A forum for reverse engineering, OS internals and malware analysis 


Re: c - How implement a realloc function in kernel mode?

 by Vrtule ¦  Wed Apr 18, 2018 8:35 pm ¦  Forum: Newbie Questions ¦  Topic: c - How implement a realloc function in kernel mode? ¦  Replies: 7 ¦  Views: 8441

The linked lists are a built-in feature in the Windows kernel (see the LIST_ENTRY structure and routines such as InitializeListHead, InsertTailList etc.), so you can just use them; there is no need to reinvent the wheel. When you are talking about realloc, you should at first ask yourself why do you...

Re: c - How implement a realloc function in kernel mode?

 by Vrtule ¦  Mon Apr 16, 2018 7:49 pm ¦  Forum: Newbie Questions ¦  Topic: c - How implement a realloc function in kernel mode? ¦  Replies: 7 ¦  Views: 8441

If you know the size of the buffer being "reallocated", you can use something like this: void *CustomRealloc(POOL_TYPE PoolType, const void *Buffer, size_t Size, size_t NewSize) { void *ret = NULL; ret = ExAllocatePoolWithTag(PoolType, NewSize, Tag); if (ret != NULL) { memcpy(ret, Buffer, Size); Ex...

Re: ArrayList: trouble with a custom IndexOf() routine

 by Vrtule ¦  Sat Apr 14, 2018 9:28 am ¦  Forum: Newbie Questions ¦  Topic: ArrayList: trouble with a custom IndexOf() routine ¦  Replies: 6 ¦  Views: 6245

Well, I went through the code a little bit and see some problems (but there will probably be more of them): 1) when initializing the array, you always allocate space only for one element, although the size (capacity) of the array is set to 100, 2) in the array, you are storing pointers to UNICODE_S...

It definitely does not allow you to hide a connection from software like netstat. It may be used to hide information in data sent from the machine. IIRC the tcpip.sys driver (\Driver\TcpIp) handles requests for connection listing. At least, Greg Hoglund has a sample code intercepting these requests...

Re: ZwQueryInformationFile: 0xC0000024 STATUS_OBJECT_TYPE_MISMATCH

 by Vrtule ¦  Wed Apr 04, 2018 10:11 pm ¦  Forum: Newbie Questions ¦  Topic: ZwQueryInformationFile: 0xC0000024 STATUS_OBJECT_TYPE_MISMATCH ¦  Replies: 9 ¦  Views: 8325

ZwXxxFile routines work only with file objects (files, directories, pipes, mailslots, ...), ZwXxxProcess only with process objects, ZwXxxThread only with threads etc. By the way, these routines (their NtXxx variants, since each ZwXxx routine is just a thin wrapper around its NtXxx counterpart) use O...

Re: ZwQueryInformationFile: 0xC0000024 STATUS_OBJECT_TYPE_MISMATCH

 by Vrtule ¦  Wed Apr 04, 2018 1:44 pm ¦  Forum: Newbie Questions ¦  Topic: ZwQueryInformationFile: 0xC0000024 STATUS_OBJECT_TYPE_MISMATCH ¦  Replies: 9 ¦  Views: 8325

If you are using NtQueryInformationFile in a driver dispatch routine invoked because an application sent you an IOCTL request (i.e. ExGetPreviousMode returns UserMode), you must specify all buffers in usermode memory. If ExGetPreviousMode == UserMode, NtXxx routines accept only arguments passed from...

Re: ZwQueryInformationFile: 0xC0000024 STATUS_OBJECT_TYPE_MISMATCH

 by Vrtule ¦  Wed Apr 04, 2018 12:18 pm ¦  Forum: Newbie Questions ¦  Topic: ZwQueryInformationFile: 0xC0000024 STATUS_OBJECT_TYPE_MISMATCH ¦  Replies: 9 ¦  Views: 8325

Hello, is the handle you are calling ZwQueryInformationFile for a kernel handle or a user handle? In the latter case, the routine probably will not accept it since it thinks (as all ZwXxx routines do) that you are calling it on behalf of the kernel. And kernel drivers should not trust (and use) user h...

Re: NtOpenFile with error STATUS_ACCESS_VIOLATION

 by Vrtule ¦  Mon Apr 02, 2018 4:57 pm ¦  Forum: Newbie Questions ¦  Topic: NtOpenFile with error STATUS_ACCESS_VIOLATION ¦  Replies: 7 ¦  Views: 6204

Hello, I am not sure if this is the case, but if you are calling NtOpenFile in your driver as a reaction to an IOCTL from your application, you need to pass usermode buffers to it; otherwise, the checks made by the routine fail. Or use ZwOpenFile instead, as EP is suggesting. If it does not work for you...

Re: Is possible remove a file protected by a file system filter driver?

 by Vrtule ¦  Fri Mar 23, 2018 1:35 pm ¦  Forum: Kernel-Mode Development ¦  Topic: Is possible remove a file protected by a file system filter driver? ¦  Replies: 13 ¦  Views: 17578

How could this request (in code) be sent directly to that device of ntfs.sys? You say to send it from usermode (DeviceIoControl) to kernel mode, right? And since we are already talking about sending to third-party devices, I cannot "write a DeleteFile() function in these devices" :D, so how can the file be rem...

Re: Is possible remove a file protected by a file system filter driver?

 by Vrtule ¦  Thu Mar 22, 2018 7:32 am ¦  Forum: Kernel-Mode Development ¦  Topic: Is possible remove a file protected by a file system filter driver? ¦  Replies: 13 ¦  Views: 17578

Well, my suggestion is to communicate with the file system driver directly. For example, let's have an NTFS volume; then the device stack for its mounted file system would be
 * <some devices or possibly nothing> - legacy file system filter drivers
 * <unnamed device> (\FileSystem\FltMgr) - this device...
