A forum for reverse engineering, OS internals and malware analysis 

Search found 454 matches


Re: Is possible remove a file protected by a file system filter driver?

 by Vrtule ¦  Mon Mar 19, 2018 9:11 am ¦  Forum: Kernel-Mode Development ¦  Topic: Is possible remove a file protected by a file system filter driver? ¦  Replies: 13 ¦  Views: 17578

You can send IRPs directly to the file system driver, thus bypassing any file system filter drivers (either legacy ones, or minifilters).

Re: How to Converting PWSTR to UNICODE_STRING in a Kernel Driver

 by Vrtule ¦  Sun Mar 18, 2018 7:26 pm ¦  Forum: Kernel-Mode Development ¦  Topic: How to Converting PWSTR to UNICODE_STRING in a Kernel Driver ¦  Replies: 2 ¦  Views: 3847

Yes, you seem to send an ANSI-character string to the driver, not the wide-character one. UNICODE_STRING is just a structure that contains:
* a pointer to the wide-character string (i.e. PWSTR),
* string length, in bytes,
* maximum possible string length that fits into the buffer (the PWSTR), require...

Re: ObRegisterCallbacks return 0xC0000022 error

 by Vrtule ¦  Thu Feb 22, 2018 2:46 pm ¦  Forum: Kernel-Mode Development ¦  Topic: ObRegisterCallbacks return 0xC0000022 error ¦  Replies: 2 ¦  Views: 4087

Did you sign your driver? Some interfaces (including this API) do not like unsigned drivers using them. And the Disable Driver Signature Enforcement option does not help in this case. Test signing should, however, work fine. An alternative is to set a magic flag your DriverObject's DriverSection ty...

Re: Developing a Sandbox for Windows

 by Vrtule ¦  Fri Jan 12, 2018 3:36 pm ¦  Forum: General Discussion ¦  Topic: Developing a Sandbox for Windows ¦  Replies: 9 ¦  Views: 12906

"Can you elaborate a little on what you mean by 'interfaces'?" In this context, interface is a set of APIs used for certain purpose (e.g. filtering registry calls). "Also you mentioned hooking userland libraries; how can this be done best?" Well, probably inline hooks will do. "More importantly, if the appli...

Re: Developing a Sandbox for Windows

 by Vrtule ¦  Tue Jan 09, 2018 12:00 pm ¦  Forum: General Discussion ¦  Topic: Developing a Sandbox for Windows ¦  Replies: 9 ¦  Views: 12906

"Second question: what do you know of cloud based sandboxing?" Nothing actually. "Since you had an opportunity to work with a sandbox, can you tell me, if a sandbox is done right, what are the chances of exploits passing through the sandbox and being able to make unauthorized changes to the system?" You should ...

Re: Developing a Sandbox for Windows

 by Vrtule ¦  Mon Jan 08, 2018 12:27 pm ¦  Forum: General Discussion ¦  Topic: Developing a Sandbox for Windows ¦  Replies: 9 ¦  Views: 12906

When I was playing with HIPS/sandboxing, I had a driver implementing the main logic and separate drivers covering individual areas (file system, registry, network, process/thread access...). These drivers were connected to the main one as plugins. The whole thing worked quite nicely. I have the sour...

Re: Developing a Sandbox for Windows

 by Vrtule ¦  Sun Jan 07, 2018 11:56 am ¦  Forum: General Discussion ¦  Topic: Developing a Sandbox for Windows ¦  Replies: 9 ¦  Views: 12906

"Hello, how to intercept a thread from creating a thread or process?" The PsSetCreateProcessNotifyRoutineEx should work for blocking process creation (AFAIR you get also the information about the thread creating the new process since the callback is run in its context). As far as I know there is nothi...

Re: Modify Incoming TCP Packet Sent to the Browser

 by Vrtule ¦  Tue Dec 12, 2017 12:36 pm ¦  Forum: General Discussion ¦  Topic: Modify Incoming TCP Packet Sent to the Browser ¦  Replies: 7 ¦  Views: 10151

Yes (version < 6), but it is placed too low to see what application is sending/receiving the data. Also (but I am not sure of that), it may be too low to see through IPSec.

Re: Modify Incoming TCP Packet Sent to the Browser

 by Vrtule ¦  Sun Dec 10, 2017 10:19 pm ¦  Forum: General Discussion ¦  Topic: Modify Incoming TCP Packet Sent to the Browser ¦  Replies: 7 ¦  Views: 10151

For XP, you probably need to develop a TDI filter driver (attach over devices of the Tdx driver and filter/modify their communication). It also kind of works on newer versions of Windows (Vista+) but it is deprecated there so it is best not to rely on it.

Re: Modify Incoming TCP Packet Sent to the Browser

 by Vrtule ¦  Sun Dec 10, 2017 11:51 am ¦  Forum: General Discussion ¦  Topic: Modify Incoming TCP Packet Sent to the Browser ¦  Replies: 7 ¦  Views: 10151

It should be possible to achieve this via Windows Filtering Platform. When the communication begins, you receive a callout at connect/recv_accept layers that also tells you the application information (whether it is a browser or not). Then, you can use the tuple of (source_ip, source_port, dest_ip, dest...
