re: Intel SYSRET - MS12-04

 by listito ¦  Sat Jul 07, 2012 9:05 pm ¦  Forum: Newbie Questions ¦  Topic: Intel SYSRET - MS12-04 ¦  Replies: 2 ¦  Views: 3659

Well, it looks like it's not possible to allocate a virtual page with an address above 0x7fffffa0000.

Intel SYSRET - MS12-04

 by listito ¦  Fri Jul 06, 2012 3:15 pm ¦  Forum: Newbie Questions ¦  Topic: Intel SYSRET - MS12-04 ¦  Replies: 2 ¦  Views: 3659

This is a very interesting vulnerability I'd like to talk about. We can exploit it from ring3 by calling syscall from a non-canonical address, but what I do not understand is what really happens when #GP(0) is executed: how can we control execution flow? I haven't seen much information in Intel man...

Re: Malware Requests

 by listito ¦  Tue May 29, 2012 3:52 pm ¦  Forum: Completed Malware Requests ¦  Topic: Malware Requests ¦  Replies: 97 ¦  Views: 122845

Guys, I'm looking for trojan.komodola; got no checksum hash, sorry :(

Re: Post MS12-034 0day by Cr4sh, NtUserLoadKeyboardLayoutEx

 by listito ¦  Tue May 29, 2012 3:06 pm ¦  Forum: Reverse Engineering and Debugging ¦  Topic: Post MS12-034 0day by Cr4sh, NtUserLoadKeyboardLayoutEx ¦  Replies: 3 ¦  Views: 6626

I'm gonna try to play with it, but we are dealing with hell trying to exploit a kernel pool overwrite.

Re: Stealthiest way of closing another process

 by listito ¦  Tue May 29, 2012 2:59 pm ¦  Forum: Newbie Questions ¦  Topic: Stealthiest way of closing another process ¦  Replies: 13 ¦  Views: 17291

By "stealthiest" I mean hard to detect. Great, but I'd like to do the whole thing from ring3; ofc ring0 code can give us superpowers, but I still think loading a driver is very "noisy" (at least the documented and undocumented methods I know).

Stealthiest way of closing another process

 by listito ¦  Sun May 27, 2012 11:14 pm ¦  Forum: Newbie Questions ¦  Topic: Stealthiest way of closing another process ¦  Replies: 13 ¦  Views: 17291

So, I was just thinking: what's the stealthiest way of closing another process? Creating a remote thread with a null pointer, window message flooding maybe?

Re: Intercepting file execution

 by listito ¦  Thu Apr 26, 2012 6:45 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Intercepting file execution ¦  Replies: 9 ¦  Views: 8404

You should really think about hooking explorer.exe's CreateProcess.

Re: Perfect Windows Kernel Hooking

 by listito ¦  Thu Apr 12, 2012 2:08 am ¦  Forum: Newbie Questions ¦  Topic: Perfect Windows Kernel Hooking ¦  Replies: 8 ¦  Views: 8248

Thanks. IMHO PatchGuard is almost useless; trying to protect the Windows kernel with ring0 code is stupid.