A forum for reverse engineering, OS internals and malware analysis 


Re: Read Unknown Kernel Address In A Safe Way

 by Brock ¦  Wed Jan 02, 2019 12:45 am ¦  Forum: Kernel-Mode Development ¦  Topic: Read Unknown Kernel Address In A Safe Way ¦  Replies: 2 ¦  Views: 1647

These methods, as well as many others, have been shared on this forum for some time now, but for those less informed your examples may be informative, so thanks for this. As of 8.1 MmCopyMemory() is imho the best choice because it was designed to do exactly this and performs the underlying PTE validati...

Re: Making ReactOS Great Again*, Part 1

 by Brock ¦  Sat Dec 29, 2018 9:53 pm ¦  Forum: Tools/Software ¦  Topic: Making ReactOS Great Again*, Part 1 ¦  Replies: 9 ¦  Views: 11683

Nice write-up, EP_X0FF.

#16 (NtUserCreateAcceleratorTable) was my favorite faux pas.

Re: Hooking the offical way?

 by Brock ¦  Sun Aug 12, 2018 4:30 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Hooking the offical way? ¦  Replies: 8 ¦  Views: 7831

Originally you posted this regardless of the Kernel Mode Development section of the forum: "I've got a question on how to be able to hook various WinAPI functions like VirtualQuery and be able to see the parameters being passed to a certain process." Your question, I assumed after your mentioning of a u...

Re: Hooking the offical way?

 by Brock ¦  Thu Aug 09, 2018 11:25 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Hooking the offical way? ¦  Replies: 8 ¦  Views: 7831

Should have mentioned previously that v4.0.1 is now open source and supports both x86 and x64 and will work with all NT-based operating systems. Years ago this wasn't the case; the source for licensing v4.0 was (iirc) $10,000 USD.

https://github.com/Microsoft/Detours

Re: Hooking the offical way?

 by Brock ¦  Thu Aug 09, 2018 5:01 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Hooking the offical way? ¦  Replies: 8 ¦  Views: 7831

You can inject a DLL into your target process(es) and use the Microsoft Detours hooking engine if you don't want to use third-party hooking engines. However, there really isn't any "official" method; Detours just happens to be Microsoft's own hooking solution for various tasks over the years.

Re: Design Question

 by Brock ¦  Sun Jul 15, 2018 6:31 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Design Question ¦  Replies: 1 ¦  Views: 2471

Take a look at the Inverted Call Model. Instead of your usermode application using DeviceIoControl with a supplied IOCTL to the driver, the driver queues event info to the usermode application, hence the name Inverted.

Re: Process Doppelganging

 by Brock ¦  Tue Jul 03, 2018 10:47 pm ¦  Forum: User-Mode Development ¦  Topic: Process Doppelganging ¦  Replies: 7 ¦  Views: 17667

Interesting. Thanks for sharing, Vrtule.

Re: why ExFreePool will blue screen

 by Brock ¦  Wed May 23, 2018 11:32 pm ¦  Forum: Kernel-Mode Development ¦  Topic: why ExFreePool will blue screen ¦  Replies: 3 ¦  Views: 4235

@lwbkm,

When you graduate to better understanding kernel memory allocation and general management, you might also strongly consider, on Windows 8+ anyhow, using ExAllocatePool(NonPagedPoolNx, ...) or the newer compiler's opt-in flag instead of the NonPagedPool type. It's just a best practice, is all.

Re: how to delete driver file and still Keep communication

 by Brock ¦  Sat Apr 28, 2018 4:31 pm ¦  Forum: Kernel-Mode Development ¦  Topic: how to delete driver file and still Keep communication ¦  Replies: 10 ¦  Views: 11609

"Recently I am writing a rootkit software"

This board doesn't support authoring of rootkits.

Re: ObRegisterCallbacks return 0xC0000022 error

 by Brock ¦  Thu Feb 22, 2018 10:27 pm ¦  Forum: Kernel-Mode Development ¦  Topic: ObRegisterCallbacks return 0xC0000022 error ¦  Replies: 2 ¦  Views: 4008

Vrtule's way should work fine for you. If you want a link-time option though, you can simply use the /INTEGRITYCHECK flag.
