A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #20781  by EP_X0FF
 Thu Sep 12, 2013 5:07 am
Hello,

please use next time "Report" button, located right above post so we can response faster and rename your thread. Also all old request posts has been removed as they are off topic. Thread renamed.

Thanks.
 #20838  by m5home
 Sun Sep 15, 2013 2:18 am
EP_X0FF wrote:Hello,

please use next time "Report" button, located right above post so we can response faster and rename your thread. Also all old request posts has been removed as they are off topic. Thread renamed.

Thanks.
OK. Thanks.
 #20841  by m5home
 Mon Sep 16, 2013 1:21 am
WIN64AST 1.03A(with DIGITAL SIGNATURE)

Download URL: http://pan.baidu.com/share/link?shareid ... 1915097229
(If you do not have ID on this forum, you can download WIN64AST via this URL)

Functions:
1.Manage Process(include Module/Thread/Memory/Handle/Window)
2.View Kernel Module
3.View/Disconnect Net Connection
4.Enum/Restore SSDT and SHADOW SSDT
5.Scan/Clear User mode and Kernel mode Inline hook
6.View/Delete Message Hook
7.View/Restore Driver Dispatch Function
8.View/Restore Kernel Object Routine Function
9.View/Delete Callback & Notify
10.Enum/Delete IO Timer
11.Enum/Delete DPC Timer
12.Enum MiniFilter/Disable MiniFilter callback function
13.Enum/Remove Filter Driver
14.View/Backup/Restore/Repair MBR
15.Process Behavior Monitor
16.Edit(Disasm/Modify) Kernel Memory
17.Low-level File operation
18.Low-level Registry operation
19.Forbid create Process/File/RegKey/RegValue and forbid load driver
20.Check digital signature of file
21.Enum/Restore IDT
22.Enum GDT
23.Show value of special register(CR0/CR2/CR3/CR4/DR0/DR1/DR2/DR3/DR6/DR7)
24.Scan/Clear User mode EAT/IAT Hook

What is new:
1.Fix some bugs.
2.Window can be resize now.
You do not have the required permissions to view the files attached to this post.
 #20842  by xanax
 Mon Sep 16, 2013 4:28 am
Thanks for fixing Registry tab
Thanks for resizeble window
and thanks for Disable Driver Signature Enforcement feature, already in use for loading driver of daily based used program with broken DS
 #20843  by m5home
 Mon Sep 16, 2013 5:21 am
xanax wrote:Thanks for fixing Registry tab
Thanks for resizeble window
and thanks for Disable Driver Signature Enforcement feature, already in use for loading driver of daily based used program with broken DS
Hey, man, "Disable Driver Signature Enforcement without reboot" will trigger PG and lead to BSOD.
So, you can disable DSE when you want to load unsigned driver, and enable DSE after your driver loaded.
 #20845  by xanax
 Mon Sep 16, 2013 12:08 pm
yes and no, i'm to tired these days, probably i understand wrong some things
on physical machine with win 7 sp1 i successfully load driver 4-5 times, now i can't anymore
run virtual machine with same system, load same driver once at first try, but also a last time, no work anymore
install completly new win 7 in virtual enviroment, now can't load at all
maybe i was in debug-mode
 #21254  by m5home
 Sun Oct 27, 2013 2:15 pm
xanax wrote:yes and no, i'm to tired these days, probably i understand wrong some things
on physical machine with win 7 sp1 i successfully load driver 4-5 times, now i can't anymore
run virtual machine with same system, load same driver once at first try, but also a last time, no work anymore
install completly new win 7 in virtual enviroment, now can't load at all
maybe i was in debug-mode
Try this tool: http://www.kernelmode.info/forum/viewto ... =11&t=3013
 #21256  by xanax
 Sun Oct 27, 2013 9:47 pm
i was already in mind something like that, thanks for tool but i can't use it for particular driver which i need, because it's need to be started by service of program which use that driver.
it will be great if there can be put command line option just for Disable DSE and Enable DSE so we can made batch which will for example disable dse, start service which will load driver and then enable dse back again.
starting Win64AST everytime is little overkill, i mean too slowly, or sometimes start program and then i noticied that driver isn't loaded bacause i forget to start Win64AST and disable/enable dse and load driver through service.
sry for bad english.
 #21339  by xanax
 Wed Nov 06, 2013 5:19 am
i use FSPro Labs Hide Folders 2012 program to hide files and folders
Win64AST will see hidden files and folders but when i try to open hidden folder i get BSOD
also when i try copy hidden files to another location it say Operation finished! but nothing is copied
 #21444  by m5home
 Sun Nov 24, 2013 5:55 pm
xanax wrote:i use FSPro Labs Hide Folders 2012 program to hide files and folders
Win64AST will see hidden files and folders but when i try to open hidden folder i get BSOD
also when i try copy hidden files to another location it say Operation finished! but nothing is copied
FSPro Labs Hide Folders 2012 use minifilter to hide folder/file.

So you can:
1.Disable its minifilter precall and postcall.(Kernel -> MiniFilter -> (Mouse Right Click) -> Disable Operation -> PreCall and PostCall)[Maybe BSOD, Not a good way]
2.Remove any drivers attach to "\FileSystem\NTFS" and "\FileSystem\FAT32".(Kernel -> Filter Driver -> (Mouse Right Click) -> Remove Filter)[The best way]

Other things:
1."Disable DSE" will enhance in next version.
2.I known, starting Win64AST is very slow, but I cannot solve this, because it depend on .NET4! .NET initialization use a lot of time, I cannot control this.
  • 1
  • 4
  • 5
  • 6
  • 7
  • 8
  • 10