A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #24792  by m5home
 Fri Jan 02, 2015 4:55 am
WIN64AST 1.10 BETA2

Download URL: http://pan.baidu.com/s/1o6MDJmE
(If you do not have ID on this forum, you can download WIN64AST via this URL)

What is new:
1. Enhanced scan for user-mode hooks
2. Enhanced scan for kernel-mode inline hooks
3. Scan for kernel-mode EAT/IAT hooks
4. Scan for DLLs without a digital signature in all processes
5. Enhanced low-level disk access
6. Show more IRP dispatch function information
7. Show more object type information
8. Enhanced DLL/SYS loader (it can load drivers without a digital signature, call DLL exported functions / driver IO control codes)
9. Disable PATCHGUARD after reboot
10. Enhanced firewall (more filter conditions)
11. Enhanced behavior monitor
12. Other small improvements
*Some funny functions: Hide PROCESS/DRIVER/FILE/REGISTRY, change PROCESS/DLL/DRIVER path.
**Funny functions are only for VIP users.
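As an added illustration of what item 4 in the list above (scanning loaded DLLs for missing or invalid signatures) means in practice, here is a PowerShell check written for this page; it is not WIN64AST's code and does not reproduce the tool's kernel-side scan. It walks the loader's module list of every accessible process and reports modules whose Authenticode signature is not Valid; the process and module names it prints are whatever is running on the host, nothing is assumed about them.

```powershell
# Added example, not part of WIN64AST: report loaded modules without a valid
# Authenticode signature, the user-mode equivalent of item 4 in the changelog.
function Get-UnsignedLoadedModule {
    $hits = foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
        # Protected or cross-bitness processes throw on .Modules; skip them.
        try { $mods = $proc.Modules } catch { continue }
        foreach ($m in $mods) {
            if (-not $m.FileName) { continue }
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName -ErrorAction SilentlyContinue
            if ($null -eq $sig -or $sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Process = $proc.ProcessName
                    PID     = $proc.Id
                    Module  = $m.FileName
                    Status  = if ($sig) { [string]$sig.Status } else { 'Unknown' }
                }
            }
        }
    }
    # One line per unique module path; the same DLL is usually loaded in many processes.
    $hits | Sort-Object Module -Unique
}

Get-UnsignedLoadedModule | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell so that 64-bit processes can be enumerated. Two limits are worth keeping in mind when comparing this with a kernel-mode tool: Get-AuthenticodeSignature consults the Windows catalog store, so catalog-signed system DLLs report Valid, but an unsigned image that was only mapped into memory, or one unlinked from the loader's module list, never appears here because the script relies on the process's own module list rather than on the VAD tree the tool inspects.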
 #24857  by Unc3nZureD
 Tue Jan 06, 2015 11:46 pm
I already tried it on Win10, but sadly it isn't supporting it. For some reason these tools are reporting "Failed to load driver" on Win10. I already tried several rootkit detect0rs, but I couldn't find a decent one working on Win10 :(

Probably they changed something.

Anyways, I wrote an email to the author, and (s?)he replied that support will probably be added at RTM, but not before. I hope it'll be done soon :) I'd like to try Win10, but because of the current project I'm working on I have to use at least one such tool which is able to detect Hooks.
 #25538  by m5home
 Mon Mar 30, 2015 4:07 pm
WIN64AST 1.10 BETA3

Download URL: http://pan.baidu.com/s/1pJ3H6Q3
(If you do not have ID on this forum, you can download WIN64AST via this URL)

What is new:
1. Enum/Delete file association
2. Enum/Restore kernel callback table
 #26234  by m5home
 Sat Jul 04, 2015 4:07 pm
WIN64AST 1.10 BETA4

Download URL: http://pan.baidu.com/s/1sj81TOL
(If you do not have ID on this forum, you can download WIN64AST via this URL)

What is new:
1. BUGFIX: Cannot get the thread start address on WIN7
2. BUGFIX: Cannot turn on LKD on WIN7
3. BUGFIX: Cannot enumerate all SHUTDOWN callbacks
4. BUGFIX: Cannot search data in process memory
5. ADD: Inject DLL and SHELLCODE to 32-bit process
6. ADD: Scan MSR[0xC0000082] and MSR[0xC0000083]
7. ADD: Certificate blocker
8. ADD: PE file viewer
9. ADD: New commands (RDMSR and WRMSR) for "KERNEL EXPLORER"
10. ADD: Display IRP original address of important drivers
11. ADD: NTFS parse
12. ADD: HIVE parse (WIN7 ONLY)
13. [VIP] ADD: File protection
14. [VIP] ADD: Registry protection
15. [VIP] ADD: Kernel mode DLL injector
16. [VIP] ADD: Global time speed controller
 #26423  by m5home
 Mon Aug 03, 2015 3:15 pm
WIN64AST 1.10 BETA5

Download URLs:
http://pan.baidu.com/s/1jGitM9S
http://pan.baidu.com/s/1sj40kxv (WITH .NET4 FRAMEWORK)
(If you do not have ID on this forum, you can download WIN64AST via these URLs)

What is new:
1. Support WIN10
2. Fix some small bugs
 #26466  by m5home
 Fri Aug 07, 2015 10:20 pm
frank_boldewin wrote: I like your tool, though some features are hardly missing.

1. Complete process + driver dump incl. PE-fixing
2. Memory map (VAD) view for processes including page protections as well as dumping individual pages.

1. You can find the memory dump function in "PROCESS -> ADVANCED OPERATIONS -> MEMORY OPERATION"; I will add "complete process memory dump" and "kernel memory dump" in the next version. If you want to edit kernel memory, you can use "KERNEL EXPLORER" (get more information in the HELP file). If you want to edit process memory, the function is also in "PROCESS -> ADVANCED OPERATIONS -> MEMORY OPERATION". If you want to edit a PE file on disk, you can use LordPE or WINHEX.

2. You should use RAMMAP or VMMAP.