Channel: MoonSols

Global Windows Callbacks and WinDbg

Kernel-mode callback routines are used by various drivers; they are also commonly used by malware and third-party products because they make it possible to “hijack” critical functions without having to patch...





Retrieving Windows Services via WinDbg

From Windows 2000 to Windows 7 and Windows 2008 R2, the Windows Service Controller/Manager is “services.exe” – in other words, the “service records” live inside this process's address space. The interesting thing...



IO Callbacks and File Systems

Download WinDbg Script

As Frank Boldewin pointed out to me, some rootkits also use the following functions to register callbacks or notification functions: IoRegisterFsRegistrationChange...



Hyper-V VMs: Management and Incident Response over WMI

Did you ever wish you could control your virtual machines from your host/parent partition without having to install any agent inside the virtual machine? For example, to list kernel modules, processes, DLLs,...



WMI, VMs, LiveCloudKd, MoonSols Analyst & CVE-2011-0611 -Part 1

Some people have already analysed the latest Flash 0-day itself, which means this blog post is not going to cover the attack itself but only a specific part: when Microsoft Word is re-opened...




WMI, VMs, LiveCloudKd, MoonSols Analyst & CVE-2011-0611 -Part 2

This blog post is part two of “WMI, VMs, LiveCloudKd, MoonSols Analyst & CVE-2011-0611” about the latest Adobe Flash 0-day/unpatched vulnerability. Yesterday, we saw how we could identify how...


Are ASLR or DEP flags enabled?

A few days ago, Peter Vreugdenhil tweeted a one-line WinDbg command to detect whether ASLR (Address Space Layout Randomization) is used by the current process and its DLLs. !for_each_module...


MoonSols DumpIt goes mainstream!

After talking with a few people who described the limitations they faced with current Windows memory dumpers, I decided to release MoonSols DumpIt publicly. MoonSols DumpIt is a fusion of win32dd and win64dd in...




NEW UTILITY: MoonSols HyperTaskMgr v1.0

Today, I finally decided to release the first public version of MoonSols HyperTaskMgr. What is MoonSols HyperTaskMgr? It’s a new-generation Task Manager for IT professionals to manage Windows virtual...



New commands in WinDbg 6.2.8102.0

The Windows Developer Preview WDK contains the new version of WinDbg, 6.2.8102.0 (the previous version was 6.12.0002 – it seems that Microsoft decided to change the version number to match the corresponding...
