Capstone

I play a bit today with this disasm library with BSD license and I should note that it is now virtually unusable

1. size of libcapstone.so is 6.5Mb and even if you remove arch/Mips, arch/AArch64 and arch/ARM from Makefile size of libcapstone.so is still 3.5Mb. Just to compare - size of libudis86.a on the same machine is only 452Kb
2. with udis86 you can easy remove tables with mnemonics (for example they are useless in code analyzers) but this is hard to do with capstone - every arch/mapping.c file contains mix of register names, mnemonic tabs and insn_map structures
3. X86GenDisassemblerTables.inc has size 37Mb ! Authors claim "That is the price to pay for good performance". Perhaps, but 37Mb - it's too much IMHO
4. It seems also that it is very hard to build a library that will fill cs_x86 structure and does not contain references to xprintf or other CRT functions (for example if you plan to use this library in kernel mode driver)

ida 6.5

changelog

PC: handle code sequences which load imagebase value into a temporary register (common in x64 Windows code)

yeah, finally I don`t need to recompile my plugin wpic64 for each new ida version

added win8_um.til and wdk8_km.til for Windows8 WDK (user and kernel mode headers)

he-he. How about WdfFunctions ?

msvcrXXX.dll exports

for msvcr70.dll, msvcr71.dll, msvcr80.dll, msvcr90.dll, msvcr100.dll, msvcr110.dll & msvcr120.dll

ids files for MFC 12

I uploaded archive of IDS files for both 32 & 64bit MFC 12 dll modules
This archive also contains IDT files used for building

clang on windows

it's really wonderful - vs2010 falls on target check-clang:

llvm 3.3 - wtf ?

was built under xp 64bit with visual studio 2010
And I got:
30>  Testing Time: 106.52s
30>  ********************
30>  Failing Tests (32):
30>      LLVM :: CodeGen/ARM/lsr-scale-addr-mode.ll
30>      LLVM :: CodeGen/X86/rodata-relocs.ll
30>      LLVM :: Linker/2003-08-24-InheritPtrSize.ll
30>      LLVM :: Linker/2008-03-05-AliasReference2.ll
30>      LLVM :: Linker/2008-07-06-AliasFnDecl2.ll
30>      LLVM :: Linker/2008-07-06-AliasWeakDest2.ll
30>      LLVM :: Linker/2009-09-03-mdnode2.ll
30>      LLVM :: Linker/2011-08-04-DebugLoc2.ll
30>      LLVM :: Linker/2011-08-04-Metadata2.ll
30>      LLVM :: Linker/2011-08-18-unique-class-type2.ll
30>      LLVM :: Linker/2011-08-18-unique-debug-type2.ll
30>      LLVM :: Linker/2011-08-22-ResolveAlias2.ll
30>      LLVM :: Linker/DbgDeclare2.ll
30>      LLVM :: Linker/available_externally_b.ll
30>      LLVM :: Linker/linkmdnode2.ll
30>      LLVM :: Linker/linknamedmdnode2.ll
30>      LLVM :: Linker/metadata-b.ll
30>      LLVM :: Linker/module-flags-1-b.ll
30>      LLVM :: Linker/module-flags-2-b.ll
30>      LLVM :: Linker/module-flags-3-b.ll
30>      LLVM :: Linker/module-flags-4-b.ll
30>      LLVM :: Linker/module-flags-5-b.ll
30>      LLVM :: Linker/module-flags-6-b.ll
30>      LLVM :: Linker/module-flags-7-b.ll
30>      LLVM :: Linker/module-flags-8-b.ll
30>      LLVM :: Linker/partial-type-refinement-link.ll
30>      LLVM :: Linker/testlink2.ll
30>      LLVM :: Linker/unnamed-addr1-b.ll
30>      LLVM :: Linker/visibility2.ll
30>      LLVM :: MC/MachO/gen-dwarf-producer.s
30>      LLVM :: Transforms/ArgumentPromotion/byval-2.ll
30>      LLVM :: Transforms/LoopSimplify/indirectbr.ll
30>
30>    Expected Passes    : 8274
30>    Expected Failures  : 52
30>    Unsupported Tests  : 264
30>    Unexpected Failures: 32
Is it "normal" ?

msbuild 4.0 debugger

Just patch registry:

c:\windows\system32\reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSBuild\4.0" /v DebuggerEnabled /d true

 and for syswow64:

c:\windows\syswow64\reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSBuild\4.0" /v DebuggerEnabled /d true

from

wincheck rc8.50

Download changelog
Add support of windows 8.1 rtm

ntstatus.idc for WDK 8.1

Add 35 new NTSTATUS values

w8.1 rtm W32pServiceTable 64bit

W32pServiceLimit .eq. 0x40E

apisetschema.dll from w8.1 rtm

to compare with

w8.1 rtm W32pServiceTable

W32pServiceLimit .eq. 0x40C

clang and msbuild integration

chapter 12 of "Inside the Microsoft Build Engine" describes how you can add mingw toolchain to msbuild (visual studio 2010 and newer versions)
So I was very glad to see this patch. But it seems that it does not contains nothing usefull and just don't works !
I wonder if there are some way to integrate clang with msbuild. I missed something ?

crc32 binding for perl

I am tired calculating thousands crc32 hashes of exported functions so I made today binding crc32 for perl
Sample of using:
my $val = crc::my_crc32("GetProcAddress"); # 0xC97C1FFF

or even inside IDA Pro:
use IDA;
use crc;

sub form_ascii
{
  my $addr = shift;
  my $res = '';
  my $c;
  while( $c = Byte($addr) )
  {
    $res .= chr($c);
    $addr++;
  }
  return $res;
}
printf("%X\n", crc::my_crc32(form_ascii(ScreenEA())));

This binding uses swig

exref.pl

a very common problem in static code analysis is finding an exported functions that refers to some desired address. For example KseEngine has 21 references in windows kernel but only 5 of these functions are exported
So I wrote simple perl script for IDA Pro to automate this boring work. Sample of output for KseEngine:
_KseQueryDeviceFlags@12: 74A6C1 addr 74A6E2
_KseQueryDeviceData@20: 74A75B addr 74A77A
_KseQueryDeviceDataList@16: 7A5E74 addr 7A5E95
_KseSetDeviceFlags@16: 7A672D addr 7A6760
_KseUnregisterShim@12: 7A692B addr 7A698B


wincheck rc8.49

Download mirror
Changelog:

