RSS Security

Low Level Pleasure

APC Series: KiUserApcDispatcher and Wow64

28 June 2020 at 00:00
I recommend reading the previous posts before reading this one:
User APC API: We discussed the user mode API of user APC.
User APC Internals: We discussed the implementation of user APC in the kernel.
Let’s continue our discussion about APC internals in Windows. This time we’ll discuss APC dispatching in user mode and how APC works in Wow64 processes:
The evolution of KiUserApcDispatcher
Modifications to APC functions to support Wow64
Wow64 APC injection techniques

The evolution of KiUserApcDispatcher
NTDLL contains a set of entry points that the kernel uses to run code in user mode, like KiUserExceptionDispatcher, KiUserCallbackDispatcher, …

APC Series: User APC Internals

2 June 2020 at 21:00
Hey! This is the second part of the APC Series, where I explore the internals of APC objects in Windows. If you haven’t read it, I recommend you read the first post about the User APC API. In this part I’ll explain:
How to queue user APCs from kernel mode
How user APCs are implemented in the Windows kernel
How user APCs are delivered to user mode
In this blog I won’t cover the internals of Special User APCs, because Special User APCs rely on Kernel APCs to perform their operation - I’ll explore this type in a future post after I explain Kernel APCs.

APC Series: User APC API

17 May 2020 at 00:00
Hey! Long time no see. Coronavirus makes it harder for me to write posts; I hope I’ll have the time to write - I have a lot I want to share! One of the things I did in the last few weeks is to explore the APC mechanism in Windows, and I wanted to share some of my findings. The purpose of this series is to allow you to get a systematic understanding of APC internals.

Dumping DPC Queues: Adventures in HIGH_LEVEL IRQL

17 January 2020 at 23:30
This post is part of the Practical Reverse Engineering Exercises series. To understand more about the basics of DPCs, read Reversing KeInsertQueueDpc (Source code below.)
Exercise: Write a driver to enumerate all DPCs on the entire system. Make sure you support multi-processor systems! Explain the difficulties and how you solved them.
Sounds fun! Let’s start. I thought about dividing this post into 2 posts, but nah.
Using Undocumented APIs in Windows
First of all, we need to understand that accessing the DPC queue from a real product is an extremely bad idea because it’s a pretty undocumented data structure.

Reversing DPC: KeInsertQueueDpc

5 January 2020 at 19:33
Exercise: Explain how the following functions work: KeInsertQueueDpc, KiRetireDpcList, KiExecuteDpc, and KiExecuteAllDpcs. If you feel like an overachiever, decompile those functions from the x86 and x64 assemblies and explain the differences.
If I want to explain the complete solution, I’ll have to divide this exercise into 2 posts. The first post is pretty simple: we are going to reverse engineer KeInsertQueueDpc. In future posts we’ll continue exploring DPCs and we will write code that dumps the DPC queues.

Practical Reverse Engineering Solutions

27 December 2019 at 16:33
Hey, here I save all the solutions to the Windows kernel chapter of the Practical Reverse Engineering book. The exercises in this book are pretty insightful. The target audience of these posts is:
People that want to read cool stuff about Windows kernel reverse engineering
People that want to learn how to break down reverse engineering tasks efficiently
People that actually do the exercises and need a reference to the solutions


27 December 2019 at 16:33
In this article I’m going over the solution to reverse engineering AuxKlibQueryModuleInformation. This exercise is one of the easiest exercises in the book. Exercise: In the walk-through, we mentioned that a driver can enumerate all loaded modules with the documented API AuxKlibQueryModuleInformation. Does this API guarantee that the returned module list is always up-to-date? Explain your answer. Next, reverse engineer AuxKlibQueryModuleInformation on Windows 8 and explain how it works. How does it handle the case when multiple threads are requesting access to the loaded module list?

Windows Library Code

9 December 2019 at 12:00
Intro
I thought I would make a guide about Windows library code. The target audience is beginners that want to understand more about Windows reverse engineering, development and compilation. I tried to make this guide as simple as possible. A “Library” is a term used in computer science for a collection of pre-written code / variables. Libraries are pretty useful for developers because they save development time. There are 2 types of libraries:

Abusing Signed Windows Drivers

12 November 2019 at 23:23
The Problem
We all know the “Driver Signature Enforcement” feature in Windows. This security feature won’t allow you to load unsigned drivers into the Windows kernel. To bypass this protection, many attackers use vulnerable signed drivers, like Turla. They try to find vulnerabilities in these drivers and exploit them. What people don’t think about is the fact that it’s way simpler than finding an exploitable memory corruption bug in a software driver - sometimes the driver just exposes the functionality via DeviceIoControl, and this can be used to perform malicious operations in kernel mode.

Autochk Rootkit Analysis

1 November 2019 at 11:00
Introduction
Finally had time to write about this rootkit I saw last week. This rootkit is very simple, it does not employ any uber fancy methods or something, but I do find it nice, so I wanted to share. The name of the driver is “autochk.sys” - that’s why we’ll call it the autochk rootkit. The sample is already known (28924b6329f5410a5cca30f3530a3fb8a97c23c9509a192f2092cbdf139a91d8), but I haven’t found any public analysis. The rootkit was compiled on 27/8/2017 according to the PE timestamp.

Reverse Engineering Optimizations: Division By Multiplication

26 October 2019 at 15:06
Intro
Reverse engineering compiler optimizations can delay a reverse engineer a lot. By learning how the compiler optimizes certain things, you can save lots of time. Knowing the pattern, the next time you see this optimization you’ll recognize right away how to decompile it. In this blog post series I’ll document how to decompile certain compiler optimizations; I hope it’ll save some time for you.
Division By Multiplication
There’s no heavy math in this post lol.

About Me

19 October 2019 at 16:37
Hey! My name is Ori Damari, and I love low level code. I hope you find this blog interesting and learn new stuff. I do low level research for a living. My main interests are:
Malware
Operating Systems
Windows Internals
Reverse Engineering
Kernel Development
Software Development
repnz is my nickname (I pronounce it rep notzero..) - I like assembly. You can contact me easily using Twitter messages: @0xrepnz

Finding main() easily

11 October 2019 at 22:30

The entry point of an executable is normally the runtime initialization code - so how can you easily find main()?

Random PDC Driver

8 October 2019 at 13:37
Found this funny driver: The pdc.sys windows driver has a DriverUnload routine but it calls KeBugCheckEx causing a bluescreen. Just run "sc stop pdc" and see for yourself ;) I wonder why they registered DriverUnload if the driver does not support unload.. 🤔 — Ori Damari (@0xrepnz) October 8, 2019

Reversing the x64 calling convention

6 October 2019 at 00:24

In this article I will explain what the x64 calling convention looks like in Windows and we’ll dive into how it influences reverse engineering.

Windows Critical Threads

21 September 2019 at 14:56

In the Windows kernel, each kernel object has Query/SetInformation functions which can be used to manipulate the kernel object’s members from user/kernel mode. These functions receive an “INFOCLASS” which is basically the member we want to modify/query.

How .NET executables are loaded

13 September 2019 at 14:56

I’ve always wondered how .NET executables are loaded..

Windows Imports Searcher

27 July 2019 at 16:37

Support Windows OS Reversing by searching easily for references to functions across many DLLs