PhantOm Plugin 1.20
Author: Hellsp@wn & Archer
Description: Plug-in for concealing OllyDbg (plugin with a driver). Helps against the following detection methods:
// driver - extremehide.sys
[+] NtQueryInformationProcess.
[+] SetUnhandledExceptionFilter.
[+] OpenProcess.
[+] Invalid Handle.
[+] NtSetInformationThread.
[+] RDTSC.
[+] NtYieldExecution.
[+] NtQueryObject.
[+] NtQuerySystemInformation.
..
Windows syscall lister Copyleft (c) by Omega Red 2005,2006 [Windows x64 edition - 10.07.2006] [Cleanup, single 32/64bit source - 07.2007] Windows version: 5.1.2600, platform 2, Dodatek Service Pack 2 NtQuerySystemInformation ok, kernel base: 00000000804d7000 Base Size Flags Idx RefC Image ----------------------------------------------------------- 7c900000 000b2000 00000000 0063 0001 \WINDOWS\sy..
How to send IOCTLs to a filter driver. Article ID: 262305. Last Review: August 4, 2005. Revision: 3.1. This article was previously published under Q262305. SUMMARY: This article explains how to send IOCTL requests to a plug-and-play (PnP) filter driver by creating a separate control device object instead of opening a proprietary device interface registered..
Driver Loader Description New and Improved V3.0! Installing and starting NT kernel mode drivers can be a hassle. This is especially true during the development stage of a project, before you've built an attractive gui-based custom installation program. Now, OSRLOADER eliminates your trouble. This GUI-based tool will make all the appropriate registry entries for your driver, and even allow you to..
1. What is protected mode? To make up for the shortcomings of the 8086, which does not support memory protection, virtual memory, multitasking, or more than 640K of memory, the 80386 and later processors provide new features while remaining compatible with the 8086 family. The 386 has all the features of the 8086 and 286 plus many additional ones. Like earlier processors it can run in real mode, and like the 286 it can run in protected mode. However, the 386's protected mode is internally very different from the 286's. The 386's protected mode gives the programmer better memory protection and support for more memory. The purpose of protected mode is not to protect your program. The purpose of protected mode is to protect everything else (including the operating system) from your program. 1.1 보..
kd> dt nt!_peb nt!_PEB +0x000 InheritedAddressSpace : UChar +0x001 ReadImageFileExecOptions : UChar +0x002 BeingDebugged : UChar +0x003 SpareBool : UChar +0x004 Mutant : Ptr32 Void +0x008 ImageBaseAddress : Ptr32 Void +0x00c Ldr : Ptr32 _PEB_LDR_DATA +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS +0x014 SubSystemData : Ptr32 Void +0x018 ProcessHeap : Ptr32 Void +0x01c FastPebLock ..
kd> dt nt!_RTL_USER_PROCESS_PARAMETERS +0x000 MaximumLength : Uint4B +0x004 Length : Uint4B +0x008 Flags : Uint4B +0x00c DebugFlags : Uint4B +0x010 ConsoleHandle : Ptr32 Void +0x014 ConsoleFlags : Uint4B +0x018 StandardInput : Ptr32 Void +0x01c StandardOutput : Ptr32 Void +0x020 StandardError : Ptr32 Void +0x024 CurrentDirectory : _CURDIR +0x030 DllPath : _UNICODE_STRING +0x038 ImagePathName : _..
Someone had been asking how to hook ZwShutdownSystem, the only problem being the function is exported by ntdll, not ntoskrnl. metro_mystery was helpful in providing the table entry number for the call, but unfortunately, the entry number would have to have been hardcoded into the driver. Fortunately, getting the id dynamically from a user land component is easy, simply do it the same way we alwa..
/*++ Routine Description: This routine creates and initializes a process object. It implements the foundation for NtCreateProcess and for system initialization process creation. Arguments: ProcessHandle - Returns the handle for the new process. DesiredAccess - Supplies the desired access modes to the new process. ObjectAttributes - Supplies the object attributes of the new process. ParentProcess..
/*++ Routine Description: This routine creates a system process object. A system process has an address space that is initialized to an empty address space that maps the system. The process inherits its access token and other attributes from the initial system process. The process is created with an empty handle table. Arguments: ProcessHandle - Returns the handle for the new process. DesiredAcc..
- 지루박멸연구센타
- 열정의 힘을 믿는다
- Le4rN TO Cr4cK
- 디버깅에관한모든것(DebugLab)
- sysinternals
- FoundStone
- hashtab
- 보안-coderant
- Device Driver Developer Forum
- dualpage.muz.ro
- osronline.com - driver-related information site
- NtInternals - NativeAPI Refere…
- pcthreat - spyware information
- rootkit.com - rootkit-related information
- www.ntinternals.net
- WINE CrossRef. - source.winehq…
- tuts4you
- hex-rays
- idapalace
- idefense
- immunityinc
- threatexpert
- hdp.null2root.org
- www.crackstore.com
- crackmes.de
- www.who.is
- www.cracklab.ru
- community.reverse-engineering.…
- video.reverse-engineering.net
- SnD
- 클레이 키위
- reversengineering.wordpress.co…
- www.openrce.org
- www.woodmann.com
- PEID.Plusins.BobSoft
- roxik.com/pictaps/
- regexlib.com
- spyware-browser.com
- www.usboffice.kr
- regulator
- www.txt2re.com
- ietab.mozdev.org
- zesrever.xstone.org
- www.heaventools.com/PE-file-he…
- www.heaventools.com
- www.innomp3.com
- 울지않는벌새
- exetools.com-forum
- exetools.com
- utf8 conv
- robtex - IP trace
- onsamehost - same IP sites
- JpopSuki
- jsunpack.jeek.org
- wepawet.iseclab.org
- www.jswiff.com
- www.hackeroo.com
- winesearcher.co.kr
- khpga.org
- malwareurl.com
- anubis.iseclab.org
- www.crummy.com-eautifulSoup
- malwarebytes.org/forums
- bbs.janmeng.com
- blackip.ustc.edu.cn
- eureka.cyber-ta.org
- exploit-db.com