A forum for reverse engineering, OS internals and malware analysis 

Discussion on reverse-engineering and debugging.
 #24040  by EP_X0FF
 Fri Oct 03, 2014 10:29 am
Some of the key Windows 10 binaries for people who don't want to download new gigabytes of the same Vista trash.

x64 6.4.9841 aka win 10 TP

files:

ci.dll
ntoskrnl.exe
gdi32.dll
user32.dll
ntdll.dll
Attachments
(5.12 MiB) Downloaded 53 times
 #24042  by TETYYSs
 Fri Oct 03, 2014 4:44 pm
Is ntoskrnl
MD5: 3cb96a9cfd473bec45e9a09a2ee7c1a0
SHA-1: 34aed5d850ae712a771de799ed192f4cf32800a4
?
 #24076  by rkhunter
 Tue Oct 07, 2014 12:57 pm
Btw, look at the list of loaded drivers. Now we have 3 win32k drivers: win32k.sys, win32kbase.sys and win32kfull.sys.
Also, very interesting exports in ntoskrnl (MmLoadSystemImage, PsLoadedModuleList) & win32k (related to GUI SSDT on read access).
New fields in kprocess & kthread related to security: +0x1B8 kprocess.SecureProcess, +0x31C kthread.SecureThreadCookie.
+ a new type of synchronization object, "Auto Expand Push Lock".

I've uploaded a list of the new exports here: http://artemonsecurity.com/win10tp_nt_exports.txt
 #24080  by EP_X0FF
 Tue Oct 07, 2014 3:27 pm
rkhunter wrote: Also, very interesting exports in ntoskrnl (MmLoadSystemImage, PsLoadedModuleList) & win32k (related to GUI SSDT on read access).
Seems the trend continues: old known things become half-public/working. AFAIR in win8.1 NtSystemDebugControl is back, meaning it can again be used to read kernel memory.
 #25103  by EP_X0FF
 Thu Jan 29, 2015 3:41 pm
Dumped ntoskrnl PDB from Windows 10 Technical Preview - January 2015.
Attachments
(109.46 KiB) Downloaded 38 times