WNF identifiers
I have made a mistake in my previous article about WNF. It seems that WNF identifiers are not a standard IID but a pair of DWORDs, so struct my_wnf_item actually looks like: // struct can be ripped from...
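As an added example (not the post's own struct, which is cut off above), the block below takes the two-DWORD form the post describes, joins it into the 64-bit state name, and splits it into the internal fields. The XOR key WNF_STATE_NAME_KEY and the bit layout (version 4 bits, lifetime 2, data scope 4, permanent 1, unique 53) are taken from public reverse-engineering of ntdll's WNF_STATE_NAME_INTERNAL and are an assumption relative to this page; the type names wnf_id_pair and wnf_name_fields and the sample values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption (public reverse-engineering, not from the post): every WNF state
 * name is XORed with this constant before the fields below become visible. */
#define WNF_STATE_NAME_KEY 0x41C64E6DA3BC0074ULL

/* The "pair of DWORDs" form the post talks about (hypothetical name). */
typedef struct wnf_id_pair {
    uint32_t low;
    uint32_t high;
} wnf_id_pair;

/* Decoded fields of the 64-bit state name (layout is an assumption). */
typedef struct wnf_name_fields {
    unsigned version;     /* 4 bits, 1 for every current name            */
    unsigned lifetime;    /* 2 bits: well-known/permanent/persistent/temporary */
    unsigned data_scope;  /* 4 bits: system/session/user/process/machine */
    unsigned permanent;   /* 1 bit                                        */
    uint64_t unique;      /* remaining 53 bits                            */
} wnf_name_fields;

uint64_t wnf_pair_to_qword(wnf_id_pair p)
{
    return ((uint64_t)p.high << 32) | p.low;
}

wnf_id_pair wnf_qword_to_pair(uint64_t q)
{
    wnf_id_pair p = { (uint32_t)q, (uint32_t)(q >> 32) };
    return p;
}

/* Pack the fields and apply the XOR key: this yields the value you would see
 * in a binary or in a WNF_STATE_NAME constant. */
uint64_t wnf_encode(const wnf_name_fields *f)
{
    uint64_t raw = (uint64_t)(f->version & 0xF)
                 | ((uint64_t)(f->lifetime & 0x3) << 4)
                 | ((uint64_t)(f->data_scope & 0xF) << 6)
                 | ((uint64_t)(f->permanent & 0x1) << 10)
                 | ((f->unique & ((1ULL << 53) - 1)) << 11);
    return raw ^ WNF_STATE_NAME_KEY;
}

/* Inverse: strip the key and pull the bit fields apart. */
wnf_name_fields wnf_decode(uint64_t name)
{
    uint64_t raw = name ^ WNF_STATE_NAME_KEY;
    wnf_name_fields f;
    f.version    = (unsigned)(raw & 0xF);
    f.lifetime   = (unsigned)((raw >> 4) & 0x3);
    f.data_scope = (unsigned)((raw >> 6) & 0xF);
    f.permanent  = (unsigned)((raw >> 10) & 0x1);
    f.unique     = raw >> 11;
    return f;
}

/* Cheap plausibility check when scanning a table of candidate identifiers:
 * a real state name decodes to version 1. */
int wnf_name_looks_valid(uint64_t name)
{
    return wnf_decode(name).version == 1;
}

/* Round-trip self test on a constructed (not real) name. */
int wnf_selftest(void)
{
    wnf_name_fields f = { 1, 3, 0, 0, 0x12345ULL };   /* constructed sample */
    uint64_t name = wnf_encode(&f);
    wnf_id_pair pair = wnf_qword_to_pair(name);
    wnf_name_fields g = wnf_decode(wnf_pair_to_qword(pair));
    return g.version == 1 && g.lifetime == 3 && g.data_scope == 0
        && g.permanent == 0 && g.unique == 0x12345ULL
        && wnf_name_looks_valid(name);
}

int main(void)
{
    wnf_name_fields f = { 1, 3, 0, 0, 0x12345ULL };
    uint64_t name = wnf_encode(&f);
    wnf_id_pair pair = wnf_qword_to_pair(name);
    printf("state name 0x%016llx -> dwords {0x%08x, 0x%08x}, selftest=%d\n",
           (unsigned long long)name, pair.low, pair.high, wnf_selftest());
    return 0;
}
```

Reading a candidate pair from a dumped table and checking wnf_name_looks_valid() on the joined value is a quick way to tell real state names from unrelated DWORD pairs.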

CFG with LLVM
On holidays I read the book "LLVM Cookbook" (not very good - lots of meaningless copy-pasted code blocks are annoying) and played a bit with fresh llvm-3.7.1 (released 5 January). So I decided to check...

lxcore syscall table
I can't get symbols for lxcore.sys, so I just wrote a simple IDC script. Each item in the table has a very simple structure:
PAGE:00000001C0046620 imul r14, r12, 38h ; size of item in syscall...

CmControlVector from windows 10 build 14279
IoBlockLegacyFsFilters - wut?

Key                                  ValueName           10586   14279
Session Manager\Debug Print Filter   ACPI_Kd_ACPI_Mask   10586   14279
Session Manager\Debug Print Filter   ALPC_Kd_ALPC_Mask   10586   14279
Session Manager\Debug Print...

xxxSetAuditingInterface
Nice piece of code from lsasrv:
_GetCngAuditFunctions@4 proc near ; CODE XREF: SrvPrepKeyIso(x)+33p
                                  ; LsapInitCNGAuditing()+Dp
    test ecx, ecx
    jz short...

wincheck rc8.56
download | mirror
changelog:
- add support of windows 10 rtm, builds 14279 & 14295
- add dumping of g_pAuditingFuncs
- add dumping of hal!InterruptController
- add dumping of PICO. Sample of...

KiServiceTable from w10 build 14342 x64
In healthy Windows (for example w10 build 14332) KiServiceTable looks like:
.rdata:00000001402DE4C0 KiServiceTable dq offset NtAccessCheck ; DATA XREF: KiInitializeKernel+5EF o
.rdata:00000001402DE4C8...

apisetschema.dll from windows 10 build 14352
nothing new - only ext-ms-net-vpn-soh-l1-1-0 was...

tcpip port pools in fresh windows 10 builds
It seems that the good old TcpPortPool & UdpPortPool were removed since (est.) build 14251 and replaced with a more complex structure stored in TcpCompartmentSet & UdpCompartmentSet. Let's see how we...

FilterConnectionPorts
Under Windows 10 there are some very strange objects in the root directory. They are created by Filter Manager (fltmgr.sys) and are used for communication between user-mode applications and filesystem...

apisetschema.dll from windows 10 build 14388
nothing new - only api-ms-win-core-ums was...

ida 6.95 has been released
changelog
useful changes:
- PE: added detection of entry point from incremental linking by Visual Studio
- FLIRT: added signatures for Windows Driver Kits 7-10
- FLIRT: added detection of GsDriverEntry for...

how to build mbedtls-2.3.0 with wdk7
Let's say that you want to have some Diffie-Hellman-Merkle algorithm & HMAC inside your driver. I found the plain-C library mbedtls, which is very suitable for this but has one minor problem - it does...

bugs in mbedtls DH client/server
1) although the constant MBEDTLS_MD_SHA256 is always used, the parameters are signed with SHA-1, and then we get MBEDTLS_ERR_RSA_VERIFY_FAILED in library\rsa.c on line 1435
2) in dh_server.c, when receiving the client's...