A forum for reverse engineering, OS internals and malware analysis 
 #16895  by xanax
 Thu Nov 29, 2012 1:11 pm
Attached a few crash dumps made after using Win64AST:

0x000000CE -> DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (CE) -> immediately after trying to exit
0x00000050 -> PAGE_FAULT_IN_NONPAGED_AREA (50)
0x00000109 -> CRITICAL_STRUCTURE_CORRUPTION (109) -> after hiding processes

On Win 8, in the Drivers tab, when I check Hide Signed Items and refresh, nothing is hidden, not even one signed driver; on Win 7 it is OK except for Win64AST.sys.
On Win 8, in the Process tab, when I do the same thing, maybe a few signed items are hidden, not all; on Win 7 it is OK.
In Process, if I uncheck Hide Deleting Items, refresh, then select a hidden item and Scan Module Patch, the program will crash (Fault Module Name: Win64AST.DLL).
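The three bugcheck codes above are the first thing to pull out of a dump before opening it in a debugger, and for bulk triage of several attached dumps it is handy to do that without WinDbg. The following is an added example, not code from the thread or from Win64AST: a small header parser for Windows kernel/complete dump files (signature "PAGEDU64" for x64, "PAGEDUMP" for x86) that extracts the bugcheck code and its four parameters and maps the codes reported in this post to their names. The field offsets (BugCheckCode at 0x38 and parameters at 0x40..0x58 in the 64-bit header; 0x28 and 0x2C..0x38 in the 32-bit header) are taken from the public DUMP_HEADER layout as I recall it and should be treated as an assumption; the sample header is constructed in the code, so it runs offline. Minidump-format files ("MDMP") are not handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed offsets of the bugcheck fields in the two kernel dump headers:
 *   DUMP_HEADER64 ("PAGEDU64"): BugCheckCode @0x38, BugCheckParameter1..4 (u64) @0x40,0x48,0x50,0x58
 *   DUMP_HEADER32 ("PAGEDUMP"): BugCheckCode @0x28, BugCheckParameter1..4 (u32) @0x2C,0x30,0x34,0x38 */
#define HDR64_MIN_LEN 0x60
#define HDR32_MIN_LEN 0x40

typedef struct {
    int      is_64bit;
    uint32_t bugcheck_code;
    uint64_t params[4];
} bugcheck_info_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) {
    return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32);
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Parse the dump header at buf. Returns 1 on success, 0 if the buffer is too
 * short or does not carry a recognised kernel dump signature. */
int parse_dump_header(const uint8_t *buf, size_t len, bugcheck_info_t *out)
{
    if (len >= HDR64_MIN_LEN && memcmp(buf, "PAGEDU64", 8) == 0) {
        out->is_64bit = 1;
        out->bugcheck_code = rd32(buf + 0x38);
        for (int i = 0; i < 4; i++) out->params[i] = rd64(buf + 0x40 + 8 * i);
        return 1;
    }
    if (len >= HDR32_MIN_LEN && memcmp(buf, "PAGEDUMP", 8) == 0) {
        out->is_64bit = 0;
        out->bugcheck_code = rd32(buf + 0x28);
        for (int i = 0; i < 4; i++) out->params[i] = rd32(buf + 0x2C + 4 * i);
        return 1;
    }
    return 0;
}

/* Names for the codes reported in this thread; anything else is UNKNOWN. */
const char *bugcheck_name(uint32_t code)
{
    switch (code) {
    case 0x50:  return "PAGE_FAULT_IN_NONPAGED_AREA";
    case 0xCE:  return "DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS";
    case 0x109: return "CRITICAL_STRUCTURE_CORRUPTION";
    default:    return "UNKNOWN";
    }
}

/* Build a constructed (not captured) 64-bit dump header with the given
 * bugcheck code and parameters. Returns bytes written, 0 if buf is too small. */
size_t build_sample_header64(uint8_t *buf, size_t len, uint32_t code, const uint64_t params[4])
{
    if (len < HDR64_MIN_LEN) return 0;
    memset(buf, 0, HDR64_MIN_LEN);
    memcpy(buf, "PAGEDU64", 8);
    wr32(buf + 0x38, code);
    for (int i = 0; i < 4; i++) wr64(buf + 0x40 + 8 * i, params[i]);
    return HDR64_MIN_LEN;
}

int main(void)
{
    /* Constructed example: a 0xCE dump whose first parameter is the faulting
     * address inside the already-unloaded driver image. */
    uint8_t hdr[HDR64_MIN_LEN];
    uint64_t p[4] = { 0xFFFFF8800A1B2C3DULL, 0, 0, 0 };
    bugcheck_info_t bi;

    build_sample_header64(hdr, sizeof hdr, 0xCE, p);
    if (parse_dump_header(hdr, sizeof hdr, &bi)) {
        printf("%s: bugcheck 0x%08X %s\n", bi.is_64bit ? "x64" : "x86",
               bi.bugcheck_code, bugcheck_name(bi.bugcheck_code));
        for (int i = 0; i < 4; i++)
            printf("  arg%d = 0x%016llX\n", i + 1, (unsigned long long)bi.params[i]);
    }
    return 0;
}
```

For a real file, read the first 0x60 bytes of the .dmp into the buffer and pass it to parse_dump_header; for 0xCE the first parameter is the address inside the unloaded driver that was still referenced (a timer, DPC, or worker item left behind), which is exactly the kind of "driver unloaded on exit" defect this bug report points at.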
 #17012  by m5home
 Tue Dec 04, 2012 10:08 am
xanax wrote:Attached a few crash dumps made after using Win64AST:

0x000000CE -> DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (CE) -> immediately after trying to exit
0x00000050 -> PAGE_FAULT_IN_NONPAGED_AREA (50)
0x00000109 -> CRITICAL_STRUCTURE_CORRUPTION (109) -> after hiding processes

On Win 8, in the Drivers tab, when I check Hide Signed Items and refresh, nothing is hidden, not even one signed driver; on Win 7 it is OK except for Win64AST.sys.
On Win 8, in the Process tab, when I do the same thing, maybe a few signed items are hidden, not all; on Win 7 it is OK.
In Process, if I uncheck Hide Deleting Items, refresh, then select a hidden item and Scan Module Patch, the program will crash (Fault Module Name: Win64AST.DLL).
Thank you. I will try to fix these bugs in the next version.
 #17107  by m5home
 Mon Dec 10, 2012 12:23 pm
WIN64AST 1.00 BETA5 (with DIGITAL SIGNATURE)
What's new:
1. Enum/Restore FSD dispatch functions
2. Enum/Restore kernel objects
3. Enum/Stop IO Timer & DPC Timer
4. Enum/Remove minifilter & filter driver
5. Enum/Delete object callbacks (callbacks created by ObRegisterCallbacks)
6. Show geographic location of the remote IP of net connections
7. Detect MBR rootkit (works in ring 3, not strong)
8. Fix some bugs from the last version

Special thanks: fyyre/EP_X0FF/xanax/rinn
 #17456  by m5home
 Tue Jan 01, 2013 1:34 am
WIN64AST 1.00 BETA6 (with DIGITAL SIGNATURE)
What's new:
1. Add function "Disable callback function"
2. Enum/Unhook IDT
3. Scan/Unhook process IAT/EAT hooks
4. Enum/Restore dispatch functions (ClassPNP.sys/ATAPI.sys/NDIS.sys/TCPIP.sys)
5. View values of special registers
6. Enum GDT
7. 10 new commands for "Kernel Explorer"
8. New function "exclude specified PIDs" for "Behavior Monitor"
 #17457  by m5home
 Tue Jan 01, 2013 1:37 am
a_d_13 wrote:
m5home wrote:
EP_X0FF wrote:Shutdown of PG as a requirement -> compromising OS security -> seriously minimizes the usefulness of this tool.
Could you edit my thread and delete this line:
If you want to use this tool, you need to disable PatchGuard, because I use kernel hooks to implement some functions.
And change the title:
ARK for WINDOWS x64 - WIN64AST
Done.

Thanks,
--AD
Could you edit my thread and change the title to:
ARK for WINDOWS x64 - WIN64AST(Update: 2013-01-01)[Page4#37]
Thanks.
 #17463  by m5home
 Tue Jan 01, 2013 4:12 pm
Manage Process (includes Module/Thread/Handle/Window)
View Kernel Module
View/Disconnect Net Connection
Enum/Restore SSDT and SHADOW SSDT
Scan/Clear User mode and Kernel mode Inline hook
View/Delete Message Hook
View/Restore Driver Dispatch Function
View/Restore Kernel Object Routine Function
View/Delete Callback & Notify
Enum/Delete IO Timer
Enum/Delete DPC Timer
Enum MiniFilter/Disable MiniFilter callback function
Enum/Remove Filter Driver
Enum/Restore IDT
Enum GDT
Show value of special registers (CR0/CR2/CR3/CR4/DR0/DR1/DR2/DR3/DR6/DR7)
Scan/Clear User mode EAT/IAT Hook
View/Backup/Restore MBR
Process Behavior Monitor
Edit (Disasm/Modify) Kernel Memory
Force Unlock/Delete File
Force Delete/Rename/Create RegKey & RegValue
Check digital signature of file
More functions will be added in the future.
 #17795  by m5home
 Mon Jan 21, 2013 5:33 pm
WIN64AST 1.00 (with DIGITAL SIGNATURE)

What's new:
1. Add tab "File Manager"
2. Add tab "Registry Editor"

Functions:
Manage Process (includes Module/Thread/Handle/Window)
View Kernel Module
View/Disconnect Net Connection
Enum/Restore SSDT and SHADOW SSDT
Scan/Clear User mode and Kernel mode Inline hook
View/Delete Message Hook
View/Restore Driver Dispatch Function
View/Restore Kernel Object Routine Function
View/Delete Callback & Notify
Enum/Delete IO Timer
Enum/Delete DPC Timer
Enum MiniFilter/Disable MiniFilter callback function
Enum/Remove Filter Driver
Enum/Restore IDT
Enum GDT
Show value of special registers (CR0/CR2/CR3/CR4/DR0/DR1/DR2/DR3/DR6/DR7)
Scan/Clear User mode EAT/IAT Hook
View/Backup/Restore MBR
Process Behavior Monitor
Edit (Disasm/Modify) Kernel Memory
Low-level File operation
Low-level Registry operation
Check digital signature of file