A forum for reverse engineering, OS internals and malware analysis 


Re: Windows Kernel Driver Signing issue (WFP/Inspect)

 by Vrtule ¦  Mon Aug 27, 2018 8:22 pm ¦  Forum: Newbie Questions ¦  Topic: Windows Kernel Driver Signing issue (WFP/Inspect) ¦  Replies: 1 ¦  Views: 2069

IIRC you need to do the following:

1) enable Test Signing (bcdedit /set testsigning on),
2) insert the certificate used to test sign the driver into Trusted Root Certificate Authorities,
3) reboot.

I am not sure whether you also need to turn the Secure Boot off.

The error's code number I'm getting is 0x5 which is "Access is denied."
Which function call produces this error?

If I am reading your code correctly, you are resolving imports based on libraries loaded into your process, not the target one. Due to ASLR or a collision of base addresses of multiple DLLs, user32.dll may be placed at a different virtual address in the target process.

Re: Export drivers

 by Vrtule ¦  Sat Aug 18, 2018 3:03 pm ¦  Forum: Newbie Questions ¦  Topic: Export drivers ¦  Replies: 14 ¦  Views: 15028

So? .-.
So, what problem are you trying to solve? There is possibly a way other than export drivers.

Re: Export drivers

 by Vrtule ¦  Thu Aug 16, 2018 10:10 pm ¦  Forum: Newbie Questions ¦  Topic: Export drivers ¦  Replies: 14 ¦  Views: 15028

Okay, this is a static linking, but I want a dynamic linking. It is still a dynamic linking but the system does it at driver load time. As far as I know, there is nothing like GetProcAddress in kernel. However, this is not a big issue, since you can find exported functions manually (or find a code ...

Re: Export drivers

 by Vrtule ¦  Thu Aug 16, 2018 3:50 pm ¦  Forum: Newbie Questions ¦  Topic: Export drivers ¦  Replies: 14 ¦  Views: 15028

I expect the system loads your export driver when another driver imports at least one of its (export driver's) symbols. The easiest way to import such a symbol is to use a .lib file created together with the "DLL" binary (well, I expect the linker creates one if the export driver exports at least one...

Re: Export drivers

 by Vrtule ¦  Thu Aug 16, 2018 12:01 pm ¦  Forum: Newbie Questions ¦  Topic: Export drivers ¦  Replies: 14 ¦  Views: 15028

Well, the documentation on MSDN linked in EP's post seems to be quite old. SOURCE and MAKEFILE files were required prior to WDK 8 (before integration into Microsoft Visual Studio). Maybe it would be better to look at the Empty DLL for Drivers project template in MSVS (you need to install WDK8-10 I sup...

Re: Probe kernel memory for read

 by Vrtule ¦  Mon Aug 13, 2018 2:33 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Probe kernel memory for read ¦  Replies: 3 ¦  Views: 11275

MmGetPhysicalAddress does not recognize memory that is currently stored in the page file only. Also, the documentation suggests you should not use this function for memory used for DMA operations.

As far as I know, there is no general way to safely read a block of kernel memory.

Re: Trying to send data

 by Vrtule ¦  Sun Aug 12, 2018 9:40 am ¦  Forum: Newbie Questions ¦  Topic: Trying to send data ¦  Replies: 2 ¦  Views: 2750

Hello, you may find inspiration in keyboard and mouse class drivers (kbdclass.sys, mouclass.sys). You may find their source code in some old WDKs/DDKs (IIRC, DDK 2003 is the right edition). These drivers store keyboard/mouse events received from the hardware drivers in their buffers. When an IRP come...

Re: Hooking the offical way?

 by Vrtule ¦  Sun Aug 12, 2018 9:24 am ¦  Forum: Kernel-Mode Development ¦  Topic: Hooking the offical way? ¦  Replies: 10 ¦  Views: 8758

What about methods from kernel mode? I've read about ssdt hooking but apparently it results in a BSOD. I'm trying to find a way to hook those functions from kernel mode. Well, hooking based on code modification is not possible (in most cases) because 64-bit Windows employs Kernel Patch Protection (...
