A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #23175  by EP_X0FF
 Sat Jun 21, 2014 3:18 am
alaf1234567890 wrote:Where can I get these 2 files :

"rtls\prtl.h"
"ntdll\winnative.h"
Nowhere. It is our C runtime reimplementation and native API based support routines you have to implement yourself.
 #23350  by Mr-Smash
 Mon Jul 14, 2014 6:13 am
I get handle to the device after loading driver,
but DeviceIoControl (in ControlDSE) returns incorrect output :


#define VBoxDrvDevName L"\\\\.\\VBoxDrv"


main.cpp ========================================

hDriver = NativeOpenDevice(VBoxDrvDevName);


Winnative.cpp ===================================

HANDLE NativeOpenDevice(WCHAR DevName[BUFFER_SIZE])
{
HANDLE hDriver = CreateFileW(DevName,
FILE_ALL_ACCESS,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_FLAG_OVERLAPPED | FILE_ATTRIBUTE_NORMAL,
NULL);

return hDriver;
}


main.cpp -> ControlDSE ==========================

if (!DeviceIoControl(hDriver, SUP_IOCTL_COOKIE, &Cookie, SUP_IOCTL_COOKIE_SIZE_IN, &Cookie,
SUP_IOCTL_COOKIE_SIZE_OUT, &bytesIO, NULL)) goto fail;
Attachments
(6.32 MiB) Downloaded 91 times
 #23534  by TurlaBoy
 Wed Aug 06, 2014 7:25 pm
Hey EP_X0FF,

Nice work, I just wonder if MS (smoked)employees really thought someday driver signature checking would help against RKs since the begginning, you guys just need to realize you can't give users protection against undocumented stuff, and unknown attack techniques, PG is useless against thousands of attacks, and now again, a lot of malware crap are going to use this, and you guys are gonna try to protect DSE var with another USELESS stuff, and who is losing with this useless cycle?

OpenSouce projects, people who want to learn, to develop, and the cycle restarts, the snake eats it's tail
 #23536  by Vrtule
 Thu Aug 07, 2014 7:04 am
TurlaBoy wrote:Hey EP_X0FF,

Nice work, I just wonder if MS (smoked)employees really thought someday driver signature checking would help against RKs since the begginning, you guys just need to realize you can't give users protection against undocumented stuff, and unknown attack techniques, PG is useless against thousands of attacks, and now again, a lot of malware crap are going to use this, and you guys are gonna try to protect DSE var with another USELESS stuff, and who is losing with this useless cycle?

OpenSouce projects, people who want to learn, to develop, and the cycle restarts, the snake eats it's tail
I agree with you. The thing of driver signing and certificates is more about business than security. AFAIK nothing really forces you to revoke your code signing certificate when a vulnerability in your driver is found, allowing to bypass DSE etc. is found. Hence, the DSE filters out only people that are developing open source software and do not want to pay and those who cannot pass the verification process (if you have a valid passport, you won't have any problem).
 #24618  by EP_X0FF
 Mon Dec 15, 2014 4:16 pm
Small cosmetic update to reflect latest idiotic changes in Windows 10 TP 9901 build. Compiled executable cleaned from AV detection.

https://www.virustotal.com/en/file/1865 ... /analysis/
Last edited by EP_X0FF on Tue Mar 10, 2015 10:58 am, edited 1 time in total. Reason: removed attach