• add checking of shims inside apphelp.dll
• add checking of ole32 hook callbacks like pfnInitHookOle/pfnUninitHookOle/pfnEnableHookObject etc
• add some identification of applications within AppContainer
• add checking of KernelBase.dll!pfnAdjustObjectAttributesForPrivateNamespace (windows 8.1 only)
• some other bugs were fixed

how to find ntdll!LdrpHashTable

Old article (warning - it is written in French and has eye-breaking font) describes a good idea of loaded modules cross-scaning using LdrpHashTable. But Ivanlef0u did not show how you can find address of LdrpHashTable with static analysis
It seems that this is not easy task - xrefs to LdrpHashTable are not inside exported functions and they called too deeply from nearest export:

• LdrpResolveDllName
• LdrpFindLoadedDllByName
• LdrpInsertDataTableEntry

so ordinary code-flow graph analysis is very difficult. But actually there is more easy way to find address of LdrpHashTable

Inside the Microsoft Build Engine

it seems that book contains huge amount of misprints. for example on page 79:

The syntax when accessing a static property would be as follows:
$({ClassName}::{PropertyName})

o`k, lets check sample of using static properties:
<Message Text="DataTime.Now: $([System.DateTime]::Now)"/>
and below in PropertyFunctions02.proj was used GetPathToSystemFile('msbuild.exe') but output shows path to mspaint.exe

wincheck rc8.48

Download mirror
Changelog:

• add some support of windows server 2012 r2
• fixed logic for addresses extracting from windows 8.1 preview win32k.sys
• fixed opening of protected processes on windows 8.1 preview
• add checking of dxgi!g_pDebugPrivate & dxgi!g_pDXGIMessage
• some other bugs were fixed 

updated perl binding for IDA Pro

I add functions for accessing cmd structure
Now you can do things like this:

#!perl -w
use strict;
use warnings;
use IDA;

my $addr = ScreenEA();
my $href = ua_ana($addr);
my $str = GetDisasm($addr);
if ( defined($href) )
{
  my $iter;
  printf("real: %s, %s:\n", $str, get_mnem);
  foreach $iter ( keys %$href )
  {
    printf("%s: %X\n", $iter, $href->{$iter});
  }
  my $op_idx;
  for ( $op_idx = 0; $op_idx < 6; $op_idx++ )
  {
    my $op = get_op($op_idx);
    last if ( !defined $op );
    printf("operand %d:\n", $op_idx);
    foreach $iter ( keys %$op )
    {
      printf(" %s ", $iter);
      print $op->{$iter} . "\n";
    }
  }
}

wincheck rc8.47

Download mirror
Changelog:

• interrupts dumping now works on w8.1 preview 32bit
• fixed NDIS interfaces under w8.1 preview
• fixed registry notifiers for w8.1 preview 64bit
• modules loaded by wdfldr now shown under w8.1 preview
• fixed WMI regentries for w8.1 preview 64bit
• add dumping handlers registsred with KdRegisterPowerHandler

interrupts in w8.1

Lets see what windbg !idt command say:
Dumping IDT:

37: 817d0acc hal!HalpX86InterruptSpuriousService
c0: 817d0b78 hal!HalpX86InterruptStubService
d1: 817d1878 hal!HalpTimerClockInterrupt
d2: 817d1b54 hal!HalpTimerClockIpiRoutine
df: 817d1128 hal!HalpX86InterruptRebootService
e1: 817d1388 hal!HalpX86InterruptIpiService
e2: 817d0e50 hal!HalpX86InterruptLocalErrorService
fd: 817d210c hal!HalpTimerProfileInterrupt
fe: 817d23f0 hal!HalpPerfInterrupt

wincheck rc8.46

Download mirror
Some initial support of windows 8.1 preview was added
Known problems:

• -idt option does not work on 32bit w8.1. Btw !idt command in windbg also shows trash
• NDIS interfaces are not shown 
• registry notifiers are not shown on w8.1 64bit
• modules loaded by wdfldr are not shown

w8.1 preview GetVersionEx - wtf ?

Some simple code:

 OSVERSIONINFOEX osvi;
 ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
 osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);

 if (!::GetVersionExW((LPOSVERSIONINFOW)&osvi))
   return 0;
 printf("Major %d Minor %d\n", osvi.dwMajorVersion, osvi.dwMinorVersion);

produces output
Major 6 Minor 2

O`k, next code sample:
  RTL_OSVERSIONINFOEXW osverEx;
  memset(&osverEx, 0, sizeof(osverEx));
  osverEx.dwOSVersionInfoSize = sizeof(osverEx);
  NTSTATUS res = RtlGetVersion((PRTL_OSVERSIONINFOW)&osverEx);
  if ( NT_SUCCESS(res) )
    printf("Major %d Minor %d\n", osverEx.dwMajorVersion, osverEx.dwMinorVersion);


produces output:
Major 6 Minor 3
wtf ?

w8.1 preview on vbox

64bit on vbox 4.2.14

right after boot
Solution:
"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" setextradata "VM Name" VBoxInternal/CPUM/CMPXCHG16B 1

