[xanax]

Attach few crash dumps maded after using Win64AST

0x000000CE -> DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (CE) -> immediately after try to exit
0x00000050 -> PAGE_FAULT_IN_NONPAGED_AREA (50)
0x00000109 -> CRITICAL_STRUCTURE_CORRUPTION (109) -> after hide processes

on Win 8, in Drivers tab, when check Hide Signed Items and refresh nothing is hidden, not even one signed driver, on Win 7 is OK except Win64AST.sys
on Win 8, in Process tab when do same thing maybe few signed is hidden, not all, on Win 7 is OK
in Process if uncheck Hide Deleting items, refresh and then select hidden item and Scan Module patch, program will crash (Fault Module Name: Win64AST.DLL)

[m5home]

Attach few crash dumps maded after using Win64AST

0x000000CE -> DRIVER_UNLOADED_WITHOUT_CANCELLING_PENDING_OPERATIONS (CE) -> immediately after try to exit
0x00000050 -> PAGE_FAULT_IN_NONPAGED_AREA (50)
0x00000109 -> CRITICAL_STRUCTURE_CORRUPTION (109) -> after hide processes

on Win 8, in Drivers tab, when check Hide Signed Items and refresh nothing is hidden, not even one signed driver, on Win 7 is OK except Win64AST.sys
on Win 8, in Process tab when do same thing maybe few signed is hidden, not all, on Win 7 is OK
in Process if uncheck Hide Deleting items, refresh and then select hidden item and Scan Module patch, program will crash (Fault Module Name: Win64AST.DLL)

Thank you. I will try to fix this bug on next version.

[m5home]

WIN64AST 1.00 BETA5(with DIGITAL SIGNATURE)
What's new:
1.Enum/Restore FSD dispatch functions
2.Enum/Restore kernel objects
3.Enum/Stop IO Timer & DPC Timer
4.Enum/Remove minifilter & filter driver
5.Enum/Delete object callback(callback created by ObRegisterCallbacks)
6.Show remote IP geography address of net connection
7.Detect MBR Rootkit(WORK ON RING3, NOT STRONG)
8.fix some bugs on last version

Special thanks: fyyre/EP_X0FF/xanax/rinn

[adslxyz]

so good tool~

[m5home]

WIN64AST 1.00 BETA6(with DIGITAL SIGNATURE)
What's new:
1.Add function "Disable callback function"
2.Enum/Unhook IDT
3.Scan/Unhook Process IAT/EAT HOOK
4.Enum/Restore Dispatch function(ClassPNP.sys/ATAPI.sys/NDIS.sys/TCPIP.sys)
5.View value of special register
6.Enum GDT
7.10 new commands for "Kernel Explorer"
8.New function "exclude specified PIDs" for "Behavior Monitor"

[m5home]

Shutdown of PG as requirement -> compromising OS security -> seriously minimizes usefulness of this tool.

Could you edit my thread, delete this line:

If you want to use this tool, you need to disable PatchGuard, because I use kernel hook to realize some functions.

And change the title:

ARK for WINDOWS x64 - WIN64AST

Done.

Thanks,
--AD

Could you edit my thread, change the title:

Code: Select all

ARK for WINDOWS x64 - WIN64AST(Update: 2013-01-01)[Page4#37]

Thanks.

[m5home]

Manage Process(include Module/Thread/Handle/Window)
View Kernel Module
View/Disconnect Net Connection
Enum/Restore SSDT and SHADOW SSDT
Scan/Clear User mode and Kernel mode Inline hook
View/Delete Message Hook
View/Restore Driver Dispatch Function
View/Restore Kernel Object Routine Function
View/Delete Callback & Notify
Enum/Delete IO Timer
Enum/Delete DPC Timer
Enum MiniFilter/Disable MiniFilter callback function
Enum/Remove Filter Driver
Enum/Restore IDT
Enum GDT
Show value of special register(CR0/CR2/CR3/CR4/DR0/DR1/DR2/DR3/DR6/DR7)
Scan/Clear User mode EAT/IAT Hook
View/Backup/Restore MBR
Process Behavior Monitor
Edit(Disasm/Modify) Kernel Memory
Force Unlock/Delete File
Force Delete/Rename/Create RegKey & RegValue
Check digital signature of file


More functions will be added in the future.

[KeWss]

I going to test it.

[m5home]

WIN64AST 1.00(with DIGITAL SIGNATURE)

What is new:
1.Add tab "File Manager"
2.Add tab "Registry Editor"

Functions:
Manage Process(include Module/Thread/Handle/Window)
View Kernel Module
View/Disconnect Net Connection
Enum/Restore SSDT and SHADOW SSDT
Scan/Clear User mode and Kernel mode Inline hook
View/Delete Message Hook
View/Restore Driver Dispatch Function
View/Restore Kernel Object Routine Function
View/Delete Callback & Notify
Enum/Delete IO Timer
Enum/Delete DPC Timer
Enum MiniFilter/Disable MiniFilter callback function
Enum/Remove Filter Driver
Enum/Restore IDT
Enum GDT
Show value of special register(CR0/CR2/CR3/CR4/DR0/DR1/DR2/DR3/DR6/DR7)
Scan/Clear User mode EAT/IAT Hook
View/Backup/Restore MBR
Process Behavior Monitor
Edit(Disasm/Modify) Kernel Memory
Low-level File operation
Low-level Registry operation
Check digital signature of file

[xanax]

many thanks for File Manager and Registry Editor with low level operation