KernelMode.info

xanax wrote:i use FSPro Labs Hide Folders 2012 program to hide files and folders
Win64AST will see hidden files and folders but when i try to open hidden folder i get BSOD
also when i try copy hidden files to another location it say Operation finished! but nothing is copied

This bug is fixed now. No BSOD anymore.
You can operate file (such as copy/rename/delete) directly without any other steps.
New version will be released in these days.

m5home wrote:2.I known, starting Win64AST is very slow, but I cannot solve this, because it depend on .NET4! .NET initialization use a lot of time, I cannot control this.

2.I known, starting Win64AST is very slow, but I cannot solve this, because it depend on .NET4! .NET initialization use a lot of time, I cannot control this.[/quote]
I saw your tool some time ago and it looks interesting but I noticed this. Out of sheer curiosity, why use .NET for any part of such a low level tool? Aside from just using Windows API, does it not seem that some of the C++ GUI frameworks would be suitable?

xp5evr wrote:I saw your tool some time ago and it looks interesting but I noticed this. Out of sheer curiosity, why use .NET for any part of such a low level tool? Aside from just using Windows API, does it not seem that some of the C++ GUI frameworks would be suitable?

WIN64AST is a free tool, no one give me a dollar, so I don't have time and wish to create a new GUI framework.
If some one give me 50,000 dollars, I will use VC to rewrite the GUI part. :lol:

WIN64AST 1.03B

Download URL: http://pan.baidu.com/s/1lCrjb
(If you do not have ID on this forum, you can download WIN64AST via this URL)

Functions:
1.Manage Process(include Module/Thread/Memory/Handle/Window)
2.View Kernel Module
3.View/Disconnect Net Connection
4.Enum/Restore SSDT and SHADOW SSDT
5.Scan/Clear User mode and Kernel mode Inline hook
6.View/Delete Message Hook
7.View/Restore Driver Dispatch Function
8.View/Restore Kernel Object Routine Function
9.View/Delete Callback & Notify
10.Enum/Delete IO Timer
11.Enum/Delete DPC Timer
12.Enum MiniFilter/Disable MiniFilter callback function
13.Enum/Remove Filter Driver
14.View/Backup/Restore/Repair MBR
15.Process Behavior Monitor
16.Edit(Disasm/Modify) Kernel Memory
17.Low-level File operation
18.Low-level Registry operation
19.Forbid create Process/File/RegKey/RegValue and forbid load driver
20.Check digital signature of file
21.Enum/Restore IDT
22.Enum GDT
23.Show value of special register(CR0/CR2/CR3/CR4/DR0/DR1/DR2/DR3/DR6/DR7)
24.Scan/Clear User mode EAT/IAT Hook
25.View/Backup/Restore VBR
26.Simple Firewall
27.Enum/Delete SPI/BHO/IE Right-Click Menu
28.DLL/Driver Loader
29.Turn ON/OFF LKD and DSE dynamically(This function will trigger PatchGuard and lead to BSOD, designed for advanced users.)
30.Hide Process(This function will trigger PatchGuard and lead to BSOD, designed for advanced users.)

WIN64AST 1.04

Download URL: http://pan.baidu.com/s/1kT2YbnL
(If you do not have ID on this forum, you can download WIN64AST via this URL)

What is new?
1.Add: Enumerate/Delete Autoruns.
2.Add: Forbid write MBR and connect Internet.
3.Add: Scan suspicious driver image and crucial system file.
4.Fix: Some BSOD bugs.

Hello guys I have a question is this tool safe? VT shows 30+ detections by AV...

hey m5home, amazing project, i`d like to sugest you to change internet/firewall and add a feature to block a process id from accessing an specific remote port, that would be very useful, at least for me

KiFastCallEntry wrote:hey m5home, amazing project, i`d like to sugest you to change internet/firewall and add a feature to block a process id from accessing an specific remote port, that would be very useful, at least for me

OK. I will carefully consider your proposal.

WIN64AST 1.10 beta1

Download URL: http://pan.baidu.com/s/1dDkXEZB
(If you do not have ID on this forum, you can download WIN64AST via this URL)

What is new?
1.Fix: New UI(Less startup time), Some BSOD bugs.
2.Add: Enumerate WFP CALLOUT and WFP Driver.
3.Add: Display IRP dispatch function of any driver.
4.Add: Turn on LKD dynamically on WIN8/8.1.
5.Add: System important part scan.
6.Cancel: Hide Process.

nice ark,

you should consider adding advanced->read/write to make it able to read/write device driver memory, and add physical memory option as well