WdfFunctions.idc patch for w8.1 preview

Some time ago I wrote simple script for finding _WDFFUNCTIONS in KMDF based drivers. It seems that Wdf01000.sys!_WDFFUNCTIONS from windows 8.1 preview has some additional fields, so I just added their to my script:

windows 8.1 preview 64bit ntoskrnl.exe exports

to compare with

SYSTEM_INFORMATION_CLASS from w8.1 preview

enum _SYSTEM_INFORMATION_CLASS {
  SystemBasicInformation = 0x0,
  SystemProcessorInformation = 0x1,
  SystemPerformanceInformation = 0x2,
  SystemTimeOfDayInformation = 0x3,
  SystemPathInformation = 0x4,
  SystemProcessInformation = 0x5,
  SystemCallCountInformation = 0x6,
  SystemDeviceInformation = 0x7,
  SystemProcessorPerformanceInformation = 0x8,
  SystemFlagsInformation = 0x9,
  SystemCallTimeInformation = 0xa,
  SystemModuleInformation = 0xb,
  SystemLocksInformation = 0xc,
  SystemStackTraceInformation = 0xd,
  SystemPagedPoolInformation = 0xe,
  SystemNonPagedPoolInformation = 0xf,
  SystemHandleInformation = 0x10,
  SystemObjectInformation = 0x11,
  SystemPageFileInformation = 0x12,
  SystemVdmInstemulInformation = 0x13,
  SystemVdmBopInformation = 0x14,
  SystemFileCacheInformation = 0x15,
  SystemPoolTagInformation = 0x16,
  SystemInterruptInformation = 0x17,
  SystemDpcBehaviorInformation = 0x18,
  SystemFullMemoryInformation = 0x19,
  SystemLoadGdiDriverInformation = 0x1a,
  SystemUnloadGdiDriverInformation = 0x1b,
  SystemTimeAdjustmentInformation = 0x1c,
  SystemSummaryMemoryInformation = 0x1d,
  SystemMirrorMemoryInformation = 0x1e,
  SystemPerformanceTraceInformation = 0x1f,
  SystemObsolete0 = 0x20,
  SystemExceptionInformation = 0x21,
  SystemCrashDumpStateInformation = 0x22,
  SystemKernelDebuggerInformation = 0x23,
  SystemContextSwitchInformation = 0x24,
  SystemRegistryQuotaInformation = 0x25,
  SystemExtendServiceTableInformation = 0x26,
  SystemPrioritySeperation = 0x27,
  SystemVerifierAddDriverInformation = 0x28,
  SystemVerifierRemoveDriverInformation = 0x29,
  SystemProcessorIdleInformation = 0x2a,
  SystemLegacyDriverInformation = 0x2b,
  SystemCurrentTimeZoneInformation = 0x2c,
  SystemLookasideInformation = 0x2d,
  SystemTimeSlipNotification = 0x2e,
  SystemSessionCreate = 0x2f,
  SystemSessionDetach = 0x30,
  SystemSessionInformation = 0x31,
  SystemRangeStartInformation = 0x32,
  SystemVerifierInformation = 0x33,
  SystemVerifierThunkExtend = 0x34,
  SystemSessionProcessInformation = 0x35,
  SystemLoadGdiDriverInSystemSpace = 0x36,
  SystemNumaProcessorMap = 0x37,
  SystemPrefetcherInformation = 0x38,
  SystemExtendedProcessInformation = 0x39,
  SystemRecommendedSharedDataAlignment = 0x3a,
  SystemComPlusPackage = 0x3b,
  SystemNumaAvailableMemory = 0x3c,
  SystemProcessorPowerInformation = 0x3d,
  SystemEmulationBasicInformation = 0x3e,
  SystemEmulationProcessorInformation = 0x3f,
  SystemExtendedHandleInformation = 0x40,
  SystemLostDelayedWriteInformation = 0x41,
  SystemBigPoolInformation = 0x42,
  SystemSessionPoolTagInformation = 0x43,
  SystemSessionMappedViewInformation = 0x44,
  SystemHotpatchInformation = 0x45,
  SystemObjectSecurityMode = 0x46,
  SystemWatchdogTimerHandler = 0x47,
  SystemWatchdogTimerInformation = 0x48,
  SystemLogicalProcessorInformation = 0x49,
  SystemWow64SharedInformationObsolete = 0x4a,
  SystemRegisterFirmwareTableInformationHandler = 0x4b,
  SystemFirmwareTableInformation = 0x4c,
  SystemModuleInformationEx = 0x4d,
  SystemVerifierTriageInformation = 0x4e,
  SystemSuperfetchInformation = 0x4f,
  SystemMemoryListInformation = 0x50,
  SystemFileCacheInformationEx = 0x51,
  SystemThreadPriorityClientIdInformation = 0x52,
  SystemProcessorIdleCycleTimeInformation = 0x53,
  SystemVerifierCancellationInformation = 0x54,
  SystemProcessorPowerInformationEx = 0x55,
  SystemRefTraceInformation = 0x56,
  SystemSpecialPoolInformation = 0x57,
  SystemProcessIdInformation = 0x58,
  SystemErrorPortInformation = 0x59,
  SystemBootEnvironmentInformation = 0x5a,
  SystemHypervisorInformation = 0x5b,
  SystemVerifierInformationEx = 0x5c,
  SystemTimeZoneInformation = 0x5d,
  SystemImageFileExecutionOptionsInformation = 0x5e,
  SystemCoverageInformation = 0x5f,
  SystemPrefetchPatchInformation = 0x60,
  SystemVerifierFaultsInformation = 0x61,
  SystemSystemPartitionInformation = 0x62,
  SystemSystemDiskInformation = 0x63,
  SystemProcessorPerformanceDistribution = 0x64,
  SystemNumaProximityNodeInformation = 0x65,
  SystemDynamicTimeZoneInformation = 0x66,
  SystemCodeIntegrityInformation = 0x67,
  SystemProcessorMicrocodeUpdateInformation = 0x68,
  SystemProcessorBrandString = 0x69,
  SystemVirtualAddressInformation = 0x6a,
  SystemLogicalProcessorAndGroupInformation = 0x6b,
  SystemProcessorCycleTimeInformation = 0x6c,
  SystemStoreInformation = 0x6d,
  SystemRegistryAppendString = 0x6e,
  SystemAitSamplingValue = 0x6f,
  SystemVhdBootInformation = 0x70,
  SystemCpuQuotaInformation = 0x71,
  SystemNativeBasicInformation = 0x72,
  SystemErrorPortTimeouts = 0x73,
  SystemLowPriorityIoInformation = 0x74,
  SystemBootEntropyInformation = 0x75,
  SystemVerifierCountersInformation = 0x76,
  SystemPagedPoolInformationEx = 0x77,
  SystemSystemPtesInformationEx = 0x78,
  SystemNodeDistanceInformation = 0x79,
  SystemAcpiAuditInformation = 0x7a,
  SystemBasicPerformanceInformation = 0x7b,
  SystemQueryPerformanceCounterInformation = 0x7c,
  SystemSessionBigPoolInformation = 0x7d,
  SystemBootGraphicsInformation = 0x7e,
  SystemScrubPhysicalMemoryInformation = 0x7f,
  SystemBadPageInformation = 0x80,
  SystemProcessorProfileControlArea = 0x81,
  SystemCombinePhysicalMemoryInformation = 0x82,
  SystemEntropyInterruptTimingInformation = 0x83,
  SystemConsoleInformation = 0x84,
  SystemPlatformBinaryInformation = 0x85,
  SystemThrottleNotificationInformation = 0x86,
  SystemHypervisorProcessorCountInformation = 0x87,
  SystemDeviceDataInformation = 0x88,
  SystemDeviceDataEnumerationInformation = 0x89,
  SystemMemoryTopologyInformation = 0x8a,
  SystemMemoryChannelInformation = 0x8b,
  SystemBootLogoInformation = 0x8c,
  SystemProcessorPerformanceInformationEx = 0x8d,
  SystemSpare0 = 0x8e,
  SystemSecureBootPolicyInformation = 0x8f,
  SystemPageFileInformationEx = 0x90,
  SystemSecureBootInformation = 0x91,
  SystemEntropyInterruptTimingRawInformation = 0x92,
  SystemPortableWorkspaceEfiLauncherInformation = 0x93,
  SystemFullProcessInformation = 0x94,
  SystemKernelDebuggerInformationEx = 0x95,
  SystemBootMetadataInformation = 0x96,
  SystemSoftRebootInformation = 0x97,
  SystemElamCertificateInformation = 0x98,
  SystemOfflineDumpConfigInformation = 0x99,
  SystemProcessorFeaturesInformation = 0x9a,
  SystemRegistryReconciliationInformation = 0x9b,
  MaxSystemInfoClass = 0x9c,
};


