Just finished writing my second Windows kernel Practical Reverse Engineering solution: "Dumping DPC Queues: Adventures in HIGH_LEVEL IRQL"
Writing signatures for undocumented Windows kernel stuff in HIGH_LEVEL IRQL sure is fun (BSODs are also fun)
https://repnz.github.io/posts/practical-reverse-engineering/dumping-dpc-queues/
-
Did you know NtUserMsgWaitForMultipleObjectsEx? Probably a win32k syscall that can be used instead of NtWaitForMultipleObjects https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-msgwaitformultipleobjects
-
Practical Reverse Engineering is an awesome book with insightful Windows kernel exercises - I decided to complete all of the exercises and post complete write-ups to my solutions

Here's the first one: Reversing AuxKlibQueryModuleInformation
https://repnz.github.io/posts/practical-reverse-engineering/query-module-information/
-
Hardcoding _KPCR offsets ha? MSDN: Do not use undocumented structures! Someone in the header file: this structure is not going to change from version to version! The offset to the PRCB in the PCR is fixed for all time! Trust me developer! ME:

Also me: *Installs Linux*
-
I wrote a guide for beginners about Windows library code :) In this guide I describe how the compilation and linkage model works in Windows at the assembly level - static and dynamic libraries, etc. Have fun
https://repnz.github.io/posts/reversing-windows-libraries/
-
Everyone knows Driver Signature Enforcement....
The problem is: Attackers can load any signed driver and abuse its functionality. For example, the process hacker driver can be abused to dump the memory of lsass.exe.
Read about it in my blog
https://repnz.github.io/posts/abusing-signed-drivers/
-
Finally had some time to write about the autochk rootkit. Nothing too fancy, but I do think it's nice :) The rootkit redirects hidden files and hides network connections. It's signed by a Chinese company. I reconstructed the full source code just for fun ;) https://repnz.github.io/posts/autochk-rootkit-analysis/
-
While reverse engineering a rootkit sample (that I will soon publish about) I saw this weird compiler optimization.
I thought I'll start documenting compiler optimizations for reverse engineers. Read my first article in the series:
https://repnz.github.io/posts/reversing-optimizations-division/
-
Although you do have AuxKlibQueryModuleInformation..?
-
Inside RtlExitUserThread, there's a check using NtQueryInformationThread(ThreadAmILastThread) to see if it's the last thread. If it is, the code will call RtlExitUserProcess which is exported by the name "ExitProcess"
Seems like there's a little race condition lol.
-
Normally the top of the callstack is ntdll!RtlUserThreadStart and it calls kernel32!BaseThreadInitThunk. After the code of the executable returns, there's a call to RtlExitUserThread (which is exported from kernel32 as ExitThread).
-
The entry point of an executable is normally the runtime initialization code - so how can you easily find main()? Just find the reference to exit() / ExitProcess() and look where rax comes from
Just remember to xref exit cause sometimes it will be called by another function..
-
Found this funny driver: The pdc.sys Windows driver has a DriverUnload routine but it calls KeBugCheckEx causing a bluescreen. Just run "sc stop pdc" and see for yourself ;) I wonder why they registered DriverUnload if the driver does not support unload..
-
5/ This is the general problem with __fastcall. If you have better answers to "why did they choose fastcall?" I'll be happy to hear. At least it's consistent (compared to 32 bit stdcall/cdecl/__fastcall..) AND we haven't talked about local variables yet.. This is the last example:
-
2/ But wait, what is this magical allocation over there?
I thought stack space is used only for functions with more than 4 arguments, so what's this?
Maybe our answer lies in the called function:
-
1/ Ready to talk about some Windows x64 assembly?
As you may know, Windows uses a "fastcall" calling convention in x64. In contrast to most Windows 32 bit calling conventions, arguments are passed using registers: RCX, RDX, R8, R9, and the rest is passed on the stack.
-
Like ProcessBreakOnTermination, NtSetInformationThread(ThreadBreakOnTermination) can be used to mark a thread as a critical thread, meaning that if you try to kill it the computer will bluescreen!
Read my write-up here:
https://github.com/repnz/set-critical-thread