Ori Damari

@0xrepnz

Low level developer, Reverse engineer, Windows kernel

0x7c00
Joined May 2018

Media

  1. 18 Jan

    Just finished writing my second Windows kernel Practical Reverse Engineering solution: "Dumping DPC Queues: Adventures in HIGH_LEVEL IRQL" 🥳 Writing signatures for undocumented Windows kernel stuff in HIGH_LEVEL IRQL sure is fun (BSODs are also fun) 😎

  2. 10 Jan

    Did you know NtUserMsgWaitForMultipleObjectsEx? Probably a win32k syscall that can be used instead of NtWaitForMultipleObjects

  3. 27 Dec 2019

    Practical Reverse Engineering is an awesome book with insightful Windows kernel exercises - I decided to complete all of the exercises and post complete write-ups to my solutions 😛🥳 Here's the first one: Reversing AuxKlibQueryModuleInformation

  4. 22 Dec 2019

    Hardcoding _KPCR offsets ha? MSDN: Do not use undocumented structures! Someone in the header file: this structure is not going to change from version to version! The offset to the PRCB in the PCR is fixed for all time! Trust me developer! ME: 😵😏 Also me: *Installs linux*

  5. 9 Dec 2019

    I wrote a guide for beginners about Windows library code :) In this guide I describe how the compilation and linkage model works in Windows at the assembly level - static and dynamic libraries, etc. Have fun 🙃

  6. 16 Nov 2019
  7. 12 Nov 2019

    Everyone knows Driver Signature Enforcement.... 🙃 The problem is: attackers can load any signed driver and abuse its functionality. For example, the Process Hacker driver can be abused to dump the memory of lsass.exe. Read about it in my blog 😋

  8. 1 Nov 2019

    Finally had some time to write about the autochk rootkit. Nothing too fancy, but I do think it's nice :) The rootkit redirects hidden files and hides network connections. It's signed by a Chinese company. I reconstructed the full source code just for fun ;)

  9. 31 Oct 2019

    My Windows internals adventure continues 🧗‍♂️

  10. 26 Oct 2019

    While reverse engineering a rootkit sample (that I will soon publish about 😉) I saw this weird compiler optimization. I thought I'd start documenting compiler optimizations for reverse engineers. Read my first article in the series:

  11. 22 Oct 2019
  12. 18 Oct 2019
    Replying to

    Although you do have AuxKlibQueryModuleInformation..?

  13. 12 Oct 2019
    Replying to

    Inside RtlExitUserThread, there's a check using NtQueryInformationThread(ThreadAmILastThread) to see if it's the last thread. If it is, the code will call RtlExitUserProcess, which is exported by the name "ExitProcess" 😛 Seems like there's a little race condition lol.

  14. 12 Oct 2019
    Replying to

    Normally the top of the callstack is ntdll!RtlUserThreadStart and it calls kernel32!BaseThreadInitThunk. After the code of the executable returns, there's a call to RtlExitUserThread (which is exported from kernel32 as ExitThread).

  15. 11 Oct 2019

    The entry point of an executable is normally the runtime initialization code - so how can you easily find main()? Just find the reference to exit() / ExitProcess() and look where rax comes from 😛 Just remember to xref exit because sometimes it will be called by another function..

  16. 8 Oct 2019

    Found this funny driver: the pdc.sys Windows driver has a DriverUnload routine, but it calls KeBugCheckEx, causing a bluescreen. Just run "sc stop pdc" and see for yourself ;) I wonder why they registered DriverUnload if the driver does not support unload.. 🤔

  17. 5 Oct 2019

    5/ This is the general problem with __fastcall. If you have better answers to "why did they choose fastcall?" I'll be happy to hear. At least it's consistent (compared to 32 bit stdcall/cdecl/__fastcall..) AND we haven't talked about local variables yet.. This is a last example:

  18. 5 Oct 2019

    2/ But wait, what is this magical allocation over there? 🤔 I thought stack space is used only for functions with more than 4 arguments, so what's this? Maybe our answer lies in the called function:

  19. 5 Oct 2019

    1/ Ready to talk about some Windows x64 assembly? 🤓 As you may know, Windows uses a "fastcall" calling convention in x64. In contrast to most Windows 32-bit calling conventions, arguments are passed using registers: RCX, RDX, R8, R9, and the rest is passed on the stack.

  20. 20 Sep 2019

    Like ProcessBreakOnTermination, NtSetInformationThread(ThreadBreakOnTermination) can be used to mark a thread as a critical thread, meaning that if you try to kill it the computer will bluescreen! 🤓 Read my write-up here:
