A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #18287  by m5home
 Thu Feb 21, 2013 10:39 am
WIN64AST 1.01(with DIGITAL SIGNATURE)

Download URL: http://pan.baidu.com/share/link?shareid ... 1915097229
(If you do not have ID on this forum, you can download WIN64AST via this URL)

Functions:
1.Manage Process(include Module/Thread/Memory/Handle/Window)
2.View Kernel Module
3.View/Disconnect Net Connection
4.Enum/Restore SSDT and SHADOW SSDT
5.Scan/Clear User mode and Kernel mode Inline hook
6.View/Delete Message Hook
7.View/Restore Driver Dispatch Function
8.View/Restore Kernel Object Routine Function
9.View/Delete Callback & Notify
10.Enum/Delete IO Timer
11.Enum/Delete DPC Timer
12.Enum MiniFilter/Disable MiniFilter callback function
13.Enum/Remove Filter Driver
14.View/Backup/Restore/Repair MBR
15.Process Behavior Monitor
16.Edit(Disasm/Modify) Kernel Memory
17.Low-level File operation
18.Low-level Registry operation
19.Forbid create Process/File/RegKey/RegValue and forbid load driver
20.Check digital signature of file
21.Enum/Restore IDT
22.Enum GDT
23.Show value of special register(CR0/CR2/CR3/CR4/DR0/DR1/DR2/DR3/DR6/DR7)
24.Scan/Clear User mode EAT/IAT Hook
Attachments
(1.93 MiB) Downloaded 183 times
 #20336  by m5home
 Fri Aug 02, 2013 2:39 am
xanax wrote:in Win64AST 1.01 can't listed all keys under HKEY_LOCAL_MACHINE\SOFTWARE\Classes or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID for example

Image
Thank you, I will fix this bug on next version.
 #20409  by m5home
 Wed Aug 07, 2013 5:32 am
WIN64AST 1.02(with DIGITAL SIGNATURE)

Download URL: http://pan.baidu.com/share/link?shareid ... 1915097229
(If you do not have ID on this forum, you can download WIN64AST via this URL)

Functions:
1.Manage Process(include Module/Thread/Memory/Handle/Window)
2.View Kernel Module
3.View/Disconnect Net Connection
4.Enum/Restore SSDT and SHADOW SSDT
5.Scan/Clear User mode and Kernel mode Inline hook
6.View/Delete Message Hook
7.View/Restore Driver Dispatch Function
8.View/Restore Kernel Object Routine Function
9.View/Delete Callback & Notify
10.Enum/Delete IO Timer
11.Enum/Delete DPC Timer
12.Enum MiniFilter/Disable MiniFilter callback function
13.Enum/Remove Filter Driver
14.View/Backup/Restore/Repair MBR
15.Process Behavior Monitor
16.Edit(Disasm/Modify) Kernel Memory
17.Low-level File operation
18.Low-level Registry operation
19.Forbid create Process/File/RegKey/RegValue and forbid load driver
20.Check digital signature of file
21.Enum/Restore IDT
22.Enum GDT
23.Show value of special register(CR0/CR2/CR3/CR4/DR0/DR1/DR2/DR3/DR6/DR7)
24.Scan/Clear User mode EAT/IAT Hook

What is new:
1.More process information (startup time, command line arguments).
2.Inject dll to system process (except CSRSS.EXE and SMSS.EXE).
3.Distinguish worker thread (maybe not correct).
4.Disable COPY-ON-WRITE if you want.
5.More "Kernel Explorer" command.
6.More "File Manager" functions.
Attachments
(2.04 MiB) Downloaded 70 times
Last edited by m5home on Wed Aug 07, 2013 8:41 am, edited 1 time in total.
 #20410  by m5home
 Wed Aug 07, 2013 5:33 am
xanax wrote:in Win64AST 1.01 can't listed all keys under HKEY_LOCAL_MACHINE\SOFTWARE\Classes or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID for example

Image
Hey, I fixed this problem on 1.02 version.
 #20421  by xanax
 Thu Aug 08, 2013 12:24 pm
m5home wrote:
xanax wrote:in Win64AST 1.01 can't listed all keys under HKEY_LOCAL_MACHINE\SOFTWARE\Classes or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID for example
Hey, I fixed this problem on 1.02 version.
now i can go somewhere around HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkConnections
and go somewhere around HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{777BA87C-2498-4875-933A-3067DE883070}, but not all the way

Windows 7 SP1 Ultimate x64 English; AMD Athlon II X4 630; 8GB (2x4GB) DDR3 1600MHz
 #20422  by m5home
 Thu Aug 08, 2013 2:09 pm
xanax wrote:
m5home wrote:
xanax wrote:in Win64AST 1.01 can't listed all keys under HKEY_LOCAL_MACHINE\SOFTWARE\Classes or HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID for example
Hey, I fixed this problem on 1.02 version.
now i can go somewhere around HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkConnections
and go somewhere around HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{777BA87C-2498-4875-933A-3067DE883070}, but not all the way

Windows 7 SP1 Ultimate x64 English; AMD Athlon II X4 630; 8GB (2x4GB) DDR3 1600MHz
Do you means that WIN64AST still can not enumerate all items?
 #20444  by m5home
 Sat Aug 10, 2013 10:00 am
xanax wrote:yes, and i have several different situation

Windows 7 SP1 Ultimate (Physical Machine)
Image

Windows 7 SP1 Ultimate (Virtual Machine)
Image

Windows 8 Enterprise (Virtual Machine)
Image
OK, I know. Thanks.
I will fix this bug on next version. :lol:
 #20748  by m5home
 Sun Sep 08, 2013 4:44 pm
WIN64AST 1.03(with DIGITAL SIGNATURE)

Download URL: http://pan.baidu.com/share/link?shareid ... 1915097229
(If you do not have ID on this forum, you can download WIN64AST via this URL)

Functions:
1.Manage Process(include Module/Thread/Memory/Handle/Window)
2.View Kernel Module
3.View/Disconnect Net Connection
4.Enum/Restore SSDT and SHADOW SSDT
5.Scan/Clear User mode and Kernel mode Inline hook
6.View/Delete Message Hook
7.View/Restore Driver Dispatch Function
8.View/Restore Kernel Object Routine Function
9.View/Delete Callback & Notify
10.Enum/Delete IO Timer
11.Enum/Delete DPC Timer
12.Enum MiniFilter/Disable MiniFilter callback function
13.Enum/Remove Filter Driver
14.View/Backup/Restore/Repair MBR
15.Process Behavior Monitor
16.Edit(Disasm/Modify) Kernel Memory
17.Low-level File operation
18.Low-level Registry operation
19.Forbid create Process/File/RegKey/RegValue and forbid load driver
20.Check digital signature of file
21.Enum/Restore IDT
22.Enum GDT
23.Show value of special register(CR0/CR2/CR3/CR4/DR0/DR1/DR2/DR3/DR6/DR7)
24.Scan/Clear User mode EAT/IAT Hook

What is new:
1.Support WIN8.1
2.Disable Driver Signature Enforcement without reboot
Attachments
(1.94 MiB) Downloaded 59 times
  • 1
  • 3
  • 4
  • 5
  • 6
  • 7
  • 10