Fun with another PatchGuard-compliant Hook
Overview In this article, we’ll be covering a fun alternative to the treasured InfinityHook from Nick Peterson. This alternative method was discovered by Aidan Khoury following the release and subsequent patch of the EtwpGetCycleCount target by Microsoft without any acknowledgements to the original authors. This method has been tested from early Windows 10 to latest Windows […]
Applied Reverse Engineering: Accelerated Assembly [P2]
Overview After reading feedback from the first part to the Accelerated Assembly guide, I’ve decided to take on a custom target, and call back to high-level languages when we encounter obscure or new pieces in the assembly. I realize that the level of detail in my last article may have been cumbersome to some readers, […]
Applied Reverse Engineering: Accelerated Assembly [P1]
Overview In this article you’ll be guided through a course on the x86 Instruction Set. This article serves at as a quick fix to the problem of not knowing where to start when learning Assembly. We’ll be covering instruction format briefly, and then jump right in to the instructions. This is like learning another language, […]
Applied Reverse Engineering: Exceptions and Interrupts
Overview To continue learning important topics within the OS and architecture, and before diving into the deep end of the application, we’re going to cover a topic that is relevant to reverse engineering and development in general: exceptions and interrupts. In this article, you’ll learn about exceptions/interrupts from the ground up. What they are, the […]
Applied Reverse Engineering: The Stack
Overview This article is written for new reverse engineers who have a hard time understanding the stack, its layout, how it works, and the various requirements for proper function. It can be a confusing concept to wrap your head around at first, but after reading this article you should have a very deep understanding of […]
Applied Reverse Engineering: Basic Architecture
Overview Thanks for joining me in my newest series Applied Reverse Engineering. I decided to write this new series concurrently with the EPT series except I pushed out the first five for this one and haven’t started the other. Typical. Anyways, I have to give a little preface to the article and series as well […]
Applied Reverse Engineering Series
Series Overview This series is intended for readers who are interested in reverse engineering but have only opened a debugger a handful of times. If you have trouble with certain concepts of reverse engineering, tooling, disassembly or debugging then you’ve come to the right place. Starting from the ground up we’ll work our way to […]
Syscall Hooking via Extended Feature Enable Register (EFER)
Since the dawn of KVA Shadowing (KVAS), similar to Linux’s KPTI, which was developed by Microsoft to mitigate Meltdown vulnerabilities, hooking syscalls among other potentially malicious things has become increasingly difficult in Windows. Upon updating my virtualization toolset which utilizes syscall hooking strategies to assist in control flow analysis, I had trouble when trying to […]
Detecting Hypervisor Presence on Windows 10
Detecting a hypervisor on Windows 10 is relatively simple, but due to the simplistic nature of the currently published detection vectors it’s likely that they are also relatively simple to spoof or remove. In this article we’ll detail a few ways of detecting a hypervisors presence on Windows 10, determining if it’s a Microsoft hypervisor, […]
Hiding Drivers on Windows 10
Disclaimer: All experiments and development were performed on Windows 10 x64 (Version 1703, Build 15063.540). Any attempt to replicate results on a different version or operating system may yield inconsistent results. —– It’s a pretty common objective in the game hacking community to load and attempt to hide their kernel modules from prying eyes. The […]