 #2855  by Alex
 Thu Sep 23, 2010 4:15 pm
I forgot to mention this really interesting article - 4MB to 1024 x 4KB...
 #2857  by Orkblutt
 Fri Sep 24, 2010 8:28 am
Thanks Alex! Very interesting stuff here.

Now I have to resolve the PAE issue... :)

Regards,

Orkblutt
 #2879  by Gabben
 Mon Sep 27, 2010 3:14 am
Hey Alex,

Thanks to the links you posted (Process Hunter multicpu), I managed to port TRON 'successfully' to Win7. As the quotes say, I have one very strange and rare problem with a certain process. Cloaking DOES work (I read and logged *cloakedAddr after calling ADD_CLOAK), but the process freezes at the moment the cloaked code is about to execute... I'm pretty sure the multi-CPU interrupt hook works fine.
Can user-mode antidebug stuff be responsible for this? Also, that app doesn't use any ring0 component; it's strictly ring3.

Thank you!
 #2884  by Alex
 Mon Sep 27, 2010 3:59 pm
Hi guys!

@Orkblutt

Thanks for the link - I remember bugcheck's and 90210's (Defeating Shadow Walker) ideas related to Shadow Walker. I didn't look through the sources of Shadow Walker and TRON - they are worth analysing, but this kind of hiding has no future since it uses IDT/code hooking...

@Gabben

I have no idea why it freezes your process, but I don't think it can be related to "user-mode antidebug stuff". Maybe Orkblutt can say something more in this case?
 #2890  by Orkblutt
 Tue Sep 28, 2010 7:11 am
Hey Alex,

I forgot Ivanlef0u's blog... Really nice resources in there.

Gabben, can you tell me more about that app? Did you try to hook SwapContext to avoid TLB flushing?

Regards,

Orky
 #2891  by Gabben
 Tue Sep 28, 2010 7:14 am
@Orkblutt

Ahhh, sorry... Solved my problem. I messed up the handler code while shrinking 'unneeded code' :( Now all works :)

Thanks anyway!