WinDBG Anti-RootKit Extension v2.0 RC available

A few guys asked me if I have a pre-built version of the WinDBG Anti-Rootkit Extension. Honestly, I didn't. Anyway, I've decided to build it for the guys who are unable to build it themselves for various reasons, like laziness. By the way, the extension is becoming more of a memory forensics tool. So, it's a pre-release version, full of bugs, of course. Check it yourself, submit issues, send me your feedback. Okay, what's new?

  • Bugs were fixed and new ones were introduced.
  • Windows 10 improvements.
  • UX improvements. But it's still WinDBG, you know.
  • !wa_chknirvana – Checks processes for Hooking Nirvana instrumentation.
  • !wa_cicallbacks – Output kernel-mode nt!g_CiCallbacks or nt!SeCiCallbacks.
  • !wa_ciinfo – Output Code Integrity information.
  • !wa_drvmajor – Output driver(s) major table.
  • !wa_lxsdt – Output the Linux Subsystem Service Descriptor Table.
  • !wa_psppico – Output kernel-mode Pico tables.
  • !wa_w32psdtflt – Output the Win32k Service Descriptor Table Filter.
  • Maybe something else, can't remember :)

Have fun!

Windows 10 Hooking Nirvana explained

Preface

If you accidentally missed a very interesting RECON 2015 presentation by Alex Ionescu, then… I will not repeat it. Watch, read, build some code and jmp back here afterwards. Hooking Nirvana is a stealthy instrumentation technique used to control and monitor the user-mode execution of a running process. Hooking Nirvana is integrated into the Windows kernel. Okay, now you know something. But what exactly do you know about how Hooking Nirvana works? If you're as curious as I am, then follow me. I'll show exactly how Hooking Nirvana is implemented in the kernel (well… ehm…), how it works on different platforms, and how important it is to use Google's image search (no, it's not) and not to use the very first picture (yes, it is).
Continue reading Windows 10 Hooking Nirvana explained

RE crash dump format using undocumented WinDbg command

WinDbg has a lot of undocumented commands, you know. There are a lot of them, but I'll show the one that helps you reverse engineer (or clarify) Microsoft's .DMP format. I found this undocumented command accidentally by opening the DumpChk utility in a hex editor.

DumpChk (the Microsoft Crash Dump File Checker tool) is a program that performs a quick analysis of a crash dump file. This enables you to see summary information about what the dump file contains. If the dump file is corrupt in such a way that it cannot be opened by a debugger, DumpChk reveals this fact.

.dumpdebug
Continue reading RE crash dump format using undocumented WinDbg command