w8.1 preview W32pServiceTable 64bit

W32pServiceLimit .eq. 0x40A

w8.1 preview KiServiceTable 64bit

KiServiceLimit .eq. 0x1B1

w8.1 preview W32pServiceTable

W32pServiceLimit eq 0x408

apisetschema.dll from w8.1 preview

to compare with

openssl-1.0.1e

How to build subj for windows 64bit ? Offical solutions do not work

perl Configure VC-WIN64A
nmake
makefile(609) : fatal error U1002: syntax error : invalid macro invocation '$'
Stop.

O`k, second way:  
ms\do_win64a.bat
nmake -f ms/nt.mak
...
perl crypto\sha\asm\sha256-586.pl tmp32\sha256-586.asm
Pick one target type from
        elf     - Linux, FreeBSD, Solaris x86, etc.
        a.out   - DJGPP, elder OpenBSD, etc.
        coff    - GAS/COFF such as Win32 targets
        win32n  - Windows 95/Windows NT NASM format
        nw-nasm - NetWare NASM format
        macosx  - Mac OS X
NMAKE : fatal error U1077: 'C:\Perl\bin\perl.EXE' : return code '0x1'
Stop.


Wtf, why sha256-586 ? Lets check:  
dir /b crypto\sha\asm\*64.pl
sha1-ia64.pl
sha1-x86_64.pl
sha512-ia64.pl
sha512-x86_64.pl


So source tree does not even contain sha256-x86_64.pl !

IDA loader of .dcu files from XE4

Download mirror
Supported 32 & 64bit, osx32 & iossimulator (both 32bit) .dcu files from xe4
x64 debug versions are not supported

building botan with openssl

I`ll describe how to build this cool crypto library with openssl with msvc
It seems that configure.py does not allow you to set additional include & library directories for external packets like openssl/zlib etc
So I used dirty hack
First you just must run configure.py:
python configure.py --cc=msvc --cpu=p4 --enable-asm --with-openssl

Now you can just patch generated Makefile:  
CXX           = cl /MD /IC:\work\src\crypto\openssl-0.9.8y\include
LINK_TO       = advapi32.lib C:\work\src\crypto\openssl-0.9.8y\out32\libeay32.lib user32.lib gdi32.lib

You also need to add gdi32.lib bcs it is used in openssl for functions like DeleteDC. So now you are able build both botan.dll and check.exe:
nmake 
nmake check 
check --test

delphi xe4

I know you may not believe me but this zombie is still alive
So if you want some support for dcu loader for this version - you can share all dcu & dcc32/dcc64.exe and pay me thousands of dollars, he-he

qmake - wtf ?

I tried today build fresh eql from git and got 16815 errors from linker !
After a comparison with the old version I found that qmake generating different Makefile.Release:
< DEFINES       = -DUNICODE -DWIN32 -DQT_LARGEFILE_SUPPORT -DEQL_LIBRARY -DQT_NAMESPACE=QT -DQT_DLL -DQT_NO_DEBUG -DQT_NO_KEYWOR
DS -DQT_XML_LIB -DQT_GUI_LIB -DQT_CORE_LIB -DQT_HAVE_MMX -DQT_HAVE_3DNOW -DQT_HAVE_SSE -DQT_HAVE_MMXEXT -DQT_HAVE_SSE2 -DQT_THRE
AD_SUPPORT
---
> DEFINES       = -DUNICODE -DWIN32 -DQT_LARGEFILE_SUPPORT -DEQL_LIBRARY -DQT_DLL -DQT_NO_DEBUG -DQT_NO_KEYWORDS -DQT_XML_LIB -D
QT_GUI_LIB -DQT_CORE_LIB -DQT_HAVE_MMX -DQT_HAVE_3DNOW -DQT_HAVE_SSE -DQT_HAVE_MMXEXT -DQT_HAVE_SSE2 -DQT_THREAD_SUPPORT

Yes, was used the same version of qmake in both cases
Wtf ?

