IoBlockLegacyFsFilters - wut ?
Thursday, 17 March 2016
Monday, 14 March 2016
apisetschema.dll from windows 10 build 14279
Several new modules were added:
- onecoreuap-print-render
- onecoreuap-settingsync-status
- win-core-ums
- win-gdi-internal-uap
- net-eap-sim
- win-audiocore-coreaudiopolicymanager
- win-casting-shell
- win-com-psmregister
- win-desktopappx
- win-direct2d-desktop
- win-dx-ddraw
- win-gaming-xinput
- win-kernelbase-packagebreakaway
- win-media-avi
- win-mf-vfw
- win-ntuser-private
- win-rtcore-ntuser-wmpointer
- win-security-shutdownext
- win-uwf-servicing-apis
Thursday, 3 March 2016
lxcore syscall table
I can't get symbols for lxcore.sys, so I just wrote a simple IDC script. Each item in the table has a very simple structure:
PAGE:00000001C0046620 imul r14, r12, 38h ; size of item in syscall table
PAGE:00000001C0046624 mov r15, rax
PAGE:00000001C0046627 lea rax, lx_ssdt
PAGE:00000001C004662E add r14, rax
PAGE:00000001C0046631 cmp r12, 136h ; count of items in syscall table
PAGE:00000001C0046638 jnb loc_1C00467AE
The string with the method name and its arguments is located at offset 0x10.
IDC script to dump the syscall table from lxcore.sys:
#include <idc.idc>
static main(void)
{
  auto addr, name, fp, idx, s_addr;
  fp = fopen("lx.dmp", "w");
  if ( !fp )
  {
    return;
  }
  addr = 0x1C0008110;  // lx_ssdt
  // 0x136 items of 0x38 bytes each (see the cmp/imul above)
  for ( idx = 0; idx < 0x136; idx = idx + 1, addr = addr + 0x38 )
  {
    s_addr = Qword(addr + 0x10);  // pointer to "name(args)" string at offset 0x10
    fprintf(fp, "%X\t", idx);
    if ( s_addr != 0 )
    {
      // dump string
      for ( ; ; s_addr = s_addr + 1 )
      {
        name = Byte(s_addr);
        if ( !name )
          break;
        fprintf(fp, "%c", name);
      }
    }
    fprintf(fp, "\n");
  }
  fclose(fp);
}
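The same layout can be walked outside IDA, over a raw image, as an added example (Python, not the blog's IDC script). It assumes a flat byte buffer loaded at 0x1C0000000, so the lx_ssdt address above resolves inside it, and it builds a constructed three-entry table to parse; a NULL name pointer is reported as an unnamed entry, and an unterminated string or a pointer outside the image is an error instead of a silent read past the buffer.

```python
import struct

IMAGE_BASE = 0x1C0000000   # assumed load base; the lx_ssdt address below sits inside it
TABLE_VA = 0x1C0008110     # lx_ssdt address used by the IDC script above
ENTRY_SIZE = 0x38          # imul r14, r12, 38h
ENTRY_COUNT = 0x136        # cmp r12, 136h
NAME_OFFSET = 0x10         # qword pointer to the "name(args)" string inside each entry


def read_cstring(image, va, max_len=256):
    """Read the NUL-terminated ANSI string at virtual address va."""
    off = va - IMAGE_BASE
    if not 0 <= off < len(image):
        raise ValueError("string pointer %#x outside image" % va)
    end = image.find(b"\0", off, off + max_len)
    if end < 0:
        raise ValueError("unterminated string at %#x" % va)
    return image[off:end].decode("ascii", errors="replace")


def parse_syscall_table(image, table_va=TABLE_VA, count=ENTRY_COUNT):
    """Return [(index, name_or_None), ...], the same rows lx.dmp holds."""
    base = table_va - IMAGE_BASE
    if base < 0 or base + count * ENTRY_SIZE > len(image):
        raise ValueError("table does not fit inside the image")
    rows = []
    for idx in range(count):
        (name_va,) = struct.unpack_from("<Q", image, base + idx * ENTRY_SIZE + NAME_OFFSET)
        rows.append((idx, read_cstring(image, name_va) if name_va else None))
    return rows


def build_sample_image(names):
    """Constructed image: a len(names)-entry table at TABLE_VA, strings packed after it."""
    table_off = TABLE_VA - IMAGE_BASE
    image = bytearray(table_off + len(names) * ENTRY_SIZE)  # zeroed table; unnamed = NULL
    for idx, name in enumerate(names):
        if name is not None:
            struct.pack_into("<Q", image, table_off + idx * ENTRY_SIZE + NAME_OFFSET,
                             IMAGE_BASE + len(image))
            image += name.encode("ascii") + b"\0"
    return bytes(image)


if __name__ == "__main__":
    # constructed names, not real lxcore entries
    sample = build_sample_image(["sample_read(fd, buf, n)", None, "sample_write(fd, buf, n)"])
    for idx, name in parse_syscall_table(sample, count=3):
        print("%X\t%s" % (idx, name or ""))
```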
And the table itself: