Search found 214 matches

by Brock
Wed Nov 22, 2017 1:28 pm
Forum: Kernel-Mode Development
Topic: Invalid ProcessId in LoadImageNotifyRoutine
Replies: 2
Views: 4634

Re: Invalid ProcessId in LoadImageNotifyRoutine

If you're attempting to use Load Image notify routines as a source for tracking newly created processes, you're better off using PsSetCreateProcessNotifyRoutine since it was designed solely for this purpose. As for the issue you're experiencing with PsSetLoadImageNotifyRoutine, any section created and...
by Brock
Mon Nov 13, 2017 3:13 pm
Forum: Newbie Questions
Topic: Pls help find malware
Replies: 3
Views: 7556

Re: Pls help find malware

@lili If you're using IDA Pro 6.2+, you can switch into the user-friendly Proximity View, which will disassemble a complete call graph for you. The data and function code are separated for easy browsing and are displayed via tree nodes for simplified exploration. If you're looking for an in-depth guide ...
by Brock
Mon Oct 02, 2017 9:29 pm
Forum: Kernel-Mode Development
Topic: Some create process notifications cannot be removed
Replies: 6
Views: 10336

Re: Some create process notifications cannot be removed

It's very possible the function is hooked, as indicated by tcxyqs; malware has done this to do as he said, that is, to prevent the removal of a callback it has installed, so it guards it if the 2nd param of the function is set to TRUE (Removal). Anyhow, where are you calling PsSetCreateProcessNotifyRouti...
by Brock
Mon Sep 11, 2017 3:27 pm
Forum: Newbie Questions
Topic: trouble: 2 threads accessing simultaneous the same item of a
Replies: 4
Views: 12477

Re: trouble: 2 threads accessing simultaneous the same item

Vrtule is right; however, if you want to use the WinAPI directly, it's only a few lines of code and you don't need classes or OO for it.

var CritSec: RTL_CRITICAL_SECTION;
procedure EnterLock; begin EnterCriticalSection(CritSec); end;
procedure LeaveLock; begin LeaveCriticalSection(CritSec); end;
procedure...
by Brock
Fri Sep 08, 2017 10:58 am
Forum: Kernel-Mode Development
Topic: WIN64 Driver Development Basic Tutorial
Replies: 19
Views: 43275

Re: WIN64 Driver Development Basic Tutorial

EP_X0FF has already answered your question. kernelmode.info is not affiliated with other forums or websites, so we (members here) have no knowledge of another forum's rules and regulations, registration procedures, etc. That would be like asking Microsoft for your forgotten Yahoo email password; they ...
by Brock
Sat Aug 05, 2017 8:03 pm
Forum: Tools/Software
Topic: IRPMon: An improved version of IrpTracker
Replies: 2
Views: 16059

Re: IRPMon: An improved version of IrpTracker

What a great tool, VrTule. Thank you for releasing it! I like it a lot.
by Brock
Tue Jul 18, 2017 9:22 am
Forum: Kernel-Mode Development
Topic: Very Simple Question: How to read any kernel address safely?
Replies: 7
Views: 14783

Re: Very Simple Question: How to read any kernel address saf

SEH-wrapped MDL access can accomplish this.
by Brock
Thu Jun 22, 2017 8:36 pm
Forum: Kernel-Mode Development
Topic: remove protection csrss system hang?
Replies: 2
Views: 16508

Re: remove protection csrss system hang?

@nullpointer,

From a security standpoint this is not a sound practice. Why not just make your own process a protected process instead, assuming you use one? If you do this you can access other protected processes without having to remove their protected process status.
by Brock
Sat May 27, 2017 11:24 pm
Forum: Kernel-Mode Development
Topic: What is the correct way to load a kernel mode WFP driver
Replies: 5
Views: 13511

Re: What is the correct way to load a kernel mode WFP driver

I don't see why not. Perhaps create a new thread with any question(s) pertaining to cloud computing; maybe a few members can offer you information about the subject.