Update: I found real reason of such behaviour - it`s bcs I forgot add DEFINES     += QT_NAMESPACE=QT to each of eql .pro files. I think this is very annoying and error-prone to fix every .pro file

how Rootkit.Avatar looks like in wincheck logs

Many thanks to Anton Cherepanov for wincheck log from infected machine
Detailed description of avatar can be found here

1) FS Change notifiers
FS Change notifiers: 3 (actual 3)
DriverObj 8B6A31B8 addr 8362CBDA \SystemRoot\system32\drivers\fltmgr.sys
DriverObj 8BEC91B8 addr 8C477D40 UNKNOWN
DriverObj 8B6A31B8 addr 8362CBDA \SystemRoot\system32\drivers\fltmgr.sys

2) Pnp Notifiers
Pnp Notifiers: total 19, readed 19
...
 Pnp[6] CategoryHardwareProfileChange DEVINTERFACE_MT_COMPOSITE addr 92FE793A \SystemRoot\system32\DRIVERS\CompositeBus.sys
 Pnp[7] CategoryHardwareProfileChange DEVINTERFACE_DISK addr 8B618180 UNKNOWN
 Pnp[8] CategoryHardwareProfileChange DEVINTERFACE_HIDDEN_VOLUME addr 8356D3E0 \SystemRoot\system32\DRIVERS\volmgr.sys
 
3) numerous driver patches

windows 8.1 (build 9374) netio.sys exports

In addition to

windows 8.1 (build 9374) ndis.sys exports

In addition to

windows 8.1 interrupts

I just try to find some differences from w8 rtm:
w8 rtm _KiTrap02:
 cli
 mov     eax, large fs:40h
 
w8.1 _KiTrap02:
 cli
 clts
 mov     eax, large fs:40h

Also it seems that w8.1 requires processor with SSE - check for example w8.1 _KiTrap03:
  stmxcsr dword ptr [ebp+48h]
  ldmxcsr large dword ptr fs:8
  sub   esp, 80h
  and   esp, 0FFFFFFF0h
  mov   esi, esp
  movaps oword ptr [esi], xmm0
  movaps oword ptr [esi+10h], xmm1
  movaps oword ptr [esi+20h], xmm2
  movaps oword ptr [esi+30h], xmm3
  movaps oword ptr [esi+40h], xmm4
  movaps oword ptr [esi+50h], xmm5
  movaps oword ptr [esi+60h], xmm6
  movaps oword ptr [esi+70h], xmm7


RPat another update

I rebuild today RPat with mingw gcc 4.6.2 and binutils 2.23.2
Fresh version can be downloaded here
New object files formats was added in binutils 2.23.2:

• elf32-epiphany
• elf32-powerpc-freebsd
• elf32-rl78
• elf32-tilegx-be
• elf32-tilegx-le
• elf32-xgate

dcu2pat

I wrote today some simple hack tool for creating signatures from delphi .dcu files for IDA flair
The main idea is very simple - flair expects .pat file to produce .sig file with signatures. So I just add some logic to my .dcu files loader to generate .pat files in right format
Supported Delphi versions:

• Delphi 2007 (v12)
• Delphi 2009 (v14)
• Delphi 2010 (v15)
• Delphi XE (v16)
• Delphi XE2 (v17)

Download
signatures for delphi 2007
.pat files
Sample of using:

apisetschema.dll from w8.1 (build 9374)

To compare with

VfXdvThunks in windows 8.1 (build 9374)

Added functions:

• IoSetDeviceToVerify
• RtlCompareUnicodeString
• RtlDowncaseUnicodeChar
• RtlEqualUnicodeString
• RtlFreeUnicodeString
• RtlGenerateClass5Guid
• RtlGUIDFromString
• RtlHashUnicodeString
• RtlStringFromGUID
• RtlUnicodeToUTF8N
• RtlUpcaseUnicodeChar
• RtlUTF8ToUnicodeN
• RtlxAnsiStringToUnicodeSize
• RtlxUnicodeStringToAnsiSize

windows 8.1 (build 9374) user32.dll exports

InjectTabletButton, he-he

windows 8.1 (build 9374) ntdll.dll exports

NtXXX added functions:

• NtSetTimer2
• NtCancelTimer2
• NtCreateTimer2

windows 8.1 (build 9374) ntoskrnl.exe exports

Wtf is PsIsProtectedProcessLight ?

KiServiceTable for windows 8.1 (build 9374)

KiServiceLimit eq 0x1B1

new items in CmControlVector on windows 8.1 (build 9374)

Just to compare with CmControlVector from w8

• Session Manager\Memory Management - EnableCfg
• Session Manager\Kernel - VerifierDpcScalingFactor
• Session Manager\Kernel - KernelSEHOPEnabled
• Session Manager\Kernel - MaximumSharedReadyQueueSize
• Session Manager\Kernel - DisableAutoBoost
• Session Manager\Power - SleepStudyDisabled
• Session Manager\Power - SleepStudyDeviceAccountingLevel
• Session Manager\Power - ThermalZoneMetricsSqmPeriod
• Power - LatencyToleranceDefault
• Power - LatencyTolerancePerfOverride
• Power - LatencyToleranceVSyncEnabled
• Power - LatencyToleranceFSVP
• Power - LatencyToleranceScreenOffIR
• Session Manager\Debug Print Filter - WER
• Session Manager - AlpcWakePolicy

wincheck rc8.45

Download mirror
Changelog:

• add dumping of ObTypeIndexTable (thnx to Nikita Tarakanov for this paper)
• add checking of partmgr!PmFilterDispatch & partmgr!PmLegacyDispatch
• lots of fixes in udis86 disasm
• some other bugs were fixed

Metasploit - A Penetration Tester's Guide

Page 251

Before you begin, download and install Metasploit’s vulnerable Linux virtual machine called Metasploitable. (You can find it at http://www.thepiratebay.org/torrent/5573179/Metasploitable/)

OH SH—

The Garbage Collection Handbook

I finished reading this book today
This is just incredible useful book especially if you writing application-specific heap-spray detectors

