5 days ago by snoone

You might occasionally have seen this error when opening a crash dump file: WARNING: Process directory table base doesn't match CR3 What does it mean and why does it happen? The answer to what it means lies in virtual memory. The page directory table is the term used for the base ...

Analyze -v - analyze-v.com

6 days ago by snoone

Driver Verifier has been updated in Win7 and several new checks have been added. One of the more interesting checks is the check for accessing user mode handles for kernel mode access. So, for example, take a handle from a user mode application and call ObReferenceObjectByHandle specifying KernelMod ...

Analyze -v - analyze-v.com

22 days ago by Cypher

Project: WinNinja Description: This is a code example from WinNinja, showing how to hide files by hooking the NtQueryDirectoryFile API. Notes: You will need to provide your own hooking library. I'm not posting mine (yet?). You will need to provide your own "ShouldHideFile" function (and obviously yo ...

Ramblings++ - blog.cypherjb.com

46 days ago by Safari Books Online

Microsoft Press added the following books to the Safari Books Online library: Windows Essential Business Server 2008: Administrator’s Companion By: J. C. Mackin. Charlie Russel. Publisher: Microsoft Press Windows® Internals, Fifth Edition By: Mark E. Russinovich. David A. Solomon. Alex Ionescu. Publ ...

Safari Books Online's Blog - safaribooksonline.wordpress.com · 1 reference

95 days ago by Sanil

I used this method on one of my machines and installed the Windows 7 RC. The main advantage is that by using USB drive you will be able to install Windows 7/Vista in just 15 minutes. You can also use this bootable USB drive on friend’s computer who doesn’t have a DVD optical drive. The method is ver ...

Coffee Cup - sunny.byethost18.com/WP

126 days ago by dan

Indefinite Studies - indefinitestudies.org

130 days ago by snoone

A change was made to Windows around the Server 2003 timeframe that can make for some confusing information in the !thread output. Specifically, I’m referring to the Owning Process and Attached Process fields: The above output is from an XP machine and indicates that no information is available for t ...

Analyze -v - analyze-v.com

133 days ago by snoone

I’ve talked about MmMapLockedPagesSpecifyCache before, but this time I wanted to focus on the AccessMode parameter. If you specify an AccessMode of UserMode, the buffer returned will be a user virtual address. Thus, it will be visible to the user and will only be valid in the context of the process ...

Analyze -v - analyze-v.com

134 days ago by aionescu

I am very pleased to announce that the 5th Edition of the Windows Internals book series is finally shipping for the past couple of weeks, and hard copies are now arriving in the hands of most customers! As my last blog post indicates, I took a hiatus from most of my typical work in the security and ...

Alex Ionescu's Blog - alex-ionescu.com · 35 references

145 days ago by snoone

Lots of times you have a memory dump and need to get some information about the virtual and physical memory state. How much pool is in use? How much physical memory is in use? What about the system working set? Turns out that there’s no one command that will tell you absolutely everything, you’ll ne ...

Analyze -v - analyze-v.com