Yes, thank you ;)
A forum for reverse engineering, OS internals and malware analysis
By the way, i've checked on TDL4 - it overwrites malicious mbr with a clean one as a part of boot process.
*edited for some reason*
Hello,
according to logs there seems has occurred "spy games" trend in this thread.
For your information - nothing what you guys posted and then *deleted/edited* weren't a zeroday information. Especially last one APTI request. There is nothing unknown for malware authors you probably aware of. All stuff you have posted, are based on sources that are publicly available. By doing this constant *edited/deleted* things you are showing total disrespect for everybody who read this forum. This is ridiculous and unacceptable. It is maybe OK for a one time, but not multiple like in this case.
If you have something you won't share with wide public, but still wants to share with somebody - then use private messages and / or protected subforums.
This is wrong place for spy games.
Next one who will erase/edit his message will be banned from this forum and this thread will be closed.
according to logs there seems has occurred "spy games" trend in this thread.
For your information - nothing what you guys posted and then *deleted/edited* weren't a zeroday information. Especially last one APTI request. There is nothing unknown for malware authors you probably aware of. All stuff you have posted, are based on sources that are publicly available. By doing this constant *edited/deleted* things you are showing total disrespect for everybody who read this forum. This is ridiculous and unacceptable. It is maybe OK for a one time, but not multiple like in this case.
If you have something you won't share with wide public, but still wants to share with somebody - then use private messages and / or protected subforums.
This is wrong place for spy games.
Next one who will erase/edit his message will be banned from this forum and this thread will be closed.
Ring0 - the source of inspiration
Understood!
Are you able to restore my last post then?
Especially last one APTI requestWell, I'll trust you.
Are you able to restore my last post then?
Such option is not supported by this software.
Ring0 - the source of inspiration
Well...
So anybody needing some code APTI could ask me, will give him short functionnal sample.
So anybody needing some code APTI could ask me, will give him short functionnal sample.
Tigzy wrote:Well...Hello, Tigzy
So anybody needing some code APTI could ask me, will give him short functionnal sample.
I'm looking for a way to write raw data directly to the file system region of disk from the usermode. I tried to use SCSI request. It works good for first several sectors, but I still don't have write access to needed area. Can your code APTI help me?
Probably there is a mistake in your implementation of SPTI. Here is an example of SPTI with CDB10GENERIC_LENGTH and it works fine - http://www.ntinternals.org/other/nti_sector_reader.rar pass: ntinternals BTW you didn't write anything about version of used OS.
Regards
Regards
I am Jack's NULL pointer (actual e-mail contact.ntinternals_at_gmail.com)
Thank you for an example. What about version of used OS, I mean Vista+ (win32/x64). Here's my code:
Code: Select all
Is there another way to write raw data without getting error 'access denied'?BOOLEAN
SptiRequest(
IN BOOLEAN IsRead,
IN WCHAR VolumeLabel,
IN PVOID pBuffer,
IN ULONG SectorOffset,
IN ULONG SectorNumber
)
{
BOOLEAN Result = FALSE;
WCHAR DosRootPathName[] = L"\\\\.\\C:";
HANDLE DiskHandle = NULL;
ULONG RequestLength = sizeof(SCSI_PASS_THROUGH_DIRECT) + sizeof(SENSE_DATA);
PSCSI_PASS_THROUGH_DIRECT pSrb = NULL;
ULONG BytesRead = 0;
ULONG BytesPerSector = 512;
DosRootPathName[4] = VolumeLabel;
GetDiskFreeSpaceW(&DosRootPathName[4], NULL, &BytesPerSector, NULL, NULL);
DiskHandle = CreateFileW(DosRootPathName, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
if(INVALID_HANDLE_VALUE != DiskHandle)
{
pSrb = MemAlloc(RequestLength);
if(pSrb)
{
RtlZeroMemory(pSrb, RequestLength);
pSrb->Length = sizeof(SCSI_PASS_THROUGH);
pSrb->CdbLength = 10;
pSrb->SenseInfoLength = sizeof(SENSE_DATA);
pSrb->DataIn = IsRead ? SCSI_IOCTL_DATA_OUT : SCSI_IOCTL_DATA_IN;
pSrb->DataTransferLength = SectorNumber * BytesPerSector;
pSrb->TimeOutValue = 500;
pSrb->DataBuffer = pBuffer;
pSrb->SenseInfoOffset = sizeof(SCSI_PASS_THROUGH);
pSrb->Cdb[0] = IsRead ? 0x28 : 0x2A;
pSrb->Cdb[2] = HIBYTE(HIWORD(SectorOffset));
pSrb->Cdb[3] = LOBYTE(HIWORD(SectorOffset));
pSrb->Cdb[4] = HIBYTE(LOWORD(SectorOffset));
pSrb->Cdb[5] = LOBYTE(LOWORD(SectorOffset));
pSrb->Cdb[7] = HIBYTE(LOWORD(SectorNumber));
pSrb->Cdb[8] = LOBYTE(LOWORD(SectorNumber));
Result = DeviceIoControl(DiskHandle, IOCTL_SCSI_PASS_THROUGH_DIRECT, pSrb, RequestLength, pSrb, RequestLength, &BytesRead, NULL);
MemFree(pSrb);
}
CloseHandle(DiskHandle);
}
return Result;
}