share

4 days ago by snoone

Lots of times you have a memory dump and need to get some information about the virtual and physical memory state. How much pool is in use? How much physical memory is in use? What about the system working set? Turns out that there’s no one command that will tell you absolutely everything, you’ll ne ...

Analyze -v - analyze-v.com

share

6 days ago by snoone

This is a pretty big shocker to me. Based on your configuration, Win7 may not save a crash dump even though you’ve configured it to do so: http://blogs.msdn.com/wer/archive/2009/02/09/kernel-dump-storage-and-clean-up-behavior-in-windows-7.aspx Definitely going to have to keep that in mind when askin ...

Analyze -v - analyze-v.com

share

16 days ago by admin

A thread in NTDEV yesterday and today brought to light an interesting misunderstanding: http://www.osronline.com/showthread.cfm?link=158854 While it may not be obvious, MmGetSystemAddressForMdlSafe potentially has a side effect that must be undone. Unfortunately, the documentation makes no mention o ...

Analyze -v - analyze-v.com

share

19 days ago by admin

I tried my structure searches on a Vista system to see if the object handle count database types were added to the public Vista PDBs. I found a couple of hits that seem to be the right structures and, as it turns out, I was almost right about the fields: Expanding out those types, we see the structu ...

Analyze -v - analyze-v.com

share

20 days ago by admin

When a new object type is created, the creating component can decide if the Object Manager (Ob) should keep track of the processes that have open handles to those objects. The I/O Manager (Io) requests this option for file objects, thus for any file object we have we can find the processes out there ...

Analyze -v - analyze-v.com

share

25 days ago by Cypherjb

Another WoWMimic build was released recently. I’ve reversed it yet again to bring you the gory details. They’ve beefed up (by their standards) the obfuscation on this one. I put “by their standards” because they’re morons, and by the standards of any real reverser ‘beefed up’ is hardly the right ter ...

Ramblings++ - cypherjb.com/blog

share

39 days ago by Cypherjb

Many of you will know by now that WoWMimic v47 is out. A few interesting changes, nothing really substantial though. GetCursorPos and SetCursorPos are now also hooked using VEH. ZwQueryVirtualMemory is now hooked at the return statement so values are modified AFTER the function is called. They have ...

Ramblings++ - cypherjb.com/blog

share

103 days ago by Thomas

Zufällig sah ich, dass im Mai 2009 endlich die langersehnte fnfte Ausgabe des Buches " Windows Internals Book" von Mark Russinovich mit Infos zu Windows Vista und Windows Server 2008 auf den Markt kommt. Wir ja auch langsam Zeit… Immerhin steht mit Windows 7 schon die nächste Version vor der Tr. An ...

Glorf IT - glorf.it/blog · Rank: 83,703 · 19 references

share

105 days ago by dan

Dear so-called professional software development companies, Would you please stop shitting all over my computer ? I don’t want you to assume that I’m running as root. I’m not. I don’t want you to register unneeded services or processes at startup. I don’t want to use autoruns and process explorer to ...

Indefinite Studies - indefinitestudies.org

share

164 days ago by dan

In case anybody needs system call ordinals for an x64 system, I have retrieved them on my test machine since I couldn’t find them anywhere (not even metasploit’s system call table). Ero Carrera posted a compact IDAPython script that did the trick, so I adapted the code a little. In ntdll.dll, there ...

Indefinite Studies - indefinitestudies.org