Page 4 of 10

Re: ARK for WINDOWS x64 - WIN64AST(Update: 2012-11-10)

Posted: Thu Nov 29, 2012 1:11 pm
by xanax
Attached a few crash dumps made after using Win64AST

0x000000CE -> DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (CE) -> immediately after try to exit
0x00000050 -> PAGE_FAULT_IN_NONPAGED_AREA (50)
0x00000109 -> CRITICAL_STRUCTURE_CORRUPTION (109) -> after hide processes

On Win 8, in the Drivers tab, when I check Hide Signed Items and refresh, nothing is hidden, not even one signed driver; on Win 7 it is OK except for Win64AST.sys
On Win 8, in the Process tab, when I do the same thing maybe a few signed ones are hidden, not all; on Win 7 it is OK
In Process, if I uncheck Hide Deleting items, refresh and then select a hidden item and Scan Module patch, the program will crash (Fault Module Name: Win64AST.DLL)

Re: ARK for WINDOWS x64 - WIN64AST(Update: 2012-11-10)

Posted: Tue Dec 04, 2012 10:08 am
by m5home
xanax wrote:Attached a few crash dumps made after using Win64AST

0x000000CE -> DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (CE) -> immediately after try to exit
0x00000050 -> PAGE_FAULT_IN_NONPAGED_AREA (50)
0x00000109 -> CRITICAL_STRUCTURE_CORRUPTION (109) -> after hide processes

On Win 8, in the Drivers tab, when I check Hide Signed Items and refresh, nothing is hidden, not even one signed driver; on Win 7 it is OK except for Win64AST.sys
On Win 8, in the Process tab, when I do the same thing maybe a few signed ones are hidden, not all; on Win 7 it is OK
In Process, if I uncheck Hide Deleting items, refresh and then select a hidden item and Scan Module patch, the program will crash (Fault Module Name: Win64AST.DLL)
Thank you. I will try to fix this bug in the next version.

New Version Released!

Posted: Mon Dec 10, 2012 12:23 pm
by m5home
WIN64AST 1.00 BETA5 (with DIGITAL SIGNATURE)
What's new:
1.Enum/Restore FSD dispatch functions
2.Enum/Restore kernel objects
3.Enum/Stop IO Timer & DPC Timer
4.Enum/Remove minifilter & filter driver
5.Enum/Delete object callback (callbacks created by ObRegisterCallbacks)
6.Show remote IP geographic address of net connection
7.Detect MBR Rootkit (WORKS IN RING 3, NOT STRONG)
8.Fix some bugs from the last version

Special thanks: fyyre/EP_X0FF/xanax/rinn

Re: ARK for WINDOWS x64 - WIN64AST(Update: 2012-12-10)

Posted: Sun Dec 30, 2012 10:31 am
by adslxyz
so good tool~

New Version Released!

Posted: Tue Jan 01, 2013 1:34 am
by m5home
WIN64AST 1.00 BETA6 (with DIGITAL SIGNATURE)
What's new:
1.Add function "Disable callback function"
2.Enum/Unhook IDT
3.Scan/Unhook Process IAT/EAT HOOK
4.Enum/Restore Dispatch function (ClassPNP.sys/ATAPI.sys/NDIS.sys/TCPIP.sys)
5.View values of special registers
6.Enum GDT
7.10 new commands for "Kernel Explorer"
8.New function "exclude specified PIDs" for "Behavior Monitor"

Re: ARK for Win7x64 - Win64AST

Posted: Tue Jan 01, 2013 1:37 am
by m5home
a_d_13 wrote:
m5home wrote:
EP_X0FF wrote:Shutdown of PG as requirement -> compromising OS security -> seriously minimizes usefulness of this tool.
Could you edit my thread and delete this line:
If you want to use this tool, you need to disable PatchGuard, because I use kernel hooks to implement some functions.
And change the title to:
ARK for WINDOWS x64 - WIN64AST
Done.

Thanks,
--AD
Could you edit my thread and change the title to:

ARK for WINDOWS x64 - WIN64AST(Update: 2013-01-01)[Page4#37]
Thanks.

Functions

Posted: Tue Jan 01, 2013 4:12 pm
by m5home
Manage Process (includes Module/Thread/Handle/Window)
View Kernel Module
View/Disconnect Net Connection
Enum/Restore SSDT and SHADOW SSDT
Scan/Clear User mode and Kernel mode Inline hook
View/Delete Message Hook
View/Restore Driver Dispatch Function
View/Restore Kernel Object Routine Function
View/Delete Callback & Notify
Enum/Delete IO Timer
Enum/Delete DPC Timer
Enum MiniFilter/Disable MiniFilter callback function
Enum/Remove Filter Driver
Enum/Restore IDT
Enum GDT
Show values of special registers (CR0/CR2/CR3/CR4/DR0/DR1/DR2/DR3/DR6/DR7)
Scan/Clear User mode EAT/IAT Hook
View/Backup/Restore MBR
Process Behavior Monitor
Edit(Disasm/Modify) Kernel Memory
Force Unlock/Delete File
Force Delete/Rename/Create RegKey & RegValue
Check digital signature of file


More functions will be added in the future.
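The BETA5 notes above say the MBR rootkit detection works in ring 3 and is "not strong", and the function list includes View/Backup/Restore MBR. The following is an added example, not WIN64AST's own code, of what such a ring-3 check amounts to: read sector 0 through the Win32 device namespace, parse it, and diff the bootstrap code and partition table against a saved backup. The two sample sectors, the disk signature value and the default device path are constructed for the demo. The weakness is visible in read_mbr_ring3(): the read is serviced by the kernel storage stack, so a bootkit that hooks disk dispatch routines there (the ClassPNP/ATAPI dispatch entries the BETA6 notes restore) can hand back the clean sector, and only a kernel-level read or an offline read from another OS gets past it.

```python
"""Ring-3 MBR integrity check: parse sector 0, hash the bootstrap code,
diff against a backup. Added example; the sample sectors are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 0x1B8   # bootstrap code occupies bytes 0x000..0x1B7
DISK_SIG_OFF = 0x1B8    # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE    # 0x55 0xAA
PART_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def read_mbr_ring3(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 the way a ring-3 tool does (needs an elevated process on
    Windows; device path is an assumption). The request goes through the kernel
    storage stack, so a kernel disk filter can return a clean sector here while
    the real one is infected. Not called by the offline demo below."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Split a 512-byte MBR into bootstrap hash, disk signature, partition
    table and boot-signature validity."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    parts = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba_start, count = struct.unpack_from(
            PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
        "boot_sig_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
    }


def compare_mbr(current, backup):
    """Return a list of findings; an empty list means current matches backup."""
    cur, ref = parse_mbr(current), parse_mbr(backup)
    findings = []
    if not cur["boot_sig_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != ref["boot_code_sha256"]:
        findings.append("bootstrap code modified")
    if cur["disk_signature"] != ref["disk_signature"]:
        findings.append("disk signature changed")
    for c, r in zip(cur["partitions"], ref["partitions"]):
        for key in ("bootable", "type", "lba_start", "sectors"):
            if c[key] != r[key]:
                findings.append("partition %d %s changed: %r -> %r"
                                % (c["index"], key, r[key], c[key]))
    return findings


def _build_mbr(boot_code, disk_sig, partitions):
    """Assemble a sector from parts. Constructed test data, not a disk image."""
    sec = bytearray(SECTOR_SIZE)
    sec[:len(boot_code)] = boot_code
    struct.pack_into("<I", sec, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, sec, PART_TABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    sec[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xAA"
    return bytes(sec)


# Constructed "known good" backup: standard-looking bootstrap prologue, one
# bootable NTFS partition starting at LBA 2048.
CLEAN_BOOT_CODE = bytes.fromhex(
    "33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cbfbb90400bdbe07")
CLEAN_MBR = _build_mbr(CLEAN_BOOT_CODE, 0xA1B2C3D4, [(0x80, 0x07, 2048, 204800)])
# Constructed "infected" sector: the first bootstrap bytes are replaced by a far
# jump and the partition table is left intact, the usual bootkit pattern.
INFECTED_MBR = _build_mbr(b"\xEA\x00\x7C\x00\x00" + CLEAN_BOOT_CODE[5:],
                          0xA1B2C3D4, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        print(name, compare_mbr(sec, CLEAN_MBR) or ["no differences"])
```

On a live system the backup is whatever was saved before the incident; to check the running disk, replace the constructed sector with read_mbr_ring3() from an elevated prompt, and treat a clean result as "nothing visible from ring 3", not as proof the disk is clean.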

Re: ARK for WINDOWS x64 - WIN64AST(Update: 2013-01-01)[Page4

Posted: Wed Jan 02, 2013 5:06 am
by KeWss
I'm going to test it.

New Version Released!

Posted: Mon Jan 21, 2013 5:33 pm
by m5home
WIN64AST 1.00 (with DIGITAL SIGNATURE)

What is new:
1.Add tab "File Manager"
2.Add tab "Registry Editor"

Functions:
Manage Process (includes Module/Thread/Handle/Window)
View Kernel Module
View/Disconnect Net Connection
Enum/Restore SSDT and SHADOW SSDT
Scan/Clear User mode and Kernel mode Inline hook
View/Delete Message Hook
View/Restore Driver Dispatch Function
View/Restore Kernel Object Routine Function
View/Delete Callback & Notify
Enum/Delete IO Timer
Enum/Delete DPC Timer
Enum MiniFilter/Disable MiniFilter callback function
Enum/Remove Filter Driver
Enum/Restore IDT
Enum GDT
Show values of special registers (CR0/CR2/CR3/CR4/DR0/DR1/DR2/DR3/DR6/DR7)
Scan/Clear User mode EAT/IAT Hook
View/Backup/Restore MBR
Process Behavior Monitor
Edit(Disasm/Modify) Kernel Memory
Low-level File operation
Low-level Registry operation
Check digital signature of file

Re: ARK for WINDOWS x64 - WIN64AST(Update: 2013-01-22)[Page5

Posted: Tue Jan 22, 2013 10:34 pm
by xanax
Many thanks for the File Manager and Registry Editor with low-level operations.