Site
Bibliography
Glossary

wincheck rc8.44

Download mirror
Changelog:

• add dumping of registered MINIRDR_DISPATCH in rdbss. Sample of output:
  rdbss registered devs count: 1
 [0] DevObj 8A98E030 DrvObj 8AC45C28 - \SystemRoot\system32\DRIVERS\mrxsmb.sys
  MINIRDR_DISPATCH at A8D949A0:
   MRxStop: A8DABFD3 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxCancel: A8DC069A \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxCollapseOpen: A8D9A60E \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxShouldTryToCollapseThisOpen: A8D9CF1A \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxFlush: A8D9AA23 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxZeroExtend: A8DA490E \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxCleanupFobx: A8D9A403 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxCloseSrvOpen: A8D9A4AC \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxDeallocateForFcb: A8D9A2B0 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxDeallocateForFobx: A8D9A410 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxIsLockRealizable: A8D98623 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxForceClosed: A8DA01C1 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxOpenPrintFile: A8D9A403 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxClosePrintFile: A8D787FF \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxSetFileInfo: A8D9DA55 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxSetFileInfoAtCleanup: A8D9C941 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxQueryEaInfo: A8D9E1B1 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxSetEaInfo: A8D98623 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxQuerySdInfo: A8DBEFC1 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxSetSdInfo: A8DBEC6C \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxQueryQuotaInfo: A8DBE953 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxSetQuotaInfo: A8DBEA90 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxQueryVolumeInfo: A8D883E7 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxSetVolumeInfo: A8D885C9 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxIsValidDirectory: A8D9C6B5 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxComputeNewBufferingState: A8DBF506 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxLowIOSubmit[LOWIO_OP_READ]: A8DBF362 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxLowIOSubmit[LOWIO_OP_WRITE]: A8D9F98F \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxLowIOSubmit[LOWIO_OP_SHAREDLOCK]: A8D9F7D6 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxLowIOSubmit[LOWIO_OP_EXCLUSIVELOCK]: A8D9EA5B \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxLowIOSubmit[LOWIO_OP_UNLOCK]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxLowIOSubmit[LOWIO_OP_UNLOCK_MULTIPLE]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxLowIOSubmit[LOWIO_OP_FSCTL]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxLowIOSubmit[LOWIO_OP_IOCTL]: A8DA0629 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxLowIOSubmit[LOWIO_OP_NOTIFY_CHANGE_DIRECTORY]: A8DA1E1F \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxLowIOSubmit[LOWIO_OP_CLEAROUT]: A8DC00F2 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxCompleteBufferingStateChangeRequest: A8D9E639 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxCreateVNetRoot: A8DBF9A2 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxFinalizeVNetRoot: A8D9FF36 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxFinalizeNetRoot: A8DA21EF \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxUpdateNetRootState: A8D78B02 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxExtractNetRootName: A8DA14FB \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxCreateSrvCall: A8DA60E3 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxCancelCreateSrvCall: A8DA2385 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxSrvCallWinnerNotify: A8DA3529 \SystemRoot\system32\DRIVERS\mrxsmb.sys
   MRxDevFcbXXXControlFile: A8DA30A9 \SystemRoot\system32\DRIVERS\mrxsmb.sys

• fixed srvnet!SrvNetRegisterClient registered clients dumping for w8 32bit
• fixed bad rdbss!RxFsdDispatch detection on w8 32bit
• some other bugs were fixed

ZwQueryLicenseValue in windows 8 user-mode

appidapi.dll

• appid-EnableV2

appidsvc.dll

• appid-EnableV2

d3d9.dll

• TerminalServices-RemoteConnectionManager-b7857721-7a62-4a37-aff3-253fe2b8b0e8-MaxSessions

lsasrv.dll

• LSA-Policy-EnableTrustedDomains

lsm.dll

• TerminalServices-RemoteConnectionManager-AllowMultipleSessions
• TerminalServices-RemoteConnectionManager-b7857721-7a62-4a37-aff3-253fe2b8b0e8-MaxSessions

netjoin.dll

• WorkstationService-DomainJoinEnabled

sppwinob.dll

• Security-SPP-GenuineLocalStatus

sppobjs.dll

• Kernel-ExpirationDate

shell32.dll

• Security-SPP-GenuineLocalStatus
• Security-SPP-TokenActivation-AdditionalInfo

This license names used to determine if current windows license is time-based:

• Security-SPP-Reserved-TBLProductKeyType
• Security-SPP-Reserved-TBLState
• Security-SPP-Reserved-TBLRemainingTime

Also I wrote simple console program dumpwlic to hex-dump license value by name. Sample of using:

using ZwQueryLicenseValue in windows 8 drivers

Function ZwQueryLicenseValue gets the data for a particular license value. As you can see the first argument is PUNICODE_STRING for some license feature name. Let's see which names are checked in windows 8 kernel mode

kernel

• Kernel-ProductInfo - in function RtlGetProductInfo
• Kernel-ProductInfoLegacyMapping - in function RtlGetProductInfo
• Kernel-VirtualDynamicPartitioningSupported
• Kernel-VmPhysicalMemoryAddAllowed
• Kernel-RegisteredProcessors
• Kernel-CsChecksDisabled
• Kernel-PersistDefectiveMemoryList
• Kernel-ExpirationDate
• Kernel-MemoryMirroringSupported
• WSLicensingService-LOBSideloadingActivated

Also function RtlpGetWindowsPolicy checks following names:

• WindowsExcludedProcs
• Kernel-MUI-Number-Allowed
• Kernel-MUI-Language-Allowed
• Kernel-MUI-Language-Disallowed
• Kernel-MUI-Language-SKU

hal.dll

• Kernel-RegisteredProcessors

win32k.sys

• Microsoft-Windows-Core-THQAEnabled
• Microsoft-Windows-Core-AllowMultiMon

wincheck rc8.43

Download mirror
Changelog:

