Re: How to close file handle in SYSTEM process?

Posted: Wed Jan 02, 2013 6:28 pm
by EP_X0FF
Buster_BSA wrote: Sometimes Buster Sandbox Analyzer stops analyzing because, as I commented, the RegHive file gets locked. The SYSTEM (PID 4) process has the lock and I have been unable to find any tool which unlocks the file.

Could someone write a command line tool which accepts a PID and a handle as arguments and tries to close the handle like myid's code does, please?

I want to check if that code can unlock RegHive so Buster Sandbox Analyzer can continue analysis.

Thanks in advance!
As far as I remember there is a BSA.sys in your bundle. Maybe you can just extend its functionality? There is no other way to do this trick without a driver. This also means it won't work on x64 without signing, of course. Also, closing a kernel handle may lead to uncertain consequences because we do not know the reason why this handle is not closed by its owner (sandboxie driver?).
R00tKit wrote: @EP_X0FF
This info is not documented, so your info about this "new check" is based on your coding experience for Win7? (Like wj32 when he developed PH for Win7.)
It is based on 2 minutes of looking in IDA. I never needed hacks like forcibly closing a kernel handle in a driver by request from user mode. Every new version of Windows always brings a lot of innovations and brainfcuks for cheaters.

Re: How to close file handle in SYSTEM process?

Posted: Wed Dec 25, 2013 12:03 pm
by FileSystem_Driver
Hi, use this sequence of methods:
1. Open the process with ZwOpenProcess(PID)
2. ZwQueryInformation(HANDLE) // PEB (for the base addresses of the modules I want to read)
3. PsLookupProcessByProcessId // get the EPROCESS
4. KeStackAttachProcess(EP) // get inside the process context
5. Read the PEB & data into a buffer 8 and handle, then ZwClose(), then detach & cleanup

Re: How to close file handle in SYSTEM process?

Posted: Thu Dec 26, 2013 8:18 am
by EP_X0FF
Last post 02 Jan 2013.
Your massive necroposting - what for? Thread closed.