windows 10 Technical Preview ntoskrnl.exe exports
I see that MmLoadSystemImage & MmUnloadSystemImage are now exported, ...
WdfFunctions.idc for windows 10 Technical Preview 64bit
Since w8.1 only pfnWdfDeviceStopIdleActual & pfnWdfDeviceResumeIdleActual were added.

#include <idc.idc>
static add_struct(size)
{
  auto id, mid;
  id = AddStrucEx(-1, "WDFFUNCTIONS", 0);
  if ( -1 == id )
    id = ...
w10tp kernel mode RPC
Since windows 8 there are several new drivers using kernel-mode RPC:
CEA.sys - "Event Aggregation Kernel Mode Library". Uses interface D09BDEB5-6171-4A34-BFE2-06FA82652568 from...
apisetschema.dll from windows 10 build 9879 64bit
Only api-ms-win-core-ums-l1-1-0 was added.
api-ms-win-appmodel-identity-l1-2-0  kernel.appcore.dll
api-ms-win-appmodel-runtime-internal-l1-1-0  kernel.appcore.dll
...
windows 10 build 9879 KPRCB 64bit
Just to complete the collection:
nt!_KPRCB
   +0x000 MxCsr : Uint4B
   +0x004 LegacyNumber : UChar
   +0x005 ReservedMustBeZero : UChar
   +0x006 InterruptRequest : UChar
   +0x007 IdleHalt...
windows 10 Technical Preview KPRCB 64bit
To compare with:
ntdll!_KPRCB
   +0x000 MxCsr : Uint4B
   +0x004 LegacyNumber : UChar
   +0x005 ReservedMustBeZero : UChar
   +0x006 InterruptRequest : UChar
   +0x007 IdleHalt : UChar...
interrupts in w10 build 9879 64bit
It seems that Microsoft completely removed KiInterruptTemplate in this version of windows, and interrupts are now stored in the KPRCB (like in w8.1). Let's look at the function KiConnectInterrupt:
  mov rax, gs:20h ; ...
windows 10 build 9926 KPRCB
For the collection:
nt!_KPRCB
   +0x000 MinorVersion : Uint2B
   +0x002 MajorVersion : Uint2B
   +0x004 CurrentThread : Ptr32 _KTHREAD
   +0x008 NextThread : Ptr32 _KTHREAD
   +0x00c IdleThread...
modernexecserver.dll RPC interface
Version info says "Modern Execution Server". I don't know what this means.
8EC21E98-B5CE-4916-A3D6-449FA428A007 version 0.019...
bug in vs2010 inlined function
Everyone knows how to calculate the crc32, yeah? Let's see the output from visual studio 2010 for the inlined version of crc32. Here list is an alias for the ecx register:
  mov [ebp+params.list_rva], list
  not cl...
wincheck rc8.52
Added support for windows 10 (Technical Preview, build 9879 & 9926).
Download / Mirror
lsasrv.dll!LsapLoadLsaDbExtensionDll
It seems that since windows 8 lsasrv.dll allows loading an arbitrary .dll inside the lsass process. Let's check the function LsapLoadLsaDbExtensionDll:
  lea eax, [ebp+LibFileName]
  push eax
  push 0
  ...
wincheck rc8.53
Download / Mirror
Changelog:
improve support of different user-mode modules from w10
add dumping of lsasrv!g_pLsaExtensionTableLsaDb