• add dumping of srvnet!SrvNetRegisterClient registered clients
• add dumping of WdfLdr registered libraries (-wdf or -full options). Sample of output:
    RegService: \Registry\Machine\System\CurrentControlSet\Services\Wdf01000
  DrvName: Wdf01000.sys
  Module: FFFFF880010D4000 \SystemRoot\system32\drivers\Wdf01000.sys
  WdfLibraryInfo: FFFFF8800117E128 \SystemRoot\system32\drivers\Wdf01000.sys
• some other bugs were fixed

UCXFunctions.idc

It seems that KMDF has possibility to register extension drivers with undocumented (as usually) function WdfRegisterClassLibrary
For example driver Ucx01000.sys (USB host controller extension) contains functions table which I named UCXFUNCTIONS. I wrote simple IDC script to find and add this structure (in addition to ordinary WDFFUNCTIONS) in clients drivers of this extension

srvnet!SrvNetRegisterClient registered clients

It seems that undocumented function srvnet!SrvNetRegisterClient accepts as first argument some structure with handlers. Lets see how it was stored and how we can extract it.

    mov eax, [ebp+srvnet_clnt] ; first argument
    push esi
    movzx esi, word ptr [eax]  ; UNICODE_STRING.Length
    add esi, 84h  ; plus some internal structure size
    push edi
    push 'fbSL'   ; Tag
    push esi      ; NumberOfBytes
    push 200h     ; PoolType
    call ds:__imp__ExAllocatePoolWithTag
  ...
    mov edx, [ebp+srvnet_clnt]
    mov esi, edx
    lea edi, [ebx+4Ch] ; ebx holds allocated memory address
    mov ecx, 8         ; size 4 * 8 = 0x20 bytes
    rep movsd

It seems that input structure srvnet_clnt was copied in offset 0x4c. Prototype of srvnet_clnt: 

struct srvnet_clnt
{
/*  0 */  UNICODE_STRING Name;
/*  8 */  PBYTE RegisterEndpointHandler;
/*  C */  PBYTE DeregisterEndpointHandler;
/* 10 */  PBYTE NegotiateHandler;
/* 14 */  PBYTE ConnectHandler;
/* 18 */  PBYTE ReceiveHandler;
/* 1C */  PBYTE DisconnectHandler;
/* 20 */  PBYTE CredentialHandler;
};

Lets see how this allocated buffer was used next:
    mov edx, _SrvNetDeviceExtension ; some global ptr in srvnet.sys
    cmp dword ptr [edx+0ECh], 4     ; seems like max count check
    mov [ebp+var_1], al
    jge loc_27DAE
    xor eax, eax  ; zero index before cycle
loc_14911:
    movzx ecx, ax
    cmp dword ptr [edx+ecx*4+0DCh], 0 ; check for next free ptr
    jnz loc_149E8
loc_14922:
    lea ecx, [edx+38h]
    cmp ax, 4    ; check for max count
    jz  loc_27E16
    ...
    inc dword ptr [edx+0ECh]  ; inc count of clients
    mov [edx+eax*4+0DCh], ebx ; store current client ptr
loc_149E8:
    inc eax       ; inc current index
    cmp ax, 4     ; again check for max count
    jb  loc_14911 ; go to next cycle
    jmp loc_14922 ; out of cycle

It`s easy to see that all registered clients stored in some internal structure (its address can be found in srvnet!SrvNetDeviceExtension var) in fixed-size (max 4) buffer at offset 0xDC and count of registered clients located at offset 0xEC

wincheck rc8.42

Download mirror
Changelog:

• add dumping of HW_INITIALIZATION_DATA for scsiport & storport driver extensions (-dext option)
• add checking of Hub[PF]doGenDispatch/Hub[PF]doPnPDispatch from usbhub (-usb option)
• some other bugs were fixed

HW_INITIALIZATION_DATA in storport driver extensions

Function StorPortInitialize has struct HW_INITIALIZATION_DATA as third args, but where this structure is stored ?
Run wincheck.exe -alldrv -dext -f dext.log and see dext.log for storport.sys driver extensions:

Driver \Driver\LSI_SCSI extensions:
 8389AA78 Key 80738711 \SystemRoot\system32\drivers\storport.sys

Check address 8389AA78 in windbg:

HW_INITIALIZATION_DATA in scsiport driver extensions

Function ScsiPortInitialize has struct HW_INITIALIZATION_DATA as third args, but where this structure is stored ?
Run wincheck.exe -alldrv -dext -f dext.log and see dext.log for scsiport.sys driver extensions:

Driver \Driver\viamraid extensions:
 8658FAC0 Key F7415F74 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS

wincheck rc8.41

Download mirror
Changelog:

• add -dext option to dump all driver extensions
• add checking of  (Fdo|Pdo)PnpDispatchTable, (Fdo|Pdo)PowerDispatchTable & (Fdo|Pdo)WmiDispatchTable in pciidex.sys
• checking of CLASS_DRIVER_EXTENSION now works under w2k
• some other bugs were fixed

wincheck rc8.40

Download mirror

Add checking & dumping of CLASS_INIT_DATA & CLASS_DRIVER_EXTENSION. Output sample:
Driver Disk DrvObj FFFFFA8007F15640:
...
CLASS_DRIVER_EXTENSION: FFFFFA8007F15090
 Fdo.ClassError: FFFFF88001B4F430 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassReadWriteVerification: FFFFF88001B4F010 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassDeviceControl: FFFFF88001B4F1F0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassShutdownFlush: FFFFF88001B57010 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassInitDevice:    FFFFF88001B5DCE0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassStartDevice:   FFFFF88001B5C4F0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassPowerDevice:   FFFFF88001B4FA94 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassStopDevice:    FFFFF88001B503F0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassRemoveDevice:  FFFFF88001B5AF10 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassQueryWmiRegInfo:   FFFFF88001B57B60 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassQueryWmiDataBlock: FFFFF88001B5C9D0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassSetWmiDataBlock:   FFFFF88001B5C7F0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassSetWmiDataItem:   FFFFF88001B58850 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassExecuteWmiMethod: FFFFF88001B5D3A0 \SystemRoot\system32\DRIVERS\disk.sys
 Fdo.ClassWmiInfo.ClassWmiFunctionControl: FFFFF88001B5D900 \SystemRoot\system32\DRIVERS\disk.sys
 ClassAddDevice: FFFFF88001B5B000 \SystemRoot\system32\DRIVERS\disk.sys
 ClassUnload:  FFFFF88001B5AD10 \SystemRoot\system32\DRIVERS\disk.sys
 

wincheck rc8.39

Download mirror
Changelog:

