Ok thanks. One last thing, on the link http://j00ru.vexillium.org/win32k_syscalls/ , the system calls are on 4*4 bits, but in the hardcoded sample, we have only 3*4 bits. The first "1" which is on every syscall is missing. So where has it gone? ...
A forum for reverse engineering, OS internals and malware analysis
Searched query: j00ru
Here is a list with indexes of SSDT of different OSes - Windows WIN32K.SYS System Call Table (NT/2000/XP/2003/Vista/2008/7) and here is an example of how to hook SSDT - HookShadowSSDT.rar and finally some description: Chapter 5 - Monitoring Native API Calls (source - Undocumented Windows 2000 Secrets).
http://j00ru.wordpress.com/2009/07/04/dllmain-and-its-uncovered-possibilites/ Has some ideas about how the parameter may be used. •Passing information between two or more static modules As Gynvael Coldwind suggested, the fact ...
Here is j00ru's TraceHook v0.0.1, which tries to dump a whole process's user mode address space. I think it should use the NtXxx function address directly. You can't be sure that NtXxx functions are safe before using them, as any other significant ...
... plans on sharing the source? Let me enclose two kernel screenshots from the Windows XP SP3 and Windows Vista SP2 kernels ;) Windows XP SP3: http://j00ru.vexillium.org/dump/Windows_XP_SP3.PNG Windows Vista SP2: http://j00ru.vexillium.org/dump/Windows_Vista_SP2.PNG Overall, good job ;)
Hello, MemMAP is a tool inspired by j00ru's KernelMAP (see here). I've written my own version with a couple more interesting features. A list follows: More memory types included (kernel thread stacks and GDI objects) Ability to visualize the ...
... • microsoft.public.win32.programmer.kernel • microsoft.public.windbg KernelmodeInfo Blog CURRENT_IRQL :-) j00ru//vx tech blog Coding, reverse engineering, OS internals Blog http://j00ru.vexillium.org/ Nynaeve http://www.nynaeve.net/ DumpAnalysis Blog http://www.dumpanalysis.org/ ...
A small project I've been working on for a long time called Sin32, which is an LPC/(L)RPC server. If you want to know more about LPC see j00ru's posting about csrss, or my posting about minimal RPC, or my various posts about Sin32 on http://www.woodmann.com . I recently found this open source ...
... crash, guess what? The exact same screen corruption occurred, the BSOD with the F-whatever error came up and a minidump was saved. Over here http://j00ru.vexillium.org/ I was reading up on csrss.exe (but it is over my head to be honest, I just cannot connect the dots as a non-programmer, but maybe ...
... code privilege from user-land to ring0. The idea was turned into some PoC exploits, and finally, into the paper presented below..." by Matthew "j00ru" Jurczyk and Gynvael Coldwind: http://vexillium.org/dl.php?call_gate_exploitation.pdf <- Paper http://vexillium.org/dl.php?ldtsource.zip <- Source ...