A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about kernel-mode development.
 #7965  by rkhunter
 Fri Aug 12, 2011 4:04 pm
Structures for various operating systems that can be very useful in research.

Obtained with SymbolTypeViewer (free tool).
http://www.laboskopia.com/download/Symb ... 0_beta.zip

Features of tool:
• download the symbols (pdb) very simply.
• sail and visualize in a detailed way the types and their members in the form of a tree structure
• easily find the unused areas in the structures (padding). These areas are theoretically usable to put personal data there
• translate the structures for the C language (.h) and for IDA script (.idc) of DataRescue (http://www.datarescue.com/idabase/)
• personalize the formatting: addition of a suffix in the names of types, freeze the sizes of structures and members (the pointers become ULONG32 for a 32bit system and UINT64 for a 64bit system)
• apply searches of texts or regular expressions
• do a batch processing by treating all modules met in a directory and its subdirectories. For example: C:\Windows;)
 #8631  by rkhunter
 Mon Sep 19, 2011 11:50 am
Windows 8 developer preview, build 6.2.8102.101.
 #8634  by rkhunter
 Mon Sep 19, 2011 12:08 pm
Windows 8 developer preview, build 6.2.8102.101.
 #8669  by rkhunter
 Wed Sep 21, 2011 11:07 am
Build 8102:

Added fields in _kprocess:

/*0x05C*/ LONG32 AffinitySet : 1; // 3 BitPosition
/*0x05C*/ ULONG32 DeepFreeze : 1; // 4 BitPosition
/*0x05C*/ ULONG32 IdleAware : 1; // 5 BitPosition
/*0x05C*/ ULONG32 TimerVirtualization : 1; // 6 BitPosition

New flags in _EPROCESS (randomization of element offsets compared with 7):

/*0x264*/ ULONG32 ExplicitAffinity : 1; // 21 BitPosition
/*0x264*/ ULONG32 LowVaAccessible : 1; // 22 BitPosition
/*0x264*/ ULONG32 ForceRelocateImages : 1; // 23 BitPosition
/*0x264*/ ULONG32 DisallowStrippedImages : 1; // 24 BitPosition
/*0x264*/ ULONG32 HighEntropyASLREnabled : 1; // 25 BitPosition
/*0x264*/ ULONG32 ForceStackCheck : 1; // 26 BitPosition
/*0x264*/ ULONG32 ProcessDeepFrozen : 1; // 27 BitPosition
/*0x264*/ ULONG32 ProcessDeepFreezeRequest : 1; // 28 BitPosition
/*0x264*/ ULONG32 ProcessDeepFreezeInProgress : 1; // 29 BitPosition
/*0x264*/ ULONG32 DisallowWin32kSystemCalls : 1; // 30 BitPosition

/*0x288*/ ULONG32 VadPhysicalPages;
/*0x28C*/ ULONG32 VadPhysicalPagesLimit;

/*0x2C8*/ VOID* WnfContext;

/*0x2CC*/ enum _SE_SIGNING_LEVEL SignatureLevel;

/*0x2D0*/ ULONG32 KeepAliveCounter;
/*0x2D4*/ struct _PROCESS_DISK_COUNTERS* DiskCounters;

Added fields in _kthread:

/*0x040*/ ULONG32 CurrentRunTime;
/*0x044*/ ULONG32 ExpectedRunTime;
/*0x04C*/ struct _XSAVE_FORMAT* StateSaveArea;
/*0x050*/ struct _KSCHEDULING_GROUP* SchedulingGroup;

/*0x058*/ ULONG32 CodePatchInProgress : 1; // 6 BitPosition
/*0x058*/ ULONG32 SystemThread : 1; // 12 BitPosition
/*0x058*/ ULONG32 ProcessDetachActive : 1; // 13 BitPosition
/*0x058*/ ULONG32 ScbReadyQueue : 1; // 15 BitPosition
/*0x058*/ ULONG32 ReservedStackInUse : 1; // 17 BitPosition
/*0x058*/ ULONG32 DisableStackCheck : 1; // 19 BitPosition

Added fields in TEB:

/*0xFCA*/ UINT16 SessionAware : 1; // 11 BitPosition
/*0xFCA*/ UINT16 DisabledStackCheck : 1;

PEB:

/*0x248*/ UINT64 CsrServerReadOnlySharedMemoryBase;

Introduces new object types:

DxgkSharedAllocation
CompositionSurface
WaitCompletionPacket

Functions in SSDT follow in reverse mode (Z-A).
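The field listings above are in the format SymbolTypeViewer writes to its .h output (offset comment, type, name, and a BitPosition comment for bit-fields). As an added example that is not part of this thread or of the tool, the following Python parses lines in that format into a lookup table and uses it to read the _EPROCESS flag bits at 0x264 out of a raw ULONG32, the kind of check you would do when examining a process object in a memory dump. The sample lines are copied from the build 8102 post; the raw dword and the function names are constructed for the example.

```python
import re

# Constructed sample in the SymbolTypeViewer .h style quoted in this thread
# (a subset of the Windows 8 build 8102 _EPROCESS additions listed above):
#   "/*0xOFF*/ TYPE Name : WIDTH; // N BitPosition"  for bit-fields
#   "/*0xOFF*/ TYPE Name;"                           for plain members
EPROCESS_SNIPPET = """
/*0x264*/ ULONG32 ForceRelocateImages : 1; // 23 BitPosition
/*0x264*/ ULONG32 HighEntropyASLREnabled : 1; // 25 BitPosition
/*0x264*/ ULONG32 ForceStackCheck : 1; // 26 BitPosition
/*0x264*/ ULONG32 ProcessDeepFrozen : 1; // 27 BitPosition
/*0x264*/ ULONG32 DisallowWin32kSystemCalls : 1; // 30 BitPosition
/*0x288*/ ULONG32 VadPhysicalPages;
/*0x28C*/ ULONG32 VadPhysicalPagesLimit;
/*0x2D4*/ struct _PROCESS_DISK_COUNTERS* DiskCounters;
"""

# offset, type, name, optional ": width", optional "// N BitPosition"
FIELD_RE = re.compile(
    r"/\*0x([0-9A-Fa-f]+)\*/\s+([\w\s\*]+?)\s+(\w+)"
    r"(?:\s*:\s*(\d+))?\s*;(?:\s*//\s*(\d+)\s+BitPosition)?"
)

def parse_fields(text):
    """Map member name -> (offset, bit width, bit position); the last two are
    None for plain (non-bit-field) members."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            off, _ctype, name, width, bitpos = m.groups()
            fields[name] = (int(off, 16),
                            int(width) if width else None,
                            int(bitpos) if bitpos else None)
    return fields

def field_mask(fields, name):
    """Bit mask of a bit-field member within its containing ULONG32."""
    _off, width, bitpos = fields[name]
    return ((1 << width) - 1) << bitpos

def decode_flags(fields, offset, raw_dword):
    """Names of the 1-bit members stored at `offset` that are set in the
    little-endian ULONG32 `raw_dword` (e.g. 4 bytes read from a memory dump)."""
    value = int.from_bytes(raw_dword, "little")
    return [name for name, (off, width, bitpos) in fields.items()
            if off == offset and width == 1 and bitpos is not None
            and (value >> bitpos) & 1]
```

Pointing parse_fields at a whole .h file produced by the tool gives the same table for every member, so the same decode works for the _KPROCESS and _KTHREAD bit-fields listed above.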
 #8741  by rkhunter
 Mon Sep 26, 2011 9:04 am
Collection of ntos kernels; the archive at the link contains files named file_version+MD5.
Includes versions:


~36 MB
http://narod.ru/disk/26358003001/ntos_kernels.zip.html
 #19849  by rkhunter
 Fri Jun 28, 2013 12:00 pm
Windows 8.1 dev preview (ntoskrnl 6.3.9431.0 symbols)
.h + .idc attached.
 #19897  by rkhunter
 Mon Jul 01, 2013 7:30 am
redp wrote: Nice work, can you do the same for ndis.sys?
I can't translate it for ndis.sys.
I just attached the .pdb file of ndis.sys, if it will be useful...
 #19898  by rkhunter
 Mon Jul 01, 2013 9:04 am
Updated collection of ntos kernels; the archive at the link contains files named file_version+MD5.
Includes versions:


~43 MB

http://artemonsecurity.com/ntos_kernels.zip