A forum for reverse engineering, OS internals and malware analysis 


What does the code look like which spawns the VCL app from the service? The VCL app might have issues with the user environment. Post your code for executing the VCL app from the service, I assume in the service you're using CreateProcessAsUser() or similar? * Basically, ShellExecute() isn't an API ...

Re: Windows 10 booting issue

 by Brock ¦  Thu Jan 31, 2019 7:38 pm ¦  Forum: General Discussion ¦  Topic: Windows 10 booting issue ¦  Replies: 1 ¦  Views: 1055

Try almighty Google first, it's as simple as querying the system error code you mentioned here

https://neosmart.net/wiki/0xc0000428/

Re: [C] HTTP-Downloader

 by Brock ¦  Tue Jan 15, 2019 1:42 pm ¦  Forum: Newbie Questions ¦  Topic: [C] HTTP-Downloader ¦  Replies: 6 ¦  Views: 2966

Re: [C] HTTP-Downloader

 by Brock ¦  Sun Jan 13, 2019 12:14 am ¦  Forum: Newbie Questions ¦  Topic: [C] HTTP-Downloader ¦  Replies: 6 ¦  Views: 2966

Took a quick peek at the code, don't forget to close thread and process handles upon successful call returns. Only mentioning this because you mentioned the word "clean" twice and these are resource leaks. Download.cpp download_thread() ---> CloseHandle(pInfo->hThread); CloseHandle(pInfo->hProcess);...

Re: Use LGPL code in MIT project?

 by Brock ¦  Thu Jan 10, 2019 10:39 pm ¦  Forum: General Discussion ¦  Topic: Use LGPL code in MIT project? ¦  Replies: 1 ¦  Views: 1084

Re: Read Unknown Kernel Address In A Safe Way

 by Brock ¦  Wed Jan 02, 2019 12:45 am ¦  Forum: Kernel-Mode Development ¦  Topic: Read Unknown Kernel Address In A Safe Way ¦  Replies: 2 ¦  Views: 2091

These methods as well as many others have been shared on this forum for some time now but for those less informed your examples may be informative, so thanks for this. As of 8.1 MmCopyMemory() is imho the best choice because it was designed to do exactly this and performs the underlying PTE validati...

Re: Making ReactOS Great Again*, Part 1

 by Brock ¦  Sat Dec 29, 2018 9:53 pm ¦  Forum: Tools/Software ¦  Topic: Making ReactOS Great Again*, Part 1 ¦  Replies: 9 ¦  Views: 12806

Nice write-up, EP_X0FF.

#16 (NtUserCreateAcceleratorTable) was my favorite faux pas


Re: Hooking the offical way?

 by Brock ¦  Sun Aug 12, 2018 4:30 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Hooking the offical way? ¦  Replies: 10 ¦  Views: 9178

Originally you posted this regardless of the Kernel Mode Development section of the forum I've got a question on how to be able to hook various WinAPI functions like VirtualQuery and be able to see the parameters being passed to a certain process Your question, I assumed after your mentioning of a u...

Re: Hooking the offical way?

 by Brock ¦  Thu Aug 09, 2018 11:25 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Hooking the offical way? ¦  Replies: 10 ¦  Views: 9178

Should have mentioned previously that v4.0.1 is now open source and supports both x86 and x64 and will work with all NT-based operating systems. Years ago this wasn't the case, the source for licensing v4.0 was (iirc) $10,000 USD

https://github.com/Microsoft/Detours

Re: Hooking the offical way?

 by Brock ¦  Thu Aug 09, 2018 5:01 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Hooking the offical way? ¦  Replies: 10 ¦  Views: 9178

You can inject a DLL into your target process(es) and use Microsoft Detours hooking engine if you don't want to use 3rd party hooking engines. However, there really isn't any "official" method, Detours just happens to be Microsoft's own hooking solution for various tasks over the years.
