Just small perl script to parse dumpbin /imports output and make .dot file for graphviz
Friday, 28 December 2012
Wednesday, 26 December 2012
Friday, 21 December 2012
wincheck rc8.35
Wednesday, 19 December 2012
teb32 of wow64 process
It seems that the internet is full of wrong recipes for getting the subject (like this one - true anal surgery IMHO)
Actually the answer is very simple - TEB32 is always located at offset 0x2000 after the TEB
Proofs
Let's look, for example, at the function NtSetInformationThread in the kernel, for THREADINFOCLASS equal to ThreadZeroTlsCell:
mov rcx, [r8+0F0h] ; load _KTHREAD.Teb in rcx
test rcx, rcx
jz loc_1403E521A
mov rax, [rbx+418h] ; EPROCESS.Wow64Process
test rax, rax
jz short loc_1403E5178 ; not wow64 process
lea r9, [rcx+2000h] ; wow64 process - load TEB32
loc_1403E5178:
mov edx, [rsp+118h+var_AC]
cmp edx, 40h
jnb short loc_1403E519F
test rax, rax ; again check for wow64 process
jnz short loc_1403E5190
mov [rcx+rdx*8+1480h], rsi ; store to TEB.TlsSlots[rdx]
loc_1403E5190:
test r9, r9
jz short loc_1403E520A
mov [r9+rdx*4+0E10h], esi ; store to TEB32.TlsSlots[rdx]
Next let's check the MmCreateTeb function:
mov ebx, 1820h ; sizeof(TEB)
mov rax, [rcx+418h] ; EPROCESS.Wow64Process
mov [rsp+98h+var_78], rax
mov ecx, 2FE8h ; sizeof(TEB) rounded to page size + sizeof(TEB32)
test rax, rax ; check if this process is wow64
cmovnz ebx, ecx ; if yes apply size for both TEBs
lea rdx, [rsp+98h+var_60]
mov rcx, r12
call KeStackAttachProcess
lea r9, [rsp+98h+var_70]
mov r8d, ebx ; use this size as 3rd argument to MiCreatePebOrTeb
mov rdx, rdi
mov rcx, r12
call MiCreatePebOrTeb
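To make the two listings concrete, here is an added example (not code from the original post, and nothing here touches a real TEB) that models the same logic in plain user-mode C: the allocation size MmCreateTeb picks for a native versus a wow64 thread, the TEB32 = TEB + 0x2000 relation, and the ThreadZeroTlsCell store into either TEB.TlsSlots or TEB32.TlsSlots with the 0x40 slot bound. Every constant comes from the disassembly above; the function names, the fake TEB base address and the backing buffer are constructed for the example.

```c
/* Added example: a user-mode model of the TEB/TEB32 addressing shown in the
 * NtSetInformationThread (ThreadZeroTlsCell) and MmCreateTeb listings.
 * Constants are taken from the disassembly on the page; the names below are
 * hypothetical and the "TEB" is just a heap buffer standing in for the
 * kernel allocation. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TEB_SIZE           0x1820u  /* mov ebx, 1820h ; sizeof(TEB) */
#define TEB32_OFFSET       0x2000u  /* lea r9, [rcx+2000h] ; TEB32 */
#define TEB_ALLOC_WOW64    0x2FE8u  /* mov ecx, 2FE8h ; page-rounded TEB + TEB32 */
#define TEB_TLSSLOTS_OFF   0x1480u  /* [rcx+rdx*8+1480h] ; TEB.TlsSlots, 8-byte slots */
#define TEB32_TLSSLOTS_OFF 0xE10u   /* [r9+rdx*4+0E10h] ; TEB32.TlsSlots, 4-byte slots */
#define TLS_SLOT_COUNT     0x40u    /* cmp edx, 40h */

/* Size MmCreateTeb hands to MiCreatePebOrTeb (the cmovnz in the listing). */
static uint32_t teb_alloc_size(int is_wow64) {
    return is_wow64 ? TEB_ALLOC_WOW64 : TEB_SIZE;
}

/* sizeof(TEB32) implied by the listing: allocation minus the page-rounded TEB. */
static uint32_t teb32_size(void) {
    return TEB_ALLOC_WOW64 - TEB32_OFFSET;  /* 0xFE8 */
}

/* TEB32 of a wow64 thread is the TEB plus 0x2000; native threads have none. */
static uint64_t teb32_from_teb(uint64_t teb, int is_wow64) {
    return is_wow64 ? teb + TEB32_OFFSET : 0;
}

/* Mirrors the ThreadZeroTlsCell path. `block` is the constructed buffer that
 * backs the TEB allocation and `teb` is its fake base address; `value` is the
 * rsi/esi of the listing (zero for this info class). Native threads write the
 * 64-bit slot, wow64 threads skip it and write the 32-bit slot in TEB32.
 * Returns 0 on success, -1 if idx is outside the 0x40 slots. */
static int zero_tls_cell(uint8_t *block, uint64_t teb, int is_wow64,
                         uint32_t idx, uint64_t value) {
    if (idx >= TLS_SLOT_COUNT)
        return -1;                                 /* jnb short loc_1403E519F */
    uint64_t teb32 = teb32_from_teb(teb, is_wow64);
    if (!is_wow64) {                               /* jnz short loc_1403E5190 */
        uint64_t slot = teb + TEB_TLSSLOTS_OFF + (uint64_t)idx * 8;
        memcpy(block + (slot - teb), &value, sizeof value);
    }
    if (teb32) {                                   /* test r9, r9 */
        uint32_t v32 = (uint32_t)value;
        uint64_t slot = teb32 + TEB32_TLSSLOTS_OFF + (uint64_t)idx * 4;
        memcpy(block + (slot - teb), &v32, sizeof v32);
    }
    return 0;
}

/* Runs one scenario on a fresh 0xFF-filled buffer and reads both slots back,
 * so the effect of the native/wow64 branch is observable. Returns the
 * zero_tls_cell result; *slot64/*slot32 receive the slot contents. */
static int run_scenario(int is_wow64, uint32_t idx,
                        uint64_t *slot64, uint32_t *slot32) {
    const uint64_t fake_teb = 0x7FF700000000ull;   /* constructed base address */
    uint8_t *block = malloc(TEB_ALLOC_WOW64);      /* large enough for both layouts */
    memset(block, 0xFF, TEB_ALLOC_WOW64);
    int rc = zero_tls_cell(block, fake_teb, is_wow64, idx, 0);
    uint32_t i = idx < TLS_SLOT_COUNT ? idx : 0;   /* read a valid slot on error */
    memcpy(slot64, block + TEB_TLSSLOTS_OFF + i * 8, sizeof *slot64);
    memcpy(slot32, block + TEB32_OFFSET + TEB32_TLSSLOTS_OFF + i * 4, sizeof *slot32);
    free(block);
    return rc;
}

int main(void) {
    uint64_t s64; uint32_t s32;
    printf("alloc native=%#x wow64=%#x sizeof(TEB32)=%#x\n",
           teb_alloc_size(0), teb_alloc_size(1), teb32_size());
    printf("TEB32 for TEB 0x7FF700000000: %#llx\n",
           (unsigned long long)teb32_from_teb(0x7FF700000000ull, 1));
    run_scenario(1, 5, &s64, &s32);
    printf("wow64, slot 5: TEB.TlsSlots=%#llx TEB32.TlsSlots=%#x\n",
           (unsigned long long)s64, s32);
    run_scenario(0, 5, &s64, &s32);
    printf("native, slot 5: TEB.TlsSlots=%#llx TEB32.TlsSlots=%#x\n",
           (unsigned long long)s64, s32);
    printf("slot 0x40 rejected: %d\n", run_scenario(1, 0x40, &s64, &s32));
    return 0;
}
```

The two TlsSlots arrays fit inside their respective regions of the 0x2FE8 allocation (0x1480 + 0x40*8 = 0x1680 < 0x1820 and 0x2000 + 0xE10 + 0x40*4 = 0x2F10 < 0x2FE8), which is the sanity check to apply before trusting any recipe that computes TEB32 some other way.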
Wednesday, 12 December 2012
wincheck rc8.34
Download mirror
Changelog:
- added -usbport option for checking USB_CONTROLLER_INTERFACE
- some bugs were fixed
Sunday, 9 December 2012
A Primer on Scientific Programming with Python
I started reading the subject and really enjoy it, even the acknowledgments:
Ståle Zerener Haugnæss, Kristian Hiorth, Arve Knudsen, Tobias Vidarssønn Langhoff, Martin Vonheim Larsen, Kine Veronica Lund, Solveig Masvie, Håkon Møller, Rebekka Mørken, Mathias Nedrebø
IMHO all these names sound like album titles of Norwegian true black metal bands. I have a strong hope that there will be at least a chapter on how to burn a wooden church using results made with sci-python, he-he
Thursday, 6 December 2012
wincheck rc8.33
Download mirror
Changelog:
- added -wdf option for checking WdfFunctions of KMDF-based drivers
- some bugs were fixed
Wednesday, 5 December 2012
WdfFunctions.idc 64bit
Made a supplement to WdfFunctions.idc for 64bit versions of KMDF. It seems that my Windows Server 2012 build 9200 has an old Wdf01000.sys, so this version of the script supports WDFFUNCTIONS with size up to 0x18C only
Tuesday, 4 December 2012
WdfFunctions.idc
I am tired of manually adding the _WDFFUNCTIONS structure from Wdf01000.sys to every KMDF-based driver IDB, so today I wrote a simple IDC script to automate this activity
The script just tries to find WdfFunctions in the loaded IDB, extracts its size and adds the appropriate version of the WDFFUNCTIONS structure. The following 32bit versions are supported:
- vista (size 0x183)
- w7 (size 0x18c)
- w8 (size 0x1b0)