kd> dt nt!_RTL_USER_PROCESS_PARAMETERS
   +0x000 MaximumLength    : Uint4B
   +0x004 Length           : Uint4B
   +0x008 Flags            : Uint4B
   +0x00c DebugFlags       : Uint4B
   +0x010 ConsoleHandle    : Ptr32 Void
   +0x014 ConsoleFlags     : Uint4B
   +0x018 StandardInput    : Ptr32 Void
   +0x01c StandardOutput   : Ptr32 Void
   +0x020 StandardError    : Ptr32 Void
   +0x024 CurrentDirectory : _CURDIR
   +0x030 DllPath          : _UNICODE_STRING
   +0x038 ImagePathName    : _..
Someone had been asking how to hook ZwShutdownSystem, the only problem being the function is exported by ntdll, not ntoskrnl. metro_mystery was helpful in providing the table entry number for the call, but unfortunately, the entry number would have to have been hardcoded into the driver. Fortunately, getting the id dynamically from a user land component is easy, simply do it the same way we alwa..
/*++ Routine Description: This routine creates and initializes a process object. It implements the foundation for NtCreateProcess and for system initialization process creation. Arguments: ProcessHandle - Returns the handle for the new process. DesiredAccess - Supplies the desired access modes to the new process. ObjectAttributes - Supplies the object attributes of the new process. ParentProcess..
/*++ Routine Description: This routine creates a system process object. A system process has an address space that is initialized to an empty address space that maps the system. The process inherits its access token and other attributes from the initial system process. The process is created with an empty handle table. Arguments: ProcessHandle - Returns the handle for the new process. DesiredAcc..
ExAcquireFastMutexUnsafe ExAcquireRundownProtection ExAcquireRundownProtectionEx ExInitializeRundownProtection ExInterlockedAddLargeStatistic ExInterlockedCompareExchange64 ExInterlockedFlushSList ExInterlockedPopEntrySList ExInterlockedPushEntrySList ExReInitializeRundownProtection ExReleaseFastMutexUnsafe ExReleaseResourceLite ExReleaseRundownProtection ExReleaseRundownProtectionEx ExRundownCo..
A more stable way to locate real KiServiceTable Tan Chew Keong in his Win2K/XP SDT Restore 0.1 uses a simple way to find changed SDT entries - he just compares SDT from memory with SDT from ntoskrnl.exe file, assuming that KeServiceDescriptorTable.Base is not changed. If it is, Tan's code that locates KiServiceTable on disk will fail when KeServiceDescriptorTable.Base points somewhere outside th..
An open-source VMware has appeared. Even the source is being released... If it were implemented to compare snapshots for analysis, the job of analyzing tricky things like rootkits would become really easy... ---------------------------------------------------- URL : http://www.virtualbox.org/ SVN : http://virtualbox.org/svn/vbox/trunk/ The features still need a closer look, but above all, the fact that the source is released is the most interesting part.
This is a summary of the original OSR article, organized as I understood it. Let's look at the NtXxx and ZwXxx functions through the following four scenarios: calling an NtXxx (NTDLL.DLL) function from user mode; calling a ZwXxx (NTDLL.DLL) function from user mode; calling an NtXxx (NTOSKRNL.EXE) function from kernel mode; calling a ZwXxx (NTOSKRNL.EXE) function from kernel mode. Calling From User Mode: disassembling the NtXxx function NtReadFile in NTDLL.DLL with the WinDbg U command gives the following result. 0: kd> u ntdll!NtReadFile ntdll!NtReadFile: 77f761e8 b8b7000000 mov e..
ArcaVir AVAST AVG CA ClamWin Dr.Web F-Prot Ikarus Kaspersky McAfee Corporate McAfee Home NOD32 Norman TrendMicro OfficeScan TrendMicro PC-Cillin Panda Titanium Symantec Corporate UNA
Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability through forged magic byte. AUTHOR: Andrey Bayora (www.securityelf.org) For more details, screenshots and examples please read my article "The Magic of magic byte" at www.securityelf.org . In addition, you will find a sample “triple headed” program which has 3 different 'execution entry points', depending on the extension of the ..