Blogs: 1 - 10 of 19 recent posts for tag: "Windows Internals"
01 Nov 2009
WinNinja File Hiding Code

8 days ago by Cypher

Project: WinNinja Description: This is a code example from WinNinja, showing how to hide files by hooking the NtQueryDirectoryFile API. Notes: You will need to provide your own hooking library. I'm not posting mine (yet?). You will need to provide your own "ShouldHideFile" function (and obviously yo ...

Ramblings++ - blog.cypherjb.com

08 Oct 2009
Microsoft Press Adds Seven Books to Library

31 days ago by Safari Books Online

Microsoft Press added the following books to the Safari Books Online library: Windows Essential Business Server 2008: Administrator’s Companion By: J. C. Mackin. Charlie Russel. Publisher: Microsoft Press Windows® Internals, Fifth Edition By: Mark E. Russinovich. David A. Solomon. Alex Ionescu. Publ ...

Safari Books Online's Blog - safaribooksonline.wordpress.com · Rank: 195,966 · 1 reference

20 Aug 2009
Install Windows 7/Vista using a Pen Drive / USB Drive

80 days ago by Sanil

I used this method on one of my machines and installed the Windows 7 RC. The main advantage is that by using a USB drive you will be able to install Windows 7/Vista in just 15 minutes. You can also use this bootable USB drive on a friend's computer that doesn't have a DVD optical drive. The method is ver ...

Coffee Cup - sunny.byethost18.com/WP

16 Jul 2009
Owning Process vs Attached Process

116 days ago by snoone

A change was made to Windows around the Server 2003 timeframe that can make for some confusing information in the !thread output. Specifically, I’m referring to the Owning Process and Attached Process fields: The above output is from an XP machine and indicates that no information is available for t ...

Analyze -v - analyze-v.com

13 Jul 2009
MmMapLockedPagesSpecifyCache and WOW64

119 days ago by snoone

I’ve talked about MmMapLockedPagesSpecifyCache before, but this time I wanted to focus on the AccessMode parameter. If you specify an AccessMode of UserMode, the buffer returned will be a user virtual address. Thus, it will be visible to the user and will only be valid in the context of the process ...

Analyze -v - analyze-v.com

12 Jul 2009
Windows Internals 5th Edition, at last!

119 days ago by aionescu

I am very pleased to announce that the 5th Edition of the Windows Internals book series has finally been shipping for the past couple of weeks, and hard copies are now arriving in the hands of most customers! As my last blog post indicates, I took a hiatus from most of my typical work in the security and ...

Alex Ionescu's Blog - alex-ionescu.com · 35 references

01 Jul 2009
Where is my memory going?

131 days ago by snoone

Lots of times you have a memory dump and need to get some information about the virtual and physical memory state. How much pool is in use? How much physical memory is in use? What about the system working set? Turns out that there's no one command that will tell you absolutely everything; you'll ne ...

Analyze -v - analyze-v.com

29 Jun 2009
Win7 may not save your crash dump

132 days ago by snoone

This is a pretty big shocker to me. Based on your configuration, Win7 may not save a crash dump even though you’ve configured it to do so: http://blogs.msdn.com/wer/archive/2009/02/09/kernel-dump-storage-and-clean-up-behavior-in-windows-7.aspx Definitely going to have to keep that in mind when askin ...

Analyze -v - analyze-v.com

19 Jun 2009
MmGetSystemAddressForMdlSafe may need to be undone

142 days ago by admin

A thread in NTDEV yesterday and today brought to light an interesting misunderstanding: http://www.osronline.com/showthread.cfm?link=158854 While it may not be obvious, MmGetSystemAddressForMdlSafe potentially has a side effect that must be undone. Unfortunately, the documentation makes no mention o ...

Analyze -v - analyze-v.com