#29162 by myid, Thu Sep 01, 2016 6:03 pm
Hi, I want to know how PCHunter enumerates ports. I tried these ways to test it; all failed:
1. Hook IRP_MJ_DEVICE_CONTROL of TCPIP.SYS (NT5) or TDX.SYS (NT6).
2. Hook IRP_MJ_DEVICE_CONTROL of TCPIP.SYS (NT5) or TDX.SYS (NT6), and delete TCPIP.SYS (NT5) or TDX.SYS (NT6) to prevent PCHunter from getting the original address.
3. Hook NETIO!NsiGetAllParametersEx and NETIO!NsiGetParameterEx, returning STATUS_UNSUCCESSFUL (tested on NT6).
All these ways can bypass NETSTAT.EXE, but have no effect on PCHunter.
#29163 by EP_X0FF, Fri Sep 02, 2016 5:17 am
Maybe it is locating the TCB table in nonpaged memory, something similar to what various forensic tools like Volatility do.
#29166 by myid, Fri Sep 02, 2016 10:49 am
EP_X0FF wrote: Maybe it is locating the TCB table in nonpaged memory, something similar to what various forensic tools like Volatility do.

What is the "TCB table"? Could you give me a name? I want to explore it with WinDbg.