A forum for reverse engineering, OS internals and malware analysis 


Perfect Windows Kernel Hooking

 by listito ¦  Tue Apr 10, 2012 6:08 pm ¦  Forum: Newbie Questions ¦  Topic: Perfect Windows Kernel Hooking ¦  Replies: 8 ¦  Views: 8248

I've read somewhere that ia_32_sysenter holds the offset which is loaded into EIP when sysenter is executed. Is there any kind of stealthy, best method of kernel hooking when the purpose is monitoring the value of EAX when sysenter is called?

Re: Malware analysis - Buster Sandbox Analyzer

 by listito ¦  Tue Mar 27, 2012 2:33 am ¦  Forum: Tools/Software ¦  Topic: Malware analysis - Buster Sandbox Analyzer ¦  Replies: 314 ¦  Views: 255297

Buster, my .exe calls WriteProcessMemory 4 times, but your tool only shows it being called 1 time. Is that normal?

Re: Malware analysis - Buster Sandbox Analyzer

 by listito ¦  Sun Mar 25, 2012 7:24 pm ¦  Forum: Tools/Software ¦  Topic: Malware analysis - Buster Sandbox Analyzer ¦  Replies: 314 ¦  Views: 255297

Hey Buster, congrats, nice tool. I'd like to know what type of hook you use to monitor the programs?

Re: Device Driver Development for Beginners - Reloaded

 by listito ¦  Fri Mar 23, 2012 2:48 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Device Driver Development for Beginners - Reloaded ¦  Replies: 24 ¦  Views: 111149

Can you guys please tell me where I can find this book in PDF?

"Windows NT Device Driver Development (OSR Classic Reprints)" ?

Re: hide idt-hooking

 by listito ¦  Thu Mar 22, 2012 6:18 am ¦  Forum: Reverse Engineering and Debugging ¦  Topic: hide idt-hooking ¦  Replies: 4 ¦  Views: 5803

That's really nice code, thanks for sharing :)

Re: Kill kaspersky 2012 from user mode :)

 by listito ¦  Thu Mar 22, 2012 4:54 am ¦  Forum: User-Mode Development ¦  Topic: AV SP Discussion & Bypass ¦  Replies: 121 ¦  Views: 226409

Great, any other AVs vulnerable to this attack vector?

What about sharing a PoC with us? :)

about ring3 hook

 by listito ¦  Tue Dec 13, 2011 12:59 am ¦  Forum: Newbie Questions ¦  Topic: about ring3 hook ¦  Replies: 1 ¦  Views: 2996

Hi, sorry if this is too much of a noob question, but I've hooked a function in another process successfully with DLL injection, no problem 'til now. But what if I want to create a window in the hooked process, pause the execution flow, and wait for the user to put something in a textbox and click a ...

Re: Process list without process32next()

 by listito ¦  Wed Nov 30, 2011 9:00 am ¦  Forum: Newbie Questions ¦  Topic: Process list without process32next() ¦  Replies: 5 ¦  Views: 5145

Thanks guys, very interesting how most of the APIs exported by ntdll.dll got the Zw prefix instead of Nt hehe :)

The program was calling EnumProcesses from psapi.

Process list without process32next()

 by listito ¦  Tue Nov 29, 2011 9:46 pm ¦  Forum: Newbie Questions ¦  Topic: Process list without process32next() ¦  Replies: 5 ¦  Views: 5145

Hello guys, I'm reversing a piece of software which lists all processes without calling Process32Next(), and it's in user mode. Is there really any other way to do it?

Re: Find what terminated your process..

 by listito ¦  Sun Oct 23, 2011 6:47 am ¦  Forum: Newbie Questions ¦  Topic: Find what terminated your process.. ¦  Replies: 5 ¦  Views: 5291

Thanks, Procmon gives me 2 (thread exit). The first one is weird and the call comes from ntdll.dll; the second one is interesting: CALL DWORD PTR DS:[<&KERNEL32.GetQueuedC>; kernel32.GetQueuedCompletionStatus from xul.dll. It's a Firefox plugin I'm reversing and I want to prevent plugin-container.exe...