• add checking of callbacks registered with IoRegisterIoTracking (w8 only)
• add checking of advapi32.dll!g_ActivationStateCallback
• lots of GUID names was added for PoRegisterPowerSettingCallback
• fixed error "Cannot resolve WdfFunctions for tpm.sys"
• some other bugs were fixed

rubygems pwned

details

curl.exe -I rubygems.org
HTTP/1.1 200 OK
Server: nginx/1.2.2

he-he

wincheck rc8.38

Download mirror
Changelog:

• add checking of old mfc42 CRuntimeClasses in .data section
• fixed bug in PE exports reader
• add checking of AppHelp.dll encoded handlers in kernel32.dll. Sample of output:
  gApphelpGlobals: 1
 Apphelp.ApphelpCheckRunAppEx: c:\windows\system32\apphelp.dll (000007FEFDBF5B70)
 Apphelp.ApphelpQueryModuleDataEx: c:\windows\system32\apphelp.dll (000007FEFDC0A4A8)
 Apphelp.ApphelpCreateAppcompatData: c:\windows\system32\apphelp.dll (000007FEFDBF1090)
 Apphelp.SdbInitDatabaseEx: c:\windows\system32\apphelp.dll (000007FEFDBF5084)
 Apphelp.SdbReleaseDatabase: c:\windows\system32\apphelp.dll (000007FEFDBF4F10)
 Apphelp.SdbUnpackAppCompatData: c:\windows\system32\apphelp.dll (000007FEFDBFE540)
 Apphelp.SdbQueryContext: c:\windows\system32\apphelp.dll (000007FEFDBFD18C)
• some other bugs were fixed

bug in Malware and Rootkits Secrets and Solutions

Code from appendix of this book:
 pModuleList=ExAllocatePoolWithTag(NonPagedPool,bufsize,MY_TAG);
 //oops, out of memory...
 if (pModuleList == NULL)
 {
    DbgPrint("\nExamineDriverIrpTables():  [0] Out of memory.\n");
    return;
 }
 nt=ZwQuerySystemInformation(SystemModuleInformation,
                             pModuleList,
                             bufsize,
                             returnLength);
 if (nt != STATUS_SUCCESS)
 {
       DbgPrint("\nExamineDriverIrpTables():  [0] Error:
             ZwQuerySystemInformation() failed\n.");
       return;
 } 
Yeah, memory leak - when authors prepare for memory freeing if call to ZwQuerySystemInformation was unsuccessful ?

hidden processes in wincheck log

It`s easy to make cross-scan of processes and threads from scheduler (run wincheck with -sched or -full options) and analyze produced log
Simple perl script for this tedious task:

wincheck rc8.37

Download mirror
Changelog:

• add checking of CrashdmpCallTable
• add checking of drivers in crash dump stack (crashdmp.sys & dump_XXX.sys)
• some other bugs were fixed

crashdmp.sys & CrashdmpCallTable

I noticed in cool presentation "Regaining Control of Your Disk in the Presence of Bootkits" that DriverEntry of crashdmp.sys has strange prototype:

  mov   ebx, [ebp+arg_4] ; DriverEntry(IN PDRIVER_OBJECT DriverObject, IN PUNICODE_STRING RegistryPath). Do we really write to RegistryPath here ?
  test  ebx, ebx
  cmp   dword ptr [ebx], 1
  jz    short loc_19038
  cmp   dword ptr [ebx+4], 4
  jz    short loc_19038
loc_19038:
  ...
  mov   dword ptr [ebx], 1
  mov   dword ptr [ebx+4], 4
  mov   dword ptr [ebx+8], offset _CrashdmpInitialize@16
  mov   dword ptr [ebx+0Ch], offset _CrashdmpLoadDumpStack@20
  mov   dword ptr [ebx+10h], offset _CrashdmpInitDumpStack@8
  mov   dword ptr [ebx+14h], offset _CrashdmpFreeDumpStack@4
  mov   dword ptr [ebx+18h], offset _CrashdmpDisable@0
  mov   dword ptr [ebx+1Ch], offset _CrashdmpNotify@12
  mov   dword ptr [ebx+20h], offset _CrashdmpWrite@8
  mov   dword ptr [ebx+24h], offset _CrashdmpUpdatePhysicalRange@4
  mov   dword ptr [ebx+28h], offset _CrashdmpResumeCapable@4
  mov   dword ptr [ebx+2Ch], offset _CrashdmpGetTransferSizes@8
  mov   dword ptr [ebx+30h], offset _CrashdmpLogStatusData@16
  mov   dword ptr [ebx+34h], offset _CrashdmpReady@0

Lets check crashdmp.sys loading mechanics in kernel:

ida 6.4

Changelog
[sarcasm mode on]

PC: added decoding of AVX, AVX2, FMA, BMI1, BMI2, F16C, ADX, RDSEED, SMAP, INVPCID, RTM x86 extensions

I just cant believe it, he-he

UI: moved to Qt 4.8.3

I foresee another bloody quest to build pyside in nearest couple of weeks (for example bcs pyside for qt 4.8.3 is still missed in IDA download center)

DWARF: detect and apply Dwarf debug info for ELF and Mach-O files

Why I don`t see mingw here ?

IDS: add IDT files for mfcNN.dll and msvcrNN.dll for VC9/10/11

Oh yeah baby, he-he

IDAPython: wrap obsolete IDA API functions too, so that old scripts continue to work

And there is still no support for functions from include\intel.hpp like x86_scale. Perhaps bcs this functions are not enough "obsolete", he-he

[sarcasm mode off]

wincheck rc8.36

Download mirror
Changelog:

• BSOD fix on w8/windows server 2012 64bit
• add more names of USB_CONTROLLER_INTERFACE functions
• some other bugs were fixed