Low Level Pleasure

Practical Reverse Engineering Solutions

27 December 2019 at 16:33
Hey, here I save all the solutions to the Windows kernel chapter of the Practical Reverse Engineering book. The exercises in this book are pretty insightful. The target audience of these posts is: people who want to read cool stuff about Windows kernel reverse engineering; people who want to learn how to break down reverse engineering tasks efficiently; and people who actually do the exercises and need a reference for the solutions.

AuxKlibQueryModuleInformation

27 December 2019 at 16:33
In this article I’m going over the solution to reverse engineering AuxKlibQueryModuleInformation. This exercise is one of the easiest exercises in the book. Exercise: In the walk-through, we mentioned that a driver can enumerate all loaded modules with the documented API AuxKlibQueryModuleInformation. Does this API guarantee that the returned module list is always up-to-date? Explain your answer. Next, reverse engineer AuxKlibQueryModuleInformation on Windows 8 and explain how it works. How does it handle the case when multiple threads are requesting access to the loaded module list?

Windows Library Code

9 December 2019 at 12:00
Intro: I thought I would make a guide about Windows library code. The target audience is beginners who want to understand more about Windows reverse engineering, development and compilation. I tried to make this guide as simple as possible. A “library” is a term used in computer science for a collection of pre-written code and variables. Libraries are pretty useful for developers because they save development time. There are 2 types of libraries:

Abusing Signed Windows Drivers

12 November 2019 at 23:23
The Problem: We all know the “Driver Signature Enforcement” feature in Windows. This security feature won’t allow you to load unsigned drivers into the Windows kernel. To bypass this protection, many attackers, like Turla, use vulnerable signed drivers. They try to find vulnerabilities in these drivers and exploit them. What people don’t think about is the fact that it’s way simpler than finding an exploitable memory corruption bug in a software driver: sometimes the driver just exposes the functionality via DeviceIoControl, and this can be used to perform malicious operations in kernel mode.

Autochk Rootkit Analysis

1 November 2019 at 11:00
Introduction: I finally had time to write about this rootkit I saw last week. This rootkit is very simple; it does not employ any uber fancy methods, but I do find it nice, so I wanted to share. The name of the driver is “autochk.sys”, which is why we’ll call it the autochk rootkit. The sample is already known (28924b6329f5410a5cca30f3530a3fb8a97c23c9509a192f2092cbdf139a91d8), but I haven’t found any public analysis. The rootkit was compiled on 27/8/2017 according to the PE timestamp.

Reverse Engineering Optimizations: Division By Multiplication

26 October 2019 at 15:06
Intro: Reverse engineering compiler optimizations can delay a reverse engineer a lot. By learning how the compiler optimizes certain things, you can save lots of time. Knowing the pattern, the next time you see this optimization you’ll recognize right away how to decompile it. In this blog post series I’ll document how to decompile certain compiler optimizations; I hope it’ll save some time for you. Division By Multiplication: There’s no heavy math in this post lol.

About Me

19 October 2019 at 16:37
Hey! My name is Ori Damari, and I love low level code. I hope you find this blog interesting and learn new stuff. I do low level research for a living. My main interests are: malware, operating systems, Windows internals, reverse engineering, kernel development and software development. repnz is my nickname (I pronounce it rep notzero..) - I like assembly. You can contact me easily using Twitter messages: @0xrepnz

Random PDC Driver

8 October 2019 at 13:37
Found this funny driver: The pdc.sys windows driver has a DriverUnload routine but it calls KeBugCheckEx causing a bluescreen. Just run "sc stop pdc" and see for yourself ;) I wonder why they registered DriverUnload if the driver does not support unload.. 🤔 pic.twitter.com/TNpKIZGvZX — Ori Damari (@0xrepnz) October 8, 2019