Support Windows OS Reversing by searching easily for references to functions across many DLLs
Low Level Pleasure
How .NET executables are loaded
13 September 2019 at 14:56
I've always wondered how .NET executables are loaded.
Windows Critical Threads
21 September 2019 at 14:56
In the Windows kernel, each kernel object has Query/SetInformation functions which can be used to manipulate the kernel object's members from user/kernel mode. These functions receive an "INFOCLASS", which is basically the member we want to modify/query.
Reversing the x64 calling convention
6 October 2019 at 00:24
In this article I will explain what the x64 calling convention looks like in Windows and we'll dive into how it influences reverse engineering.
Random PDC Driver
8 October 2019 at 13:37
Found this funny driver: The pdc.sys Windows driver has a DriverUnload routine but it calls KeBugCheckEx causing a bluescreen.
Just run "sc stop pdc" and see for yourself ;)
I wonder why they registered DriverUnload if the driver does not support unload.. pic.twitter.com/TNpKIZGvZX
- Ori Damari (@0xrepnz) October 8, 2019
Finding main() easily
11 October 2019 at 22:30
The entry point of an executable is normally the runtime initialization code, so how can you easily find main()?
About Me
19 October 2019 at 16:37
Hey!
My name is Ori Damari, and I love low level code.
I hope you find this blog interesting and learn new stuff.
I do low level research for a living. My main interests are:
Malware
Operating Systems
Windows Internals
Reverse Engineering
Kernel Development
Software Development
repnz is my nickname (I pronounce it rep notzero..) - I like assembly.
You can contact me easily using Twitter messages: @0xrepnz
Reverse Engineering Optimizations: Division By Multiplication
26 October 2019 at 15:06
Intro
Reverse engineering compiler optimizations can delay a reverse engineer a lot. By learning how the compiler optimizes certain things, you can save lots of time. Knowing the pattern, the next time you see this optimization you'll recognize right away how to decompile it.
In this blog post series I'll document how to decompile certain compiler optimizations; I hope it'll save some time for you.
Division By Multiplication
There's no heavy math in this post, lol.
Autochk Rootkit Analysis
1 November 2019 at 11:00
Introduction
Finally had time to write about this rootkit I saw last week. This rootkit is very simple; it does not employ any uber fancy methods or anything, but I do find it nice so I wanted to share. The name of the driver is "autochk.sys" - that's why we'll call it the autochk rootkit. The sample is already known (28924b6329f5410a5cca30f3530a3fb8a97c23c9509a192f2092cbdf139a91d8), but I haven't found any public analysis. The rootkit was compiled on the 27/8/2017 according to the PE timestamp.
Abusing Signed Windows Drivers
12 November 2019 at 23:23
The Problem
We all know the "Driver Signature Enforcement" feature in Windows. This security feature won't allow you to load unsigned drivers into the Windows kernel. To bypass this protection, many attackers, like Turla, use vulnerable signed drivers. They try to find vulnerabilities in these drivers and exploit them. What people don't think about is the fact that it's way simpler than finding an exploitable memory corruption bug in a software driver - sometimes the driver just exposes the functionality via DeviceIoControl, and this can be used to perform malicious operations in kernel mode.
Windows Library Code
9 December 2019 at 12:00
Intro
I thought I would make a guide about Windows library code. The target audience is beginners that want to understand more about Windows reverse engineering, development and compilation. I tried to make this guide as simple as possible.
A "Library" is a term used in computer science for a collection of pre-written code / variables. Libraries are pretty useful for developers because they save development time.
There are 2 types of libraries:
AuxKlibQueryModuleInformation
27 December 2019 at 16:33
In this article I'm going over the solution to reverse engineering AuxKlibQueryModuleInformation. This exercise is one of the easiest exercises in the book.
Exercise:
In the walk-through, we mentioned that a driver can enumerate all loaded modules with the documented API AuxKlibQueryModuleInformation. Does this API guarantee that the returned module list is always up-to-date? Explain your answer. Next, reverse engineer AuxKlibQueryModuleInformation on Windows 8 and explain how it works. How does it handle the case when multiple threads are requesting access to the loaded module list?
Practical Reverse Engineering Solutions
27 December 2019 at 16:33
Hey! Here I collect all the solutions to the Windows kernel chapter of the Practical Reverse Engineering book. The exercises in this book are pretty insightful.
The target audience of these posts is:
People that want to read cool stuff about Windows kernel reverse engineering
People that want to learn how to break down reverse engineering tasks efficiently
People that actually do the exercises and need a reference to the solutions.
Reversing DPC: KeInsertQueueDpc
5 January 2020 at 19:33
Exercise:
Explain how the following functions work: KeInsertQueueDpc, KiRetireDpcList, KiExecuteDpc, and KiExecuteAllDpcs. If you feel like an overachiever, decompile those functions from the x86 and x64 assemblies and explain the differences.
If I want to explain the complete solution I'll have to divide this exercise into 2 posts. The first post is pretty simple: we are going to reverse engineer KeInsertQueueDpc. In future posts we'll continue exploring DPCs and we will write code that dumps the DPC queues.
Dumping DPC Queues: Adventures in HIGH_LEVEL IRQL
17 January 2020 at 23:30
This post is part of the Practical Reverse Engineering Exercises series.
To understand more about the basics of DPCs, read Reversing KeInsertQueueDpc.
(Source code below.)
Exercise: Write a driver to enumerate all DPCs on the entire system. Make sure you support multi-processor systems! Explain the difficulties and how you solved them.
Sounds fun! Let's start. I thought about dividing this post into 2 posts, but nah.
Using Undocumented APIs in Windows
First of all, we need to understand that accessing the DPC queue from a real product is an extremely bad idea because it's a pretty undocumented data structure.
APC Series: User APC API
17 May 2020 at 00:00
Hey! Long time no see.
Coronavirus makes it harder for me to write posts; I hope I'll have the time to write - I have a lot I want to share!
One of the things I did in the last few weeks is to explore the APC mechanism in Windows and I wanted to share some of my findings. The purpose of this series is to allow you to get a systematic understanding of APC internals.
APC Series: User APC Internals
2 June 2020 at 21:00
Hey! This is the second part of the APC Series, where I explore the internals of APC objects in Windows. If you haven't read it, I recommend reading the first post about the User APC API. In this part I'll explain:
How to queue user APCs from kernel mode
How user APCs are implemented in the Windows kernel
How user APCs are delivered to user mode
In this post I won't cover the internals of Special User APCs, because Special User APCs rely on Kernel APCs to perform their operation - I'll explore this type in a future post after I explain Kernel APCs.
APC Series: KiUserApcDispatcher and Wow64
28 June 2020 at 00:00
I recommend reading the previous posts before reading this one:
User APC API: We discussed the user mode API of user APCs
User APC Internals: We discussed the implementation of user APCs in the kernel
Let's continue our discussion about APC internals in Windows. This time we'll discuss APC dispatching in user mode and how APCs work in Wow64 processes:
The evolution of KiUserApcDispatcher
Modifications to APC functions to support Wow64
Wow64 APC injection techniques
The evolution of KiUserApcDispatcher
NTDLL contains a set of entry points that the kernel uses to run code in user mode, like: KiUserExceptionDispatcher, KiUserCallbackDispatcher, ...