пятница, 28 декабря 2012 г.

import graph maker for graphviz

Just small perl script to parse dumpbin /imports output and make .dot file for graphviz

среда, 26 декабря 2012 г.

ms forefront - wtf ?

Claims on hal.dll downloaded from http://msdl.microsoft.com/download/symbols
Wtf ?

пятница, 21 декабря 2012 г.

wincheck rc8.35

Download mirror
Changelog:
  • add -t option to show all process threads
  • add checking of some fields of TEB (and TEB32)
  • -st option now works on w2k
  • some other bugs were fixed

среда, 19 декабря 2012 г.

teb32 of wow64 process

It seems that internet is full of wrong recipes how to get subj (like this one - true anal surgery IMHO)
Actually answer is very simple - TEB32 is always located at offset 0x2000 after TEB

Proofs
Lets see for example function NtSetInformationThread in kernel for THREADINFOCLASS .eq. ThreadZeroTlsCell:
  mov   rcx, [r8+0F0h]           ; load _KTHREAD.Teb in rcx
  test  rcx, rcx
  jz    loc_1403E521A
  mov   rax, [rbx+418h]          ; EPROCESS.Wow64Process
  test  rax, rax
  jz    short loc_1403E5178      ; not wow64 process
  lea   r9, [rcx+2000h]          ; wow64 process - load TEB32
loc_1403E5178:

  mov   edx, [rsp+118h+var_AC]
  cmp   edx, 40h
  jnb   short loc_1403E519F
  test  rax, rax                 ; again check for wow64 process
  jnz   short loc_1403E5190
  mov   [rcx+rdx*8+1480h], rsi   ; store to TEB.TlsSlots[rdx]
loc_1403E5190:
  test  r9, r9
  jz    short loc_1403E520A
  mov   [r9+rdx*4+0E10h], esi    ; store to TEB32.TlsSlots[rdx]


Next lets check MmCreateTeb function:   
  mov   ebx, 1820h            ; sizeof(TEB)
  mov   rax, [rcx+418h]       ; EPROCESS.Wow64Process
  mov   [rsp+98h+var_78], rax
  mov   ecx, 2FE8h            ; sizeof(TEB) rounded to page size + sizeof(TEB32)
  test  rax, rax              ; check if this process is wow64
  cmovnz ebx, ecx             ; if yes apply size for both TEBs
  lea   rdx, [rsp+98h+var_60]
  mov   rcx, r12
  call  KeStackAttachProcess
  lea   r9, [rsp+98h+var_70]
  mov   r8d, ebx              ; use this size as 3rd argument to
MiCreatePebOrTeb
  mov   rdx, rdi
  mov   rcx, r12
  call  MiCreatePebOrTeb

среда, 12 декабря 2012 г.

воскресенье, 9 декабря 2012 г.

A Primer on Scientific Programming with Python

I started reading subj and really enjoy even with acknowledgments:
Ståle Zerener Haugnæss, Kristian Hiorth, Arve Knudsen, Tobias Vidarssønn Langhoff, Martin Vonheim Larsen, Kine Veronica Lund, Solveig Masvie, Håkon Møller, Rebekka Mørken,
Mathias Nedrebø
IMHO all this names sound like norvegian true-black metal bands album titles. I have a strong hope that there will be at least a chapter how to burn wooden church using results maded with sci-python, he-he

четверг, 6 декабря 2012 г.

wincheck rc8.33

Download mirror
Changelog:
  • add -wdf option for checking of WdfFunctions for KMDF-based drivers
  • some bugs were fixed

среда, 5 декабря 2012 г.

WdfFunctions.idc 64bit

Made supplement for WdfFunctions.idc for 64bit versions of KMDF. It seems that my windows server 2012 build 9200 has old Wdf01000.sys so this version of script supports WDFFUNCTIONS with size up to 0x18C only

вторник, 4 декабря 2012 г.

WdfFunctions.idc

I am tired to manually add _WDFFUNCTIONS structure from Wdf01000.sys to any KMDF based driver IDB so I wrote today simple IDC script to automate this activity
Script just try to find WdfFunctions in loaded IDB, extract size and add appropriate version of WDFFUNCTIONS structure. Supported following 32bit versions:
  • vista (size 0x183)
  • w7 (size 0x18c)
  • w8 (size 0x1b0)