pdbdump for vs2015 pdbs
It seems that SourceForge finally came out of the coma, so today I committed patches to my version of pdbdump for some support of vs2015 pdb files. Also I added support of the DIA SDK from Microsoft Visual...
wincheck rc8.52
Added support of Windows 10 (Technical Preview, builds 9879 & 9926).
Download, Mirror
lsasrv.dll!LsapLoadLsaDbExtensionDll
It seems that since Windows 8 lsasrv.dll allows you to load an arbitrary .dll inside the lsass process. Let's check the function LsapLoadLsaDbExtensionDll:
    lea eax, [ebp+LibFileName]
    push eax
    push 0
    ...
wincheck rc8.53
Download, Mirror
Changelog:
improve support of different user-mode modules from w10
add dumping of lsasrv!g_pLsaExtensionTableLsaDb
apisetschema.dll from windows 10 build 10041
Very interesting - api-ms-win-core-debug-minidump was...
wincheck rc8.54
Download, Mirror
Changelog:
add support of Windows 10 build 10041.
add -obcb key for dumping object type callbacks.
Sample from a machine infected with Dr.Web (btw this north papua AV considers wincheck as...
windows 10 win32kbase.sys exports
It seems that Windows 10 moved some important data (like gpepCSRSS or gpsi) from win32k.sys to win32kbase.sys and made it exported. I think it's an epic win,...
ntstatus.idc for WDK 10
Added 69 new NTSTATUS values.
    #include <idc.idc>
    static Enums(void) {
      auto id, cid;
      id = AddEnum(0, "NTSTATUS", 0x1100000);
      if (id == -1) { id = GetEnum("NTSTATUS"); }
      if (id != -1) {
        AddConstEx(...
urlmon unnamed exports
It seems that ordinal 470 (RegisterProtocolMonitor) is used in networkinspection.dll. This info was ripped from IDA Pro with a simple Perl script:
    100 ZoneMappingToRegKey ; _ZoneMappingToRegKey@16
    304...
iertutil.dll unnamed exports
Perl script to make such files (must be run after applying the appropriate .pdb):
    #!perl -w
    use strict;
    use warnings;
    use IDA;
    my $with_addr = 0;
    my $exp_cnt = GetEntryPointQty();
    my $dparm = ...
using CFG on older windows
As you may know, support for Control Flow Guard exists only since Windows 10. But it seems that you can still gain some profit from CFG on older versions of Windows (for example in fuzzers/honeypots):
1)...