A forum for reverse engineering, OS internals and malware analysis 


Re: Ring3 Windowed-Process Kill PoC

 by Brock ¦  Sat Aug 13, 2011 2:54 am ¦  Forum: User-Mode Development ¦  Topic: Ring3 Windowed-Process Kill PoC ¦  Replies: 4 ¦  Views: 7818

It's all in good "fun". I just thought the Sudami text about PostMessage API was funny. Originally, I wrote a hack to do similar stuff with AttachThreadInput but it was even nastier.

Ring3 Windowed-Process Kill PoC

 by Brock ¦  Fri Aug 12, 2011 10:47 pm ¦  Forum: User-Mode Development ¦  Topic: Ring3 Windowed-Process Kill PoC ¦  Replies: 4 ¦  Views: 7818

Decided to share a very simple yet effective "generic" PoC, aka stupid ugly nasty hack, I wrote after analyzing some existing ARK self-protection mechanisms, even those with deep kernel object hooks, shadow table hooks etc. Some programs tested against were Rootkit Unhooker 3.8.389.593 LE SR2, IceSw...

Re: Assembler Disassembler Engines

 by Brock ¦  Thu May 26, 2011 1:32 am ¦  Forum: User-Mode Development ¦  Topic: Assembler Disassembler Engines ¦  Replies: 16 ¦  Views: 73914

My personal favorite disasm written by Madshi in Delphi. This is a very complete disasm engine and is nearly 200 kb in source size. It isn't for the faint of heart ;) http://www.2shared.com/file/tjSyW-YR/madDisAsm.html http://www.2shared.com/file/Ell7GM7N/mad.html http://www.2shared.com/file/Z20V7WO...

Re: Assembler Disassembler Engines

 by Brock ¦  Thu May 26, 2011 1:21 am ¦  Forum: User-Mode Development ¦  Topic: Assembler Disassembler Engines ¦  Replies: 16 ¦  Views: 73914

Disassembler written in Delphi for the x86 platform, by Rllibby, who frequents the Experts Exchange website. It's a port from the libdisasm project. http://www.programmersheaven.com/download/32918/0/ZipView.aspx //////////////////////////////////////////////////////////////////////////////// // //...

Re: DrvMon

 by Brock ¦  Wed May 25, 2011 3:32 pm ¦  Forum: Tools/Software ¦  Topic: DrvMon ¦  Replies: 51 ¦  Views: 62552

Agreed.

Re: DrvMon

 by Brock ¦  Wed May 25, 2011 3:27 pm ¦  Forum: Tools/Software ¦  Topic: DrvMon ¦  Replies: 51 ¦  Views: 62552

I assume there are definitely more that could freeze the system up, this is exactly why I incorporate core system driver loading allowance. And yes, it seems that other drivers such as kmixer.sys denying can also potentially lock the system up too from what I noticed in my own testing. It seems lega...

Re: DrvMon

 by Brock ¦  Wed May 25, 2011 5:04 am ¦  Forum: Tools/Software ¦  Topic: DrvMon ¦  Replies: 51 ¦  Views: 62552

I think r2nwcnydc is talking about TARGETTYPE=EXPORT_DRIVER which is a kernel mode DLL. It's like any other module loaded in kernel mode in respect to the fact that if it doesn't return STATUS_SUCCESS in its main routine it's immediately unmapped from memory, same rule applies to DriverEntry in stan...

Re: DrvMon

 by Brock ¦  Tue May 24, 2011 7:36 pm ¦  Forum: Tools/Software ¦  Topic: DrvMon ¦  Replies: 51 ¦  Views: 62552

I achieve the same thing with a load image callback / notify routine and inside the callback after calculating OEP I deny drivers with a STATUS_UNSUCCESSFUL return as well. This is the most practical and logical thing to do in my honest opinion. Faking STATUS_SUCCESS could potentially be a bad thing...
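The deny-at-OEP approach Brock describes above, as an added example that is not his code: a load-image notify routine (registered with PsSetLoadImageNotifyRoutine) receives the mapped image base and size for each driver image; from the PE headers it can compute the entry point RVA and overwrite the entry with a `mov eax, STATUS_UNSUCCESSFUL ; ret` stub, so the loader's call to DriverEntry fails and the image is unmapped, exactly as it would be for a driver that returned failure on its own. To run anywhere, the block below constructs a minimal PE image in memory instead of using a real mapped driver; the callback registration, the allow/deny policy and the write-protection handling a real kernel driver would need are assumptions left out and noted in the comments.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* NTSTATUS returned by a failing DriverEntry (ntstatus.h: 0xC0000001). */
#define STATUS_UNSUCCESSFUL 0xC0000001u

/* Header offsets fixed by the PE/COFF specification. */
#define DOS_E_LFANEW_OFFSET    0x3C  /* IMAGE_DOS_HEADER.e_lfanew */
#define NT_FILE_HEADER_SIZE    20    /* sizeof(IMAGE_FILE_HEADER) */
#define OPT_ENTRY_POINT_OFFSET 16    /* AddressOfEntryPoint, same for PE32 and PE32+ */

/* Return the entry point RVA of a mapped PE image, or 0 if the headers are
   malformed or the entry would not fit the 6-byte stub. Assumes a little-
   endian host, which is what x86/x64 Windows is. */
static uint32_t pe_entry_point_rva(const uint8_t *base, size_t size)
{
    uint32_t e_lfanew, opt_off, ep;
    if (size < DOS_E_LFANEW_OFFSET + 4 || base[0] != 'M' || base[1] != 'Z')
        return 0;
    memcpy(&e_lfanew, base + DOS_E_LFANEW_OFFSET, 4);
    if (e_lfanew >= size)
        return 0;
    opt_off = e_lfanew + 4 + NT_FILE_HEADER_SIZE;
    if (opt_off + OPT_ENTRY_POINT_OFFSET + 4 > size)
        return 0;
    if (memcmp(base + e_lfanew, "PE\0\0", 4) != 0)
        return 0;
    memcpy(&ep, base + opt_off + OPT_ENTRY_POINT_OFFSET, 4);
    if (ep == 0 || (size_t)ep + 6 > size)
        return 0;
    return ep;
}

/* Patch the entry point with "mov eax, STATUS_UNSUCCESSFUL ; ret"
   (B8 imm32 C3). NTSTATUS comes back in EAX on both x86 and x64, so the same
   stub serves both. In a real driver this write would happen inside the
   load-image callback and would have to deal with page protection on the
   mapped image; that is assumed and not shown here. */
static int deny_driver_at_oep(uint8_t *base, size_t size)
{
    uint32_t ep = pe_entry_point_rva(base, size);
    uint8_t stub[6] = { 0xB8, 0, 0, 0, 0, 0xC3 };
    uint32_t status = STATUS_UNSUCCESSFUL;
    if (ep == 0)
        return 0;                    /* can't locate OEP: leave the image alone */
    memcpy(stub + 1, &status, 4);    /* little-endian imm32 */
    memcpy(base + ep, stub, sizeof stub);
    return 1;
}

/* Constructed stand-in for a mapped driver image (not a real driver):
   MZ header, e_lfanew = 0x80, PE signature, empty file header, PE32 optional
   header with AddressOfEntryPoint = 0x100, and int3 padding at the entry. */
static uint8_t g_image[0x200];

static void build_sample_image(uint8_t *buf, size_t size)
{
    uint32_t e_lfanew = 0x80, ep = 0x100;
    uint16_t pe32_magic = 0x10B;
    memset(buf, 0, size);
    buf[0] = 'M'; buf[1] = 'Z';
    memcpy(buf + DOS_E_LFANEW_OFFSET, &e_lfanew, 4);
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    memcpy(buf + e_lfanew + 4 + NT_FILE_HEADER_SIZE, &pe32_magic, 2);
    memcpy(buf + e_lfanew + 4 + NT_FILE_HEADER_SIZE + OPT_ENTRY_POINT_OFFSET, &ep, 4);
    memset(buf + ep, 0xCC, 16);
}

/* Build the sample, deny it, and report whether the expected stub landed at OEP. */
static int demo(void)
{
    static const uint8_t expected[6] = { 0xB8, 0x01, 0x00, 0x00, 0xC0, 0xC3 };
    build_sample_image(g_image, sizeof g_image);
    if (!deny_driver_at_oep(g_image, sizeof g_image))
        return 0;
    return memcmp(g_image + 0x100, expected, sizeof expected) == 0;
}

/* Malformed images must be left untouched rather than patched blindly. */
static int malformed_is_rejected(void)
{
    uint8_t junk[64] = { 0 };
    uint8_t bad_lfanew[64] = { 'M', 'Z' };
    uint32_t too_far = 0x1000;
    memcpy(bad_lfanew + DOS_E_LFANEW_OFFSET, &too_far, 4);
    return pe_entry_point_rva(junk, sizeof junk) == 0 &&
           deny_driver_at_oep(bad_lfanew, sizeof bad_lfanew) == 0;
}

int main(void)
{
    printf("deny stub at OEP: %s\n", demo() ? "ok" : "failed");
    printf("malformed image rejected: %s\n", malformed_is_rejected() ? "ok" : "failed");
    return 0;
}
```

The two checks worth keeping from this are the ones the original post only implies: compute the entry from the headers of the image actually mapped (not from the file on disk), and fall through to "allow" whenever the headers do not parse, since a blind write at a bogus offset is a far worse failure than letting one driver load.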

Re: DrvMon

 by Brock ¦  Sun May 22, 2011 6:32 pm ¦  Forum: Tools/Software ¦  Topic: DrvMon ¦  Replies: 51 ¦  Views: 62552

@EP_X0FF: To reproduce the Windows component blocking issue a simple test such as this works. Try this under Windows XP x86. Open DrvMon and deny all driver loading, then right click the desktop choosing "properties" and then the "settings" tab which will show your display settings. Hopefully, vga.d...

Re: DrvMon

 by Brock ¦  Sun May 22, 2011 5:26 am ¦  Forum: Tools/Software ¦  Topic: DrvMon ¦  Replies: 51 ¦  Views: 62552

@EP_X0FF [1] I've compiled a quick PoC using a small C-written driver; it simply supports standard DriverEntry and DriverUnload routines and prints debug messages proving it bypassed DrvMon and was loaded successfully even with DrvMon's "deny drivers loading" checked. The messages can be seen with...
