Re: Kernel Object Hijack
PostPosted:Sun Feb 26, 2012 10:33 am
You are saying cross check..again, we come to the device io control...TDL3 infect driver detection to sample code?
KernelMode.info
A forum for reverse engineering, OS internals and malware analysis
https://www.kernelmode.info/forum/
Kernel Object Hijack
Page 2 of 2
Re: Kernel Object Hijack
PostPosted:Sun Feb 26, 2012 3:10 pm
How this screenshot is related to heuristic detection of TDL3/4? Alex has already given you the entire Xuetr detection route.
Re: Kernel Object Hijack
PostPosted:Sun Feb 26, 2012 4:25 pm
Where do I use this routines? I don't write driver for detector. I need a example to detector driver.. Trying to tell it...
Re: Kernel Object Hijack
PostPosted:Mon Feb 27, 2012 1:46 pm
Where do I use this routines?In driver, since to list driver/device objects you need to touch kernel memory.
I need a example to detector driver..Copy-pasting is not welcomed. Show your work. Currently I only see nonsense screenshots with OllyDbg.
I don't write driver for detectorThen what you do?
Re: Kernel Object Hijack
PostPosted:Mon Feb 27, 2012 5:50 pm
DriverEntry proc pDriverObject:PDRIVER_OBJECT, pusRegistryPath:PUNICODE_STRING
.if I can do it != I want to sample
invoke DbgPrint, $CTA0("This is my work.
")
mov I'mProgramer, FALSE
.endif
.if I'mProgramer == FALSE
invoke DbgPrint, $CTA0(" HELP ")
.endif
mov eax, STATUS_DEVICE_CONFIGURATION_ERROR
ret
DriverEntry endp
.if I can do it != I want to sample
invoke DbgPrint, $CTA0("This is my work.
")mov I'mProgramer, FALSE
.endif
.if I'mProgramer == FALSE
invoke DbgPrint, $CTA0(" HELP ")
.endif
mov eax, STATUS_DEVICE_CONFIGURATION_ERROR
ret
DriverEntry endp
Re: Kernel Object Hijack
PostPosted:Tue Feb 28, 2012 2:17 am
Oh I see. Forget about TDL. You are too inexperienced for it. You should start from something simpler. And the first step should be abandon ASM as language for drivers developing. See http://www.kernelmode.info/forum/viewto ... f=14&t=374 as one of the start points. Thread has exhausted itself and closed.