A forum for reverse engineering, OS internals and malware analysis 

Re: What is the correct way to load a kernel mode WFP driver

by Brock ¦ Fri May 26, 2017 10:23 pm ¦ Forum: Kernel-Mode Development ¦ Topic: What is the correct way to load a kernel mode WFP driver ¦ Replies: 5 ¦ Views: 13519

Article looks accurate after quickly glancing over it. Something not mentioned in that however is this, if you want to avoid user intervention when installing the .INF then you can just spawn an instance of the InfDefaultInstall.exe process and pass your .INF filename as a parameter. This accomplish...

Re: What is the correct way to load a kernel mode WFP driver

by Brock ¦ Thu May 18, 2017 4:13 pm ¦ Forum: Kernel-Mode Development ¦ Topic: What is the correct way to load a kernel mode WFP driver ¦ Replies: 5 ¦ Views: 13519

How would this be done properly? "Properly" is to use a .INF file containing your driver installation and start information such as start type, loader order group etc. However, it's not required as you can use SCM directly and any registry values that may not be created you can then create by hand...

Re: "Not a valid win32 application"

by Brock ¦ Tue May 09, 2017 7:22 pm ¦ Forum: Reverse Engineering and Debugging ¦ Topic: "Not a valid win32 application" ¦ Replies: 3 ¦ Views: 13194

You might start by statically analyzing the program in question with a tool like CFF Explorer and looking for any invalid values contained within the image's PE structures, assuming an unpacked sample. These fields are usually highlighted in Red by the program to give you a visual indication of "inv...

Re: Cybellum - another pseudo security company from Israel

by Brock ¦ Fri Mar 24, 2017 3:36 am ¦ Forum: General Discussion ¦ Topic: Cybellum - another pseudo security company from Israel ¦ Replies: 9 ¦ Views: 22393

They're calling this a post-breach attack. You know, the kind that aren't practical unless your system is actually breached and the compromised user account is in the Administrators group :lol:

Re: Cybellum - another pseudo security company from Israel

by Brock ¦ Thu Mar 23, 2017 8:20 pm ¦ Forum: General Discussion ¦ Topic: Cybellum - another pseudo security company from Israel ¦ Replies: 9 ¦ Views: 22393

@aionescu, Yes, Cybellum is a joke. As soon as any of us saw them claiming "0-day" it became a comical matter. A grab your popcorn and soda type of event for the masses in the security industry. My point about your post is if you've based your Appverifier example on another's work cite the source/re...

Re: Cybellum - another pseudo security company from Israel

by Brock ¦ Thu Mar 23, 2017 8:28 am ¦ Forum: General Discussion ¦ Topic: Cybellum - another pseudo security company from Israel ¦ Replies: 9 ¦ Views: 22393

Look at Yang's example hook within his verifier module here https://blogs.msdn.microsoft.com/reiley/2012/08/17/a-debugging-approach-to-application-verifier/ and then at Ionescu's example, 3 years later! https://github.com/ionescu007/HookingNirvana/blob/master/verif.dll/verif.c Ionescu shouldn't be c...

Re: TCPView Source Code

by Brock ¦ Thu Mar 16, 2017 2:19 am ¦ Forum: General Discussion ¦ Topic: TCPView Source Code ¦ Replies: 25 ¦ Views: 38166

[1] Yes, as a matter of fact in Vista the Windows Firewall itself is built on WFP. [2] Almost anything is certainly *possible* to circumvent security mechanisms, always a cat and mouse game. I focus more on probability and not so much possibility. If malware has clever tricks, locates a bug in said ...

Re: TCPView Source Code

by Brock ¦ Wed Mar 15, 2017 7:25 am ¦ Forum: General Discussion ¦ Topic: TCPView Source Code ¦ Replies: 25 ¦ Views: 38166

As Vrtule mentioned in his post, you can use ALE with WFP and identify things such as the process information you seek. It's a layer that makes it possible to identify the application associated with the network operation(s). Refer to WDK's WFP layered samples under \src\network\trans. "inspect" sam...

Re: TCPView Source Code

by Brock ¦ Tue Mar 14, 2017 5:03 am ¦ Forum: General Discussion ¦ Topic: TCPView Source Code ¦ Replies: 25 ¦ Views: 38166

Windows Filtering Platform (WFP) is what you want to be using. WFP is supported on Vista SP2+ and supports callout drivers as well as usermode API to filter and inspect network data. Microsoft designed WFP to replace NDIS, TDI, LSP etc. It's why I mentioned in my previous post that Microsoft is "pus...

Re: TCPView Source Code

by Brock ¦ Sat Mar 11, 2017 2:45 am ¦ Forum: General Discussion ¦ Topic: TCPView Source Code ¦ Replies: 25 ¦ Views: 38166

GetExtendedTcp/UdpTable() is usermode API only. There is a subset of IP helper APIs for kernel mode drivers though, see here https://msdn.microsoft.com/en-us/windows/hardware/drivers/network/ip-helper - you might also look into NDIS, TDI (supposedly phased out since Vista and no longer supported by ...
