apisetschema.dll from windows 10 build 10041
Very interesting - api-ms-win-core-debug-minidump was...

wincheck rc8.54
download | mirror
Changelog:
- add support of windows 10 build 10041
- add -obcb key for dumping object type callbacks. Sample from machine infected with dr.web (btw this north papua av considers wincheck as...

windows 10 win32kbase.sys exports
It seems that Windows 10 moved some important data (like gpepCSRSS or gpsi) from win32k.sys to win32kbase.sys and made them exported. I think it's an epic win,...

ntstatus.idc for WDK 10
added 69 new NTSTATUS values

    #include <idc.idc>   // header name lost in extraction; the standard IDC include is assumed here

    static Enums(void) {
      auto id,cid;
      id = AddEnum( 0, "NTSTATUS", 0x1100000 );
      if ( id == -1 ) {
        id = GetEnum("NTSTATUS");
      }
      if ( id != -1 ) {
        AddConstEx(...
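As an added example (not the author's generator, which the post does not show), here is a Python script that does the mechanical part of such an update: parse the #define STATUS_* lines of an ntstatus.h-style header, diff them against an older header to find the values that are new, and emit an IDC script in the same shape as the snippet above. The two header fragments are constructed and deliberately short; the names and values in them are the documented ones for those codes, but the selection is not the WDK 10 set.

```python
import re

# Constructed ntstatus.h-style input. The names and values are the documented ones
# for these well-known codes; the selection is an illustration, not the WDK 10 set.
NTSTATUS_H_NEW = """
#define STATUS_SUCCESS                   ((NTSTATUS)0x00000000L)
#define STATUS_PENDING                   ((NTSTATUS)0x00000103L)
#define STATUS_INFO_LENGTH_MISMATCH      ((NTSTATUS)0xC0000004L)
#define STATUS_INVALID_PARAMETER         ((NTSTATUS)0xC000000DL)
#define STATUS_ACCESS_DENIED             ((NTSTATUS)0xC0000022L)
#define STATUS_BUFFER_TOO_SMALL          ((NTSTATUS)0xC0000023L)
#define STATUS_OBJECT_NAME_NOT_FOUND     ((NTSTATUS)0xC0000034L)
"""

# Constructed "previous SDK" header: same format, fewer entries, so the diff finds something.
NTSTATUS_H_OLD = """
#define STATUS_SUCCESS                   ((NTSTATUS)0x00000000L)
#define STATUS_PENDING                   ((NTSTATUS)0x00000103L)
#define STATUS_ACCESS_DENIED             ((NTSTATUS)0xC0000022L)
"""

DEFINE_RE = re.compile(
    r'^\s*#define\s+(STATUS_\w+)\s+\(\(NTSTATUS\)(0x[0-9A-Fa-f]+)L?\)', re.M)


def parse_ntstatus_header(text):
    """Map STATUS_* name -> value for every ((NTSTATUS)0x...L) define in the text."""
    return {m.group(1): int(m.group(2), 16) for m in DEFINE_RE.finditer(text)}


def new_values(current, previous):
    """Names defined in `current` but absent from `previous` (what grew between SDKs)."""
    return sorted(name for name in current if name not in previous)


def emit_idc(values, enum_name="NTSTATUS", flags=0x1100000):
    """Render an IDC script shaped like the snippet in the post: create the enum
    (or reuse it if it already exists), then AddConstEx() one member per value.
    Members are emitted in value order; -1 as the last argument means 'no bitmask'."""
    lines = [
        "#include <idc.idc>",
        "",
        "static Enums(void) {",
        "  auto id, cid;",
        '  id = AddEnum( 0, "%s", 0x%X );' % (enum_name, flags),
        "  if ( id == -1 ) {",
        '    id = GetEnum("%s");' % enum_name,
        "  }",
        "  if ( id != -1 ) {",
    ]
    for name, value in sorted(values.items(), key=lambda kv: (kv[1], kv[0])):
        lines.append('    cid = AddConstEx(id, "%s", 0x%08X, -1);' % (name, value))
    lines += ["  }", "  return id;", "}", "", "static main(void) {", "  Enums();", "}"]
    return "\n".join(lines) + "\n"


def idc_for_new_values(new_header, old_header):
    """Parse both headers and emit IDC only for the values the old one lacked."""
    cur = parse_ntstatus_header(new_header)
    prev = parse_ntstatus_header(old_header)
    return emit_idc({n: cur[n] for n in new_values(cur, prev)})


if __name__ == "__main__":
    print(idc_for_new_values(NTSTATUS_H_NEW, NTSTATUS_H_OLD))
```

Feeding the real WDK 10 ntstatus.h and its predecessor to idc_for_new_values() gives exactly the "new values only" script; dropping the old header (pass an empty string) regenerates the whole enum.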

tcpip6!ADDRESS_OBJECT
Try to recover offsets of ADDRESS_OBJECT fields for tcpip6. Code from the CopyAO_TCPConn function:

    cmp     byte ptr [edx+3Ah], 6    ; protocol - 0x3a
    jnz     loc_12425
    mov     ecx, [ebp+arg_8]
    mov     eax,...
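Added example, not code from the post: a small Python helper that automates the step above, pulling every [reg+disp] memory operand off a chosen base register out of IDA-style disassembly, taking the access size from the byte ptr/word ptr prefix or from the register on the other side of the instruction, and keeping the ';' annotation as the field note. The disassembly sample is constructed: its first three lines are the ones quoted above, the rest are invented for illustration and are not from tcpip6.sys.

```python
import re

# Disassembly sample. The first three lines are the ones quoted in the post; the
# remaining lines are constructed for illustration and are NOT from tcpip6.sys.
DISASM = """\
cmp     byte ptr [edx+3Ah], 6    ; protocol - 0x3a
jnz     loc_12425
mov     ecx, [ebp+arg_8]
mov     eax, [edx+20h]
mov     [ecx+4], eax
movzx   eax, word ptr [edx+2Ch]
mov     [ecx+8], ax
mov     al, [edx+3Bh]
"""

MEM_OPERAND = re.compile(r'(?:(byte|word|dword|qword)\s+ptr\s+)?\[(\w+)\+(\w+)\]')
PTR_SIZE = {"byte": 1, "word": 2, "dword": 4, "qword": 8}
REG_SIZE = {r: 4 for r in "eax ebx ecx edx esi edi ebp esp".split()}
REG_SIZE.update({r: 2 for r in "ax bx cx dx si di bp sp".split()})
REG_SIZE.update({r: 1 for r in "al ah bl bh cl ch dl dh".split()})
SIZE_NAME = {1: "byte", 2: "word", 4: "dword", 8: "qword"}


def parse_ida_number(tok):
    """IDA prints hex with a trailing 'h' (3Ah); a bare digit string is decimal;
    anything else (arg_8, var_10) is a stack symbol, not a structure offset."""
    if re.fullmatch(r'[0-9][0-9A-Fa-f]*h', tok):
        return int(tok[:-1], 16)
    if tok.isdigit():
        return int(tok)
    return None


def access_size(size_kw, code):
    """Size of the access: from the 'xxx ptr' prefix, else from the register operand."""
    if size_kw:
        return PTR_SIZE[size_kw]
    rest = MEM_OPERAND.sub("", code)   # drop the memory operand so its base reg is not counted
    for tok in re.findall(r'\b[a-z]{2,3}\b', rest):
        if tok in REG_SIZE:
            return REG_SIZE[tok]
    return None


def recover_field_offsets(disasm, base_reg):
    """Collect every displacement used off `base_reg` as {offset: {"size": n, "notes": [...]}}.
    The ';' comment on the line (the analyst's annotation) is kept as the field note."""
    fields = {}
    for line in disasm.splitlines():
        code, _, comment = line.partition(";")
        for m in MEM_OPERAND.finditer(code):
            size_kw, reg, disp = m.groups()
            if reg != base_reg:
                continue
            off = parse_ida_number(disp)
            if off is None:
                continue
            entry = fields.setdefault(off, {"size": access_size(size_kw, code), "notes": []})
            if comment.strip():
                entry["notes"].append(comment.strip())
    return fields


def format_layout(fields):
    """Render the recovered fields in offset order, one line each, flagging unexplained gaps."""
    out, expected = [], 0
    for off in sorted(fields):
        if off > expected:
            out.append("    +0x%03x  (%d bytes unknown)" % (expected, off - expected))
        size = fields[off]["size"]
        note = ("; " + " / ".join(fields[off]["notes"])) if fields[off]["notes"] else ""
        out.append("    +0x%03x  %-5s %s" % (off, SIZE_NAME.get(size, "?"), note))
        expected = off + (size or 1)
    return out


if __name__ == "__main__":
    print("\n".join(format_layout(recover_field_offsets(DISASM, "edx"))))
```

Run it once per base register that holds the structure pointer (edx above); the gap lines show which parts of the object the function never touches and so cannot be named from this function alone.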

Cezurity cota in wincheck logs
Nothing new and interesting actually:

    SDT entry 44 (ZwDuplicateObject) hooked BA8000CC !
    SDT entry 7A (ZwOpenProcess) hooked BA800060 !
    SDT entry 80 (ZwOpenThread) hooked BA800096 !
    SDT entry C1...
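Added example, not part of the post or of wincheck itself: a Python parser for the "SDT entry ... hooked ..." lines above that attributes each hook target to a loaded module and separates the process-access services (the usual AV self-protection set) from anything else. The module table is constructed; the base addresses in it are assumptions, not values from the post, and the last log line is a constructed non-hook line to show it is ignored.

```python
import re

# Lines quoted from the wincheck output in the post (the fourth entry is cut off
# there and is left out); the last line is constructed to show non-hook lines are skipped.
WINCHECK_LOG = """\
SDT entry 44 (ZwDuplicateObject) hooked BA8000CC !
SDT entry 7A (ZwOpenProcess) hooked BA800060 !
SDT entry 80 (ZwOpenThread) hooked BA800096 !
some other wincheck line that is not an SDT hook
"""

# Constructed module table (base, size, name). These are NOT addresses from the post;
# in practice take them from the tool's own driver list or from `lm` in the debugger.
MODULES = [
    (0x804D7000, 0x001F8000, "ntoskrnl.exe"),
    (0xBA800000, 0x00004000, "unknown.sys"),
]

# Services an AV/HIPS self-protection driver typically hooks to deny handle access
# to its own processes; other hooked services deserve a closer look.
PROCESS_ACCESS_SERVICES = {"ZwOpenProcess", "ZwOpenThread", "ZwDuplicateObject",
                           "ZwTerminateProcess", "ZwWriteVirtualMemory"}

HOOK_RE = re.compile(r'^SDT entry ([0-9A-Fa-f]+) \((\w+)\) hooked ([0-9A-Fa-f]+)\s*!?\s*$')


def parse_sdt_hooks(log):
    """Parse 'SDT entry <idx> (<name>) hooked <addr> !' lines; other lines are ignored."""
    hooks = []
    for line in log.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append({"index": int(m.group(1), 16),
                          "name": m.group(2),
                          "target": int(m.group(3), 16)})
    return hooks


def owning_module(addr, modules):
    """Name of the module whose image range contains addr, or None."""
    for base, size, name in modules:
        if base <= addr < base + size:
            return name
    return None


def attribute_hooks(hooks, modules):
    """Group hooked service names by the module that contains the handler.
    A None key means the handler lives outside every known image (pool allocation,
    hidden driver), which is the case worth looking at first."""
    grouped = {}
    for h in hooks:
        grouped.setdefault(owning_module(h["target"], modules), []).append(h["name"])
    return grouped


def classify(hooks):
    """Split hooked services into the self-protection set and everything else, and
    report how tightly the handlers are packed (a small span = one dispatcher stub area)."""
    names = {h["name"] for h in hooks}
    targets = [h["target"] for h in hooks]
    return {
        "process_access": sorted(names & PROCESS_ACCESS_SERVICES),
        "other": sorted(names - PROCESS_ACCESS_SERVICES),
        "target_span": (max(targets) - min(targets)) if targets else 0,
    }


if __name__ == "__main__":
    hooks = parse_sdt_hooks(WINCHECK_LOG)
    print(attribute_hooks(hooks, MODULES))
    print(classify(hooks))
```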

windows 10 build 10074 KPRCB
To compare with:

    kd> dt _KPRCB
    ntdll!_KPRCB
       +0x000 MinorVersion     : Uint2B
       +0x002 MajorVersion     : Uint2B
       +0x004 CurrentThread    : Ptr32 _KTHREAD
       +0x008 NextThread       : Ptr32 _KTHREAD
       ...
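Added example, not from the post: a Python parser for windbg dt output that turns such a dump into {field: (offset, type)} and diffs two builds' layouts, which is the comparison a tool that reads KPRCB by hand-coded offsets needs whenever a new build appears. The second layout is constructed only to exercise the diff and is not a real build's KPRCB.

```python
import re

# The `dt _KPRCB` lines quoted in the post (the dump is cut off after NextThread).
KPRCB_10074 = """\
kd> dt _KPRCB
ntdll!_KPRCB
   +0x000 MinorVersion     : Uint2B
   +0x002 MajorVersion     : Uint2B
   +0x004 CurrentThread    : Ptr32 _KTHREAD
   +0x008 NextThread       : Ptr32 _KTHREAD
"""

# Constructed second layout used only to exercise the diff. It is NOT a real
# build's KPRCB: two fields are inserted so that NextThread moves.
KPRCB_CONSTRUCTED = """\
kd> dt _KPRCB
nt!_KPRCB
   +0x000 MinorVersion     : Uint2B
   +0x002 MajorVersion     : Uint2B
   +0x004 CurrentThread    : Ptr32 _KTHREAD
   +0x008 IdleThread       : Ptr32 _KTHREAD
   +0x00c NextThread       : Ptr32 _KTHREAD
   +0x010 LegacyNumber     : UChar
"""

FIELD_RE = re.compile(r'^\s*\+0x([0-9A-Fa-f]+)\s+(\w+)\s*:\s*(.+?)\s*$')


def parse_dt(text):
    """Parse windbg `dt` output into {field: (offset, type)}; prompt/header lines are skipped."""
    layout = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            layout[m.group(2)] = (int(m.group(1), 16), m.group(3))
    return layout


def diff_layouts(old, new):
    """Compare two layouts field by field: added, removed, moved to a new offset, or
    same offset but a different type. Offsets are what hand-written structure readers
    hard-code per build, so 'moved' is the list that breaks such code."""
    result = {"added": [], "removed": [], "moved": [], "retyped": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            result["added"].append((name, new[name][0]))
        elif name not in new:
            result["removed"].append((name, old[name][0]))
        else:
            (o_off, o_type), (n_off, n_type) = old[name], new[name]
            if o_off != n_off:
                result["moved"].append((name, o_off, n_off))
            elif o_type != n_type:
                result["retyped"].append((name, o_type, n_type))
    return result


def offset_of(layout, name):
    """Offset lookup of the kind a per-build structure reader hard-codes."""
    return layout[name][0]


if __name__ == "__main__":
    old, new = parse_dt(KPRCB_10074), parse_dt(KPRCB_CONSTRUCTED)
    for kind, entries in diff_layouts(old, new).items():
        print(kind, entries)
```

Paste the full dt output of two builds into the two strings (or read them from files) and the diff lists exactly the offsets a tool like wincheck has to re-check for the new build.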

wincheck rc8.55
download | mirror
Changelog:
- add support of windows 10 build 10074
- add -gahti option to dump win32k!gahti
- add -sockets option to dump from tcpip.sys sockets and established connections. xp/w2k3 only
- add...

is vtguard slow?
Saw some strange code in fresh mshtml.dll (version 11.00.9600.17842) after the June 2015 security update:

    .text:635F4700 ?ReleaseInterface@@YGXPAUIUnknown@@@Z proc near
    .text:635F4700 mov     edi,...