A forum for reverse engineering, OS internals and malware analysis 


Re: Assembler Disassembler Engines

 by Brock ¦  Thu May 26, 2011 1:21 am ¦  Forum: User-Mode Development ¦  Topic: Assembler Disassembler Engines ¦  Replies: 16 ¦  Views: 75229

Disassembler for the x86 platform, written in Delphi by Rllibby, who frequents the Experts Exchange website. It's a port from the libdisasm project. http://www.programmersheaven.com/download/32918/0/ZipView.aspx //////////////////////////////////////////////////////////////////////////////// // //...

Re: DrvMon

 by Brock ¦  Wed May 25, 2011 3:32 pm ¦  Forum: Tools/Software ¦  Topic: DrvMon ¦  Replies: 51 ¦  Views: 62993

Agreed.

Re: DrvMon

 by Brock ¦  Wed May 25, 2011 3:27 pm ¦  Forum: Tools/Software ¦  Topic: DrvMon ¦  Replies: 51 ¦  Views: 62993

I assume there are definitely more that could freeze the system up; this is exactly why I incorporate an allowance for core system driver loading. And yes, it seems that denying other drivers such as kmixer.sys can also potentially lock the system up, from what I noticed in my own testing. It seems lega...

Re: DrvMon

 by Brock ¦  Wed May 25, 2011 5:04 am ¦  Forum: Tools/Software ¦  Topic: DrvMon ¦  Replies: 51 ¦  Views: 62993

I think r2nwcnydc is talking about TARGETTYPE=EXPORT_DRIVER, which is a kernel-mode DLL. It's like any other module loaded in kernel mode with respect to the fact that if it doesn't return STATUS_SUCCESS from its main routine it's immediately unmapped from memory; the same rule applies to DriverEntry in stan...

Re: DrvMon

 by Brock ¦  Tue May 24, 2011 7:36 pm ¦  Forum: Tools/Software ¦  Topic: DrvMon ¦  Replies: 51 ¦  Views: 62993

I achieve the same thing with a load image callback / notify routine and inside the callback after calculating OEP I deny drivers with a STATUS_UNSUCCESSFUL return as well. This is the most practical and logical thing to do in my honest opinion. Faking STATUS_SUCCESS could potentially be a bad thing...
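Added example, not code from this post or from DrvMon: the mechanics behind the approach described above, shown in plain user-mode C over a constructed in-memory image. It parses the PE headers the way a load-image notify routine would over IMAGE_INFO.ImageBase/ImageSize to find AddressOfEntryPoint, then overwrites the entry with a stub that returns STATUS_UNSUCCESSFUL, so the loader treats DriverEntry as failed and unmaps the image (the same rule noted two posts up for EXPORT_DRIVER). The sample image, the helper names, and the choice of an x86 `ret 8` stub (DriverEntry is __stdcall with two pointer arguments on x86) are my assumptions; registering the callback with PsSetLoadImageNotifyRoutine and making the code page writable are kernel-side steps that are deliberately not shown.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal PE header offsets, defined locally so this builds with a plain C
   compiler (no windows.h / ntddk.h). Only what is needed to find the entry
   point and the target architecture is modelled. */
#define DOS_MAGIC            0x5A4Du      /* "MZ" */
#define PE_SIGNATURE         0x00004550u  /* "PE\0\0" */
#define OFF_E_LFANEW         0x3Cu        /* IMAGE_DOS_HEADER.e_lfanew */
#define OFF_MACHINE          4u           /* IMAGE_FILE_HEADER.Machine */
#define OFF_OPTIONAL_HEADER  24u          /* 4-byte signature + 20-byte file header */
#define OFF_ENTRY_POINT      16u          /* AddressOfEntryPoint, same offset in PE32 and PE32+ */
#define MACHINE_I386         0x014Cu
#define MACHINE_AMD64        0x8664u
#define STATUS_UNSUCCESSFUL  0xC0000001u

/* x86 stub: mov eax, 0C0000001h ; ret 8   (stdcall callee pops the two args) */
static const uint8_t deny_stub_x86[] = {0xB8, 0x01, 0x00, 0x00, 0xC0, 0xC2, 0x08, 0x00};
/* x64 stub: mov eax, 0C0000001h ; ret     (caller cleans up; mov eax zero-extends rax) */
static const uint8_t deny_stub_x64[] = {0xB8, 0x01, 0x00, 0x00, 0xC0, 0xC3};

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, sizeof v); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, sizeof v); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, sizeof v); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, sizeof v); }

/* Entry point of a mapped image as an RVA (== offset from ImageBase once the
   loader has mapped it). Returns -1 if the headers are malformed or the entry
   lies outside the image. Optionally reports IMAGE_FILE_HEADER.Machine. */
long pe_entry_rva(const uint8_t *image, size_t size, uint16_t *machine_out)
{
    if (size < OFF_E_LFANEW + 4 || rd16(image) != DOS_MAGIC)
        return -1;
    uint32_t e_lfanew = rd32(image + OFF_E_LFANEW);
    /* bound the header read itself against a bogus e_lfanew */
    if (e_lfanew > size || size - e_lfanew < OFF_OPTIONAL_HEADER + OFF_ENTRY_POINT + 4)
        return -1;
    if (rd32(image + e_lfanew) != PE_SIGNATURE)
        return -1;
    uint32_t rva = rd32(image + e_lfanew + OFF_OPTIONAL_HEADER + OFF_ENTRY_POINT);
    if (rva == 0 || rva >= size)
        return -1;
    if (machine_out)
        *machine_out = rd16(image + e_lfanew + OFF_MACHINE);
    return (long)rva;
}

/* Overwrite the entry point with a stub returning STATUS_UNSUCCESSFUL so the
   loader treats initialisation as failed and unmaps the driver.
   Returns 1 on success, 0 if the image was left untouched. */
int deny_driver_entry(uint8_t *image, size_t size)
{
    uint16_t machine = 0;
    long rva = pe_entry_rva(image, size, &machine);
    if (rva < 0)
        return 0;
    const uint8_t *stub; size_t stub_len;
    if (machine == MACHINE_I386)       { stub = deny_stub_x86; stub_len = sizeof deny_stub_x86; }
    else if (machine == MACHINE_AMD64) { stub = deny_stub_x64; stub_len = sizeof deny_stub_x64; }
    else return 0;                     /* unknown architecture: do not patch */
    if ((size_t)rva + stub_len > size)
        return 0;
    memcpy(image + rva, stub, stub_len);
    return 1;
}

/* Constructed sample: a minimal PE image with MZ header, e_lfanew = 0x80,
   PE signature, Machine, optional-header Magic and AddressOfEntryPoint. */
size_t build_sample_image(uint8_t *buf, size_t cap, uint16_t machine, uint32_t entry_rva)
{
    const uint32_t e_lfanew = 0x80;
    const size_t image_size = 0x2000;
    if (cap < image_size) return 0;
    memset(buf, 0, image_size);
    wr16(buf, DOS_MAGIC);
    wr32(buf + OFF_E_LFANEW, e_lfanew);
    wr32(buf + e_lfanew, PE_SIGNATURE);
    wr16(buf + e_lfanew + OFF_MACHINE, machine);
    wr16(buf + e_lfanew + OFF_OPTIONAL_HEADER, machine == MACHINE_AMD64 ? 0x20B : 0x10B);
    wr32(buf + e_lfanew + OFF_OPTIONAL_HEADER + OFF_ENTRY_POINT, entry_rva);
    return image_size;
}

/* Exercise both stubs and the malformed-header path; 1 if every check passes. */
int run_checks(void)
{
    static uint8_t img[0x2000];
    size_t n = build_sample_image(img, sizeof img, MACHINE_I386, 0x1000);
    if (pe_entry_rva(img, n, NULL) != 0x1000 || !deny_driver_entry(img, n)) return 0;
    if (memcmp(img + 0x1000, deny_stub_x86, sizeof deny_stub_x86) != 0) return 0;
    n = build_sample_image(img, sizeof img, MACHINE_AMD64, 0x1800);
    if (!deny_driver_entry(img, n) || memcmp(img + 0x1800, deny_stub_x64, sizeof deny_stub_x64) != 0) return 0;
    img[0] = 'X';                      /* corrupt the MZ magic: must be rejected */
    if (pe_entry_rva(img, n, NULL) != -1 || deny_driver_entry(img, n)) return 0;
    return 1;
}

int main(void)
{
    printf("checks %s\n", run_checks() ? "passed" : "FAILED");
    return 0;
}
```

The `memcpy`-based reads avoid unaligned access and strict-aliasing problems, and every offset is bounds-checked against the image size before it is dereferenced, which matters when the headers belong to a driver you are deliberately treating as hostile.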

Re: DrvMon

 by Brock ¦  Sun May 22, 2011 6:32 pm ¦  Forum: Tools/Software ¦  Topic: DrvMon ¦  Replies: 51 ¦  Views: 62993

@EP_X0FF: To reproduce the Windows component blocking issue a simple test such as this works. Try this under Windows XP x86. Open DrvMon and deny all driver loading, then right click the desktop choosing "properties" and then the "settings" tab which will show your display settings. Hopefully, vga.d...

Re: DrvMon

 by Brock ¦  Sun May 22, 2011 5:26 am ¦  Forum: Tools/Software ¦  Topic: DrvMon ¦  Replies: 51 ¦  Views: 62993

@EP_X0FF [1] I've compiled a quick PoC using a small C-written driver; it simply supports standard DriverEntry and DriverUnload routines and prints debug messages proving it bypassed DrvMon and was loaded successfully even with DrvMon's "deny drivers loading" checked. The messages can be seen with...

Re: DrvMon

 by Brock ¦  Sat May 21, 2011 9:28 pm ¦  Forum: Tools/Software ¦  Topic: DrvMon ¦  Replies: 51 ¦  Views: 62993

@EP_X0FF & Fyyre: I wrote something identical to this months back for the same purpose which is the collection of malware drivers so I decided to leave you some constructive criticism. This DrvMon tool's "concept" is great but the actual tool itself needs to address some major issues... ;) [1] DrvMo...

Re: Another ARK

 by Brock ¦  Sat Nov 06, 2010 1:16 am ¦  Forum: Tools/Software ¦  Topic: Another ARK ¦  Replies: 14 ¦  Views: 17256

xqrzd - SoftWorkz Innovation is the activation partner; take it up with them and inquire as to why it would falsely report the disk as full. Check the dna.dll file; it's not copyrighted to NoVirusThanks Company.

Re: Another ARK

 by Brock ¦  Fri Nov 05, 2010 1:17 am ¦  Forum: Tools/Software ¦  Topic: Another ARK ¦  Replies: 14 ¦  Views: 17256

Revisit http://novirusthanks.org, a fully unrestricted evaluation / 24 hour trial of NoVirusThanks Anti-Rootkit is now available. After you're done downloading the trial setup and you are prompted with a product activation screen click "Request Eval Code" and enter a valid email address. After you o...
