simple wnf id decoder
extern "C" int __stdcall check_id(PDWORD);
extern "C" int __stdcall get_wnf_value(PDWORD);

int _tmain(int argc, _TCHAR* argv[])
{
  if ( argc == 3 )
  {
    wchar_t *end;
    DWORD ids[2];
    ids[0] = wcstoul(argv[1], &end, ...
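As an added example (this is not the blog's decoder, whose source is only partially shown above), here is a self-contained decoder and encoder for the 64-bit WNF state name. The XOR key 0x41C64E6DA3BC0074 and the bit layout (Version:4, NameLifetime:2, DataScope:4, PermanentData:1, Unique:53) are the ones published in the Black Hat 2018 WNF research by Ionescu and Shafir; the page itself does not state them. The sample name is constructed by round-tripping through the encoder, not a real WNF_* id, and `wnf_from_dwords` mirrors how a 32-bit tool would assemble the id from two DWORD arguments.

```c
/* Added example, not the blog's code: decode/encode WNF state names.
 * The XOR key and the bit layout come from public WNF research
 * (Ionescu/Shafir, Black Hat 2018), not from this page. */
#include <stdint.h>
#include <stdio.h>

#define WNF_STATE_NAME_KEY 0x41C64E6DA3BC0074ULL

enum { WNF_LIFETIME_WELL_KNOWN = 0, WNF_LIFETIME_PERMANENT = 1,
       WNF_LIFETIME_PERSISTENT = 2, WNF_LIFETIME_TEMPORARY = 3 };
enum { WNF_SCOPE_SYSTEM = 0, WNF_SCOPE_SESSION = 1, WNF_SCOPE_USER = 2,
       WNF_SCOPE_PROCESS = 3, WNF_SCOPE_MACHINE = 4 };

typedef struct {
    unsigned version;    /* 4 bits; valid names carry version 1 */
    unsigned lifetime;   /* 2 bits; WNF_LIFETIME_* */
    unsigned data_scope; /* 4 bits; WNF_SCOPE_* */
    unsigned permanent;  /* 1 bit */
    uint64_t unique;     /* 53-bit sequence number */
} wnf_state_name;

/* Join the two DWORDs a 32-bit tool reads from argv into one 64-bit name. */
uint64_t wnf_from_dwords(uint32_t lo, uint32_t hi)
{
    return ((uint64_t)hi << 32) | lo;
}

wnf_state_name wnf_decode(uint64_t raw)
{
    uint64_t v = raw ^ WNF_STATE_NAME_KEY;   /* strip the obfuscation key */
    wnf_state_name n;
    n.version    = (unsigned)(v & 0xF);
    n.lifetime   = (unsigned)((v >> 4) & 0x3);
    n.data_scope = (unsigned)((v >> 6) & 0xF);
    n.permanent  = (unsigned)((v >> 10) & 0x1);
    n.unique     = v >> 11;
    return n;
}

uint64_t wnf_encode(const wnf_state_name *n)
{
    uint64_t v = (uint64_t)(n->version & 0xF)
               | (uint64_t)(n->lifetime & 0x3) << 4
               | (uint64_t)(n->data_scope & 0xF) << 6
               | (uint64_t)(n->permanent & 0x1) << 10
               | (n->unique & ((1ULL << 53) - 1)) << 11;
    return v ^ WNF_STATE_NAME_KEY;
}

/* Cheap sanity check before handing a user-supplied id to NtQueryWnfStateData:
 * anything that does not decode to version 1 is not a WNF state name. */
int wnf_name_plausible(uint64_t raw)
{
    return wnf_decode(raw).version == 1;
}

static const char *lifetime_str(unsigned l)
{
    static const char *s[] = { "well-known", "permanent", "persistent", "temporary" };
    return s[l & 3];
}

static const char *scope_str(unsigned d)
{
    static const char *s[] = { "system", "session", "user", "process", "machine" };
    return d <= WNF_SCOPE_MACHINE ? s[d] : "unknown";
}

int main(void)
{
    /* Constructed name: a well-known, system-scope name with sequence 0x1234. */
    wnf_state_name in = { 1, WNF_LIFETIME_WELL_KNOWN, WNF_SCOPE_SYSTEM, 0, 0x1234 };
    uint64_t raw = wnf_encode(&in);
    wnf_state_name out = wnf_decode(raw);

    printf("raw 0x%016llx -> version %u, %s, scope %s, permanent %u, unique 0x%llx\n",
           (unsigned long long)raw, out.version, lifetime_str(out.lifetime),
           scope_str(out.data_scope), out.permanent, (unsigned long long)out.unique);
    printf("plausible: %d; zero id plausible: %d\n",
           wnf_name_plausible(raw), wnf_name_plausible(0));
    return 0;
}
```

The version check is deliberately the only validity test: newer builds added data scopes beyond the five listed here, so rejecting unknown scopes would produce false negatives.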
another cross-process scan
you can use EPROCESS.WnfContext to find the list of processes. Let's see how this can be done:
kd> ? nt!ExpWnfProcessesListHead
Evaluate expression: -8781752063864 = fffff803`56c9a888
kd> dp...
rfg patches in windows 10 build 14942
Let's see for example the body of the function user32!GetCursor:
.text:00000001800026E0 GetCursor proc near
.text:00000001800026E0 66 90 xchg ax,...
how to find nt!KeServiceDescriptorTableFilter
Unfortunately all xrefs to KeServiceDescriptorTableFilter are from non-exported functions, for example PsConvertToGuiThread:
test dword ptr [edi+2E8h], 18000h ; EPROCESS.Flags3
jnz short...
IMAGE_LOAD_CONFIG_DIRECTORY from sdk 14951
typedef struct _IMAGE_LOAD_CONFIG_CODE_INTEGRITY {
    WORD Flags;    // Flags to indicate if CI information is available, etc.
    WORD Catalog;  // 0xFFFF means not available
    DWORD...
ntstatus.idc for WDK 10.0.14931.0
added 95 new NTSTATUS values
#include
static Enums(void) {
  auto id,cid;
  id = AddEnum( 0, "NTSTATUS", 0x1100000 );
  if ( id == -1 ) {
    id = GetEnum("NTSTATUS");
  }
  if ( id != -1 ) {
    AddConstEx(...
rfg longjumps
In IMAGE_LOAD_CONFIG_DIRECTORY64 there are two fields for setjmp/longjmp support - GuardLongJumpTargetTable & GuardLongJumpTargetCount. Let's see some module where these fields are not zero - for...
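The two entries above (the IMAGE_LOAD_CONFIG_CODE_INTEGRITY struct from the 14951 SDK and the GuardLongJumpTargetTable/Count fields) both live in IMAGE_LOAD_CONFIG_DIRECTORY64, and both are only present in images whose directory is long enough to contain them. The following added example (my code, not the blog's) parses those fields from a raw directory while honouring the Size field, which is the check a tool walking load config data needs so that a module linked with an older toolchain does not yield garbage for CodeIntegrity or the longjmp table. The byte offsets and IMAGE_GUARD_* constants follow winnt.h; the sample directories are constructed in `build_sample`, not dumped from a real module, and the addresses in them are made up.

```c
/* Added example, not the blog's code: read the RFG/CI-related fields of a
 * raw IMAGE_LOAD_CONFIG_DIRECTORY64 while honouring its Size field.
 * Field offsets and IMAGE_GUARD_* values follow winnt.h; the sample
 * directory below is constructed, not dumped from a real module. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <inttypes.h>

/* Byte offsets inside IMAGE_LOAD_CONFIG_DIRECTORY64 (winnt.h layout). */
#define LCD64_SIZE                      0x00
#define LCD64_GUARD_FLAGS               0x90
#define LCD64_CODE_INTEGRITY            0x94  /* IMAGE_LOAD_CONFIG_CODE_INTEGRITY, 12 bytes */
#define LCD64_GUARD_LONGJUMP_TABLE      0xB0
#define LCD64_GUARD_LONGJUMP_COUNT      0xB8
#define LCD64_DYNAMIC_VALUE_RELOC_TABLE 0xC0
#define LCD64_PRE_CFG_SIZE              0x70  /* old layout ending at SEHandlerCount */

#define IMAGE_GUARD_CF_INSTRUMENTED           0x00000100
#define IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT 0x00000400
#define IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT 0x00010000
#define IMAGE_GUARD_RF_INSTRUMENTED           0x00020000
#define IMAGE_GUARD_RF_ENABLE                 0x00040000

typedef struct {
    uint32_t size, guard_flags;
    int      has_code_integrity;
    uint16_t ci_flags, ci_catalog;    /* Catalog 0xFFFF: not available */
    uint32_t ci_catalog_offset;
    int      has_longjump;
    uint64_t longjump_table, longjump_count;
    int      has_dynamic_relocs;
    uint64_t dynamic_reloc_table;
} load_config_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* Returns 0 on success, -1 if Size is smaller than the oldest layout or larger
 * than the buffer. A field is reported only when Size covers it: an image built
 * with an older toolchain carries a shorter directory, and reading past Size
 * means reading whatever happens to follow it in the section. */
int parse_load_config64(const uint8_t *buf, size_t len, load_config_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 4) return -1;
    out->size = rd32(buf + LCD64_SIZE);
    if (out->size < LCD64_PRE_CFG_SIZE || out->size > len) return -1;

    if (out->size >= LCD64_GUARD_FLAGS + 4)
        out->guard_flags = rd32(buf + LCD64_GUARD_FLAGS);
    if (out->size >= LCD64_CODE_INTEGRITY + 12) {
        out->has_code_integrity = 1;
        out->ci_flags          = rd16(buf + LCD64_CODE_INTEGRITY);
        out->ci_catalog        = rd16(buf + LCD64_CODE_INTEGRITY + 2);
        out->ci_catalog_offset = rd32(buf + LCD64_CODE_INTEGRITY + 4);
    }
    if (out->size >= LCD64_GUARD_LONGJUMP_COUNT + 8) {
        out->has_longjump   = 1;
        out->longjump_table = rd64(buf + LCD64_GUARD_LONGJUMP_TABLE);
        out->longjump_count = rd64(buf + LCD64_GUARD_LONGJUMP_COUNT);
    }
    if (out->size >= LCD64_DYNAMIC_VALUE_RELOC_TABLE + 8) {
        out->has_dynamic_relocs  = 1;
        out->dynamic_reloc_table = rd64(buf + LCD64_DYNAMIC_VALUE_RELOC_TABLE);
    }
    return 0;
}

/* The longjmp target table is only meaningful when the linker also set
 * IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT; a pointer without the flag, or the
 * flag with a zero pointer/count, is stale or corrupt metadata. */
int longjump_table_usable(const load_config_info *lc)
{
    return lc->has_longjump
        && (lc->guard_flags & IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT) != 0
        && lc->longjump_table != 0 && lc->longjump_count != 0;
}

/* Fill a 0x100-byte buffer with a constructed directory. Every field is written
 * regardless of Size so that the parser's Size guard is what decides which count. */
void build_sample(uint8_t *buf, uint32_t size, uint32_t guard_flags,
                  uint64_t lj_table, uint64_t lj_count, uint64_t dvrt)
{
    memset(buf, 0, 0x100);
    wr32(buf + LCD64_SIZE, size);
    wr32(buf + LCD64_GUARD_FLAGS, guard_flags);
    wr16(buf + LCD64_CODE_INTEGRITY + 2, 0xFFFF);     /* Catalog: not available */
    wr64(buf + LCD64_GUARD_LONGJUMP_TABLE, lj_table);
    wr64(buf + LCD64_GUARD_LONGJUMP_COUNT, lj_count);
    wr64(buf + LCD64_DYNAMIC_VALUE_RELOC_TABLE, dvrt);
}

int main(void)
{
    uint8_t buf[0x100];
    load_config_info lc;
    uint32_t flags = IMAGE_GUARD_CF_INSTRUMENTED | IMAGE_GUARD_CF_FUNCTION_TABLE_PRESENT
                   | IMAGE_GUARD_CF_LONGJUMP_TABLE_PRESENT | IMAGE_GUARD_RF_INSTRUMENTED;
    uint32_t sizes[] = { 0xC8, LCD64_PRE_CFG_SIZE };   /* current layout, then pre-CFG */

    for (size_t i = 0; i < 2; i++) {
        build_sample(buf, sizes[i], flags, 0x180001A000ULL, 3, 0x180001B000ULL);
        if (parse_load_config64(buf, sizeof buf, &lc) != 0) { puts("bad directory"); continue; }
        printf("Size=%#x GuardFlags=%#x CI=%d catalog=%#x longjmp=%d (%" PRIu64 " targets, usable=%d) dvrt=%d\n",
               lc.size, lc.guard_flags, lc.has_code_integrity, lc.ci_catalog,
               lc.has_longjump, lc.longjump_count, longjump_table_usable(&lc), lc.has_dynamic_relocs);
    }
    return 0;
}
```

The second sample carries the same bytes as the first beyond offset 0x70 but declares Size 0x70, so the parser reports no GuardFlags, no CodeIntegrity and no longjmp table for it; that is the behaviour you want when scanning a mixed set of system DLLs.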
W32pServiceTableFilter from windows 10 build 14951 x64
kd> ? nt!KeServiceDescriptorTableFilter
Evaluate expression: -8795428636992 = fffff800`2799b6c0
kd> dps fffff800`2799b6c0
fffff800`2799b6c0 fffff800`278f4450 nt!KiServiceTable
fffff800`2799b6c8...
apisetschema.dll from windows 10 build 15025
lots of new modules were added:
win-core-registry-fromapp
win-gaming-expandedresources
win-gaming-gamemonitor
win-ngc-serialization
win-security-isolatedcontainer
win-shcore-path
onecore-appmodel-tdlmigration
...
IMAGE_DYNAMIC_RELOCATION_TABLE.Version 2
it seems that since around w10 build 15007 the format of rfg relocs was changed and the field IMAGE_DYNAMIC_RELOCATION_TABLE.Version now has value 2. So let's install the platform SDK for 15003 and see what was...
ida plugin for RFG fixups processing
I committed today code for an Ida Pro plugin for RFG fixups processing - for both versions 1 & 2. It seems that by default during automatic loading of PE files Ida doesn't load the .reloc section (where usually...
ntdll ProtectedPolicies
It seems that since windows 10 ntdll has a security feature called "ProtectedPolicies" - you can query it with the RtlQueryProtectedPolicy function. The prototype of this function is:
NTAPI NTSTATUS...
etwex - ida plugin for Etw traces IIDs searching
For example you may need to find which Etw providers are located in some module. There are lots of functions that can be used to register a provider and manual searching is very boring. So I committed today code for...
kernel etw traces in windows 10
In windows 10 there is no good old EtwpGuidHashTable and all registered Etw providers are stored in a SILO. Let's see how we can extract them. Check first the exported function EtwRegister:
call...
wnf kernelmode callbacks
I already described how to enum usermode wnf callbacks. Now it's time to enum WNF callbacks in the kernel. It is not surprising that they are stored in EPROCESS.WnfContext; this struct is undocumented but can be...