пятница, 26 июля 2013 г.

wincheck rc8.48

Download mirror
  • add some support of windows server 2012 r2
  • fixed logic for addresses extracting from windows 8.1 preview win32k.sys
  • fixed opening of protected processes on windows 8.1 preview
  • add checking of dxgi!g_pDebugPrivate & dxgi!g_pDXGIMessage
  • some other bugs were fixed 

среда, 17 июля 2013 г.

updated perl binding for IDA Pro

I add functions for accessing cmd structure
Now you can do things like this:
#!perl -w
use strict;
use warnings;
use IDA;

my $addr = ScreenEA();
my $href = ua_ana($addr);
my $str = GetDisasm($addr);
if ( defined($href) )
  my $iter;
  printf("real: %s, %s:\n", $str, get_mnem);
  foreach $iter ( keys %$href )
    printf("%s: %X\n", $iter, $href->{$iter});
  my $op_idx;
  for ( $op_idx = 0; $op_idx < 6; $op_idx++ )
    my $op = get_op($op_idx);
    last if ( !defined $op );
    printf("operand %d:\n", $op_idx);
    foreach $iter ( keys %$op )
      printf(" %s ", $iter);
      print $op->{$iter} . "\n";

среда, 10 июля 2013 г.

wincheck rc8.47

Download mirror
  • interrupts dumping now works on w8.1 preview 32bit
  • fixed NDIS interfaces under w8.1 preview
  • fixed registry notifiers for w8.1 preview 64bit
  • modules loaded by wdfldr now shown under w8.1 preview
  • fixed WMI regentries for w8.1 preview 64bit
  • add dumping handlers registsred with KdRegisterPowerHandler

понедельник, 8 июля 2013 г.

interrupts in w8.1

Lets see what windbg !idt command say:
Dumping IDT:

37: 817d0acc hal!HalpX86InterruptSpuriousService
c0: 817d0b78 hal!HalpX86InterruptStubService
d1: 817d1878 hal!HalpTimerClockInterrupt
d2: 817d1b54 hal!HalpTimerClockIpiRoutine
df: 817d1128 hal!HalpX86InterruptRebootService
e1: 817d1388 hal!HalpX86InterruptIpiService
e2: 817d0e50 hal!HalpX86InterruptLocalErrorService
fd: 817d210c hal!HalpTimerProfileInterrupt
fe: 817d23f0 hal!HalpPerfInterrupt

четверг, 4 июля 2013 г.

wincheck rc8.46

Download mirror
Some initial support of windows 8.1 preview was added
Known problems:
  • -idt option does not work on 32bit w8.1. Btw !idt command in windbg also shows trash
  • NDIS interfaces are not shown 
  • registry notifiers are not shown on w8.1 64bit
  • modules loaded by wdfldr are not shown

вторник, 2 июля 2013 г.

w8.1 preview GetVersionEx - wtf ?

Some simple code:

 ZeroMemory(&osvi, sizeof(OSVERSIONINFOEX));
 osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX);

 if (!::GetVersionExW((LPOSVERSIONINFOW)&osvi))
   return 0;
 printf("Major %d Minor %d\n", osvi.dwMajorVersion, osvi.dwMinorVersion);

produces output
Major 6 Minor 2

O`k, next code sample:
  memset(&osverEx, 0, sizeof(osverEx));
  osverEx.dwOSVersionInfoSize = sizeof(osverEx);
  NTSTATUS res = RtlGetVersion((PRTL_OSVERSIONINFOW)&osverEx);
  if ( NT_SUCCESS(res) )

    printf("Major %d Minor %d\n", osverEx.dwMajorVersion, osverEx.dwMinorVersion);

produces output:
Major 6 Minor 3
wtf ?