There are new articles available, click to refresh the page.
Before yesterdayReWolf's blog

Reverse engineering Mortal Kombat GRA file format (part 1)

By: ReWolf
24 August 2018 at 14:56
Disclaimer: This post is aimed at retro-gaming preservation and code-archeology. All product names, trademarks and registered trademarks are property of their respective owners. GRA files are used by the PC DOS version of Mortal Kombat 1 and 2 (available on GOG) to store all kinds of graphics. There are two different types of GRA files: […]

PCAUSA Rawether for Windows local privilege escalation

By: ReWolf
15 March 2017 at 08:29
Rawether for Windows is a framework that facilitates communication between an application and the NDIS miniport driver. It’s produced by a company named Printing Communications Assoc., Inc. (PCAUSA), which seems to be no longer operating. Company websites can be still reached through web.archive.org: http://web.archive.org/web/20151017034756/http://www.pcausa.com/ http://web.archive.org/web/20151128171809/http://www.rawether.net/ Rawether framework provides NDIS Protocol Driver similar to the NPF.SYS […]

GoGoGadget – kernel exploitation helper class

By: ReWolf
26 November 2016 at 23:09
The aim of this class is to facilitate building kernel shell-codes and ROP chains (at least before RFG kicks in sometime next year) by providing easy access to some of the available kernel information leaks. Under the hood I am using well known NtQuerySystemInformation with following classes: SystemExtendedHandleInformation, SystemModuleInformation. This piece of code came to […]

Leaking EPROCESS address of the specific SYSTEM processes

By: ReWolf
10 November 2016 at 01:19
Today I would like to briefly describe a simple method of obtaining the EPROCESS addresses of some specific system processes, which can be later used as a part of the Local Privilege Escalation exploit. This is an extension to the well known NtQuerySystemInformation (SystemExtendedHandleInformation) EPROCESSes leak. In the typical scenario SystemExtendedHandleInformation class can be used […]

MSI ntiolib.sys/winio.sys local privilege escalation

By: ReWolf
25 September 2016 at 23:15
So, it seems that not only ASUS drivers allows unprivileged reading and writing to physical memory. Just a few months ago I was looking at the drivers that are loaded on my machine, and I found small MSI driver called NTIOLib_X64.sys. Out of curiosity I’ve looked at it in IDA and it turned out that […]

IceCTF 2016 Slickserver/Slickerserver pwn writeup

By: ReWolf
26 August 2016 at 16:00
It’s almost 6 months since the last post, so to keep some good yearly average it’s finally time to write something here. For the last couple of months, most of my spare time went into various CTF challenges. Since I’m very new to CTFs, usually I’m not able to solve top scoring tasks and people […]

SSCTF 2016 Quals Re5 writeup

By: ReWolf
1 March 2016 at 12:26
I neither play CTFs, nor I do writeups for them. Well, both statements are not true anymore, but don’t expect too much CTF writeups on this blog anyway. The task was worth 500 points and according to my knowledge nobody submitted the flag on time (including me as well). So, enjoy the reading and I […]

wow64ext v1.0.0.8

By: ReWolf
11 December 2015 at 21:03
New version of wow64ext library is available for download: http://rewolf.pl/stuff/rewolf.wow64ext.v1.0.0.8.zipor if someone prefer github:https://github.com/rwfpl/rewolf-wow64ext Changelog Fixed elusive bug that appears only on AMD cpus Removed VS CRT dependencies – dll size shrank to 9kB (previously 41kB) Added sanity checks, so x64 switch won’t run on x86 OS More details AMD case is really interesting as […]

Terminus Project launch.

By: ReWolf
29 November 2015 at 01:04
I would like to announce launch of my new web-based tool: Terminus Project. It’s automatically generated diff of Windows structures with nice (I hope!) presentation layer. Currently it contains only data gathered from NTDLL PDBs (281 dlls at the moment of writing this post), but it can be easily extended with other libraries. Idea behind […]