You think what is documented on the Microsoft website is exactly how the Windows loader works? Think again. In this blog I will crash your disassembler/debugger by modifying some fields in the PE header. IMAGE_FILE_HEADER.NumberOfRvaAndSizes In pecoff_v8.doc it says NumberOfRvaAndSizes contains the number of data directories we have. But the Windows loader just ignores it when you have a value larger than ..
Hi all. ASPack 2.12 is a fairly good packer, be it a good one (70% compression ratio), but that's all it really is, a packer, thus its protection level is weak to say the least... And for that reason I give it a level of beginner :P. Nonetheless it may interest some of you, so let's get started... Packer: ASPack 2.12 -> Alexey Solodovnikov. Target: It doesn't matter. Level: Beginner. Tools: PEiD. Im..
The name ASProtect sends shivers down the spine of any would-be reverse engineer. Every time a new version comes out, new tricks follow. My target is Notepad.exe and I have packed it with the ASProtect 2.22 demo version. This version of ASPR has advanced import protection. Let's begin to tackle it. DISCLAIMER: THIS ARTICLE IS INTENDED FOR EDUCATIONAL PURPOSES ONLY! I DON'T BEAR ANY CONSEQUENCES FOR YOU..
Creates or opens a named or unnamed mutex object. To specify an access mask for the object, use the CreateMutexEx function. Through its parameters, a single mutex can be shared by the processes that access the same data and code. Syntax HANDLE WINAPI CreateMutex( __in_opt LPSECURITY_ATTRIBUTES lpMutexAttributes, __in BOOL bInitialOwner, __in_opt LPCTSTR lpName ); If the same name is used for the lpName parameter, multiple processes gain access to the same critical section (Critical Section)..
//********************************************************************************************* // SDTrestore (Proof-of-Concept) // Version 0.2 // by SIG^2 G-TEC Lab // // Coded by Chew Keong TAN // // Permission is hereby granted, free of charge, to any person obtaining a // copy of this software and associated documentation files (the // "Software"), to deal in the Software without restriction..
It's GOOD;; this guy... I'd need to study for a few more months to keep up with this. Introduction Win32 Kernel Rootkits modify the behaviour of the system by Kernel Native API hooking. This technique is typically implemented by modifying the ServiceTable entries in the Service Descriptor Table (SDT). Such modification ensures that a replacement (hook) function installed by a rootkit is called prior to the original native API. The replacement..
Windows Driver Kit: Kernel-Mode Driver Architecture Using Files In A Driver The Microsoft Windows executive represents files by file objects, which are executive objects that are managed by the object manager. (Directories are also represented by file objects.) Kernel-mode components refer to a file by its object name, which is \DosDevices concatenated to the file's full path. (On Microsoft Wind..
Original Question Hello guys!! I'm trying to hook the ZwDeleteFile. I coded a Kernel module and it can hook the ZwDeleteFunction. I see in an "SSDT hook viewer" that the function is hooked correctly, but when I use the DeleteFile API I don't get the "Hello World from a Hooked Function" string in DebugView. Thanks for posting your code! The problem doesn't lie with your (Hoglund's) code, as far..