A forum for reverse engineering, OS internals and malware analysis 

Search found 454 matches


Re: List all processes help

 by Vrtule ¦  Thu Aug 09, 2018 4:58 pm ¦  Forum: Newbie Questions ¦  Topic: List all processes help ¦  Replies: 2 ¦  Views: 2791

Hello, 1) never assign a pointer into an ULONG variable since ULONGs are (on x64) 32-bit, pointers 64-bit, so you lose half of the address. Use ULONG_PTR (or SIZE_T) instead, 2) read about how pointer arithmetic works. For a pointer A pointing to type B and offset x a + x = (ULONG_PTR)a + x*sizeof(...

Re: Detecting Test Mode

 by Vrtule ¦  Wed Jul 11, 2018 11:04 am ¦  Forum: Kernel-Mode Development ¦  Topic: Detecting Test Mode ¦  Replies: 7 ¦  Views: 7893

even though 32 bit doesn't have DSE It is still good to have your 32-bit driver binary signed in order to avoid troubles with routines such as ObRegisterCallbacks or PsSetCreateProcessNotifyRoutineEx. They can be called even from an unsigned driver but it is quite a dirty hack. If there are ways of...

Re: Process Doppelganging

 by Vrtule ¦  Wed Jul 04, 2018 1:27 pm ¦  Forum: User-Mode Development ¦  Topic: Process Doppelganging ¦  Replies: 7 ¦  Views: 18172

nothing to fix here Well, it seems Microsoft sort of fixed the issue (or attempted to do so at least). The Windows Defender filter driver (wdfilter.sys) blocks creation of processes with file objects being in transaction. I experienced this behavior on Windows 10 (older versions of Windows seem "un...

Re: Process Doppelganging

 by Vrtule ¦  Mon Jul 02, 2018 7:47 pm ¦  Forum: User-Mode Development ¦  Topic: Process Doppelganging ¦  Replies: 7 ¦  Views: 18172

nothing to fix here Well, it seems Microsoft sort of fixed the issue (or attempted to do so at least). The Windows Defender filter driver (wdfilter.sys) blocks creation of processes with file objects being in transaction. I experienced this behavior on Windows 10 (older versions of Windows seem "un...

Re: Question about FileSystem DeviceDriver

 by Vrtule ¦  Thu Jun 14, 2018 12:47 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Question about FileSystem DeviceDriver ¦  Replies: 1 ¦  Views: 2950

Hello, The problem is that the driver should work in all versions of Windows! Is there anything possible? This is possible. A filesystem minifilter driver seems to be the right choice. They are supported starting Windows 2000 SP4 (maybe some additional updates are required). Does the operating system...

Re: It is normal when i have unsigned driver loaded in my Kernel?

 by Vrtule ¦  Sun May 27, 2018 8:44 am ¦  Forum: Newbie Questions ¦  Topic: It is normal when i have unsigned driver loaded in my Kernel? ¦  Replies: 9 ¦  Views: 10359

If the driver package contains also the catalog (.cat) file, you do not need to sign the driver binary. Signing the catalog file does the trick. The catalog file contains hashes of files contained in the package, including the driver binary, so the driver integrity can be checked by 1) validating si...

Re: PspTerminateAllThreads

 by Vrtule ¦  Fri May 25, 2018 7:51 pm ¦  Forum: Newbie Questions ¦  Topic: PspTerminateAllThreads ¦  Replies: 1 ¦  Views: 2558

stable or BSOD generator The latter one. Unless it is present in the kernel for a very long time and its interface is stable. If this holds you may think of using this routine in the real world since it is not probable that it changes much in the future. However, it is always a risk, you need to de...

Re: Obtaining certificate and signing the driver for production

 by Vrtule ¦  Fri May 18, 2018 7:09 am ¦  Forum: Kernel-Mode Development ¦  Topic: Obtaining certificate and signing the driver for production ¦  Replies: 1 ¦  Views: 2935

Hello, to load your driver on Windows Vista-8.1 (x64) and Windows 10* with Secure Boot DISABLED, you may use a standard code signing certificate. They are not so expensive and can be obtained also by individuals (i.e. you do not need to have a company to acquire the cert). To sign a driver for this ...

Re: need help Explain this code

 by Vrtule ¦  Wed May 02, 2018 4:10 pm ¦  Forum: Kernel-Mode Development ¦  Topic: need help Explain this code ¦  Replies: 6 ¦  Views: 7618

As far as I understand the code, the driver just copies itself to some other memory locations, plays a little with FsRec.sys (since the kernel, including Patchguard, does not like registered callbacks not belonging to any driver) and returns STATUS_UNSUCCESSFUL, so the system unmaps its executable f...

Re: List process and count packets.

 by Vrtule ¦  Tue May 01, 2018 1:32 pm ¦  Forum: Kernel-Mode Development ¦  Topic: List process and count packets. ¦  Replies: 1 ¦  Views: 2893

Ad 1)
Tool Help library for example (CreateToolhelp32Snapshot, Process32First, Process32Next).

Ad 2)
PDH can be used to collect such information, although I doubt there is a per-process packet count counter. Alternatively, WMI may be the right choice (but I have never worked with it seriously).
