A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #10482  by Vrtule
 Tue Dec 20, 2011 1:59 pm
Hello,

is this utility able to print contents of SDT Shadow table on 64-bit systems? I mean whether it is able to output addresses of individual routines (compute them from the offset stored in the address table). I was somewhat unable to manage it.
 #10530  by redp
 Thu Dec 22, 2011 1:53 pm
Vrtule wrote: is this utility able to print contents of SDT Shadow table on 64-bit systems? I mean whether it is able to output addresses of individual routines (compute them from the offset stored in the address table)
Specially for you, the new version adds the -dsdt & -dssdt options :P
Also added -fm option to dump all callback nodes from FltMgr
 #10546  by Vrtule
 Thu Dec 22, 2011 5:11 pm
Thank you very much!
 #10564  by a_d_13
 Sat Dec 24, 2011 2:45 am
yanxizhen wrote: the download link is blocked in China
Hello,

Here is most recent version mirrored here.

Thanks,
--AD
Attachment (926.42 KiB)
 #10710  by redp
 Fri Dec 30, 2011 12:25 pm
new version
* add -sched option to dump threads from scheduler structures. Warning: since XP, the scheduler's wait list does not contain all waiting threads
* improved support of old wk2 (sp1/sp2/sp3)
 #10712  by DeepBlueSea
 Fri Dec 30, 2011 2:31 pm
Nice tool. There are some interesting usermode checks you do. I might end up adding them into my tool. Can you check these things with your tool without needing to load your driver?
 #11011  by redp
 Fri Jan 13, 2012 6:45 pm
new version
- add support of w2008r2 sp1
- add checking of win32k.sys gpsi handlers
- add checking of KPRCB.PowerState.IdleFunction
- some bugs were fixed
 #11311  by redp
 Fri Jan 27, 2012 6:24 pm
uploaded new version
sha-256 hashes:
32bit version: 1E5613000A43E57D34DBD8105B4EFE0FE45D27F63536CFD18AF7A87CBFEF5CFF
64bit version: 1060153ACFB7C9F3ABBA1565D36B47E918E85BBCC9AF68179DD4F61D0121D8B2

Changelog:
- wincheck is now able to check "protected processes" like audiodg.exe
- add checking of win32k!gDxgkInterface
- add checking of netio!gWfpGlobal index functions and wfp shim handlers (with -ndis option)
- add checking of mswsock!SockProcTable
- some bugs were fixed