Category: windows 10

Beyond Process and Object Callbacks: An Unconventional Method

Overview In this article, I wanted to introduce a fun approach to performing functions similar to those enabled by Windows Object Callbacks but through an alternative means. It’s well known that anti-malware, anti-cheat, and generic monitoring tools on Windows systems often use these callbacks. However, their usability is limited to parties with signed modules, and […]

Read More

Fun with another PG-compliant Hook

Overview In this article, we’ll be covering a fun alternative to the treasured InfinityHook from Nick Peterson. This alternative method was discovered by Aidan Khoury¬†following the release and subsequent patch of the EtwpGetCycleCount target by Microsoft without any acknowledgements to the original authors. This method has been tested from early Windows 10 to latest Windows […]

Read More

Reading MSRs from UserMode

After speaking with some pals online about Windows 10’s policy requiring drivers to be digitally signed in order to load the lot of us began digging into tools that use signed drivers – you know… to see if there was any fun to be had with drivers that don’t validate UserMode addresses that are passed […]

Read More

Recovering Deleted Windows Files [Breakdown and Theory]

When you delete a file on Windows, specifically Windows 10 Professional x64, it is removed from the user’s view and placed in the recycle bin for permanent deletion. Once that permanent deletion is performed, some ask the question “is the file really gone?” The answer is no, not immediately, and even after permanent deletion it’s […]

Read More

Usermode Debugger Check Prevention

It’s easy enough to use OllyDbg or any other debugger to bypass debugger checks, but any sort of anti-debugging technique that utilizes the time stamp counter such as QueryPerformanceCounter, GetTickCount, and others, can be bypassed by setting the 2nd bit in control register 4 (CR4) which disables the TimeStamp Counter from working for applications operating […]

Read More

Breaking Down System Routines #2 [NtQuerySystemInformation]

System Routine Overview NtQuerySystemInformation¬†is a system routine that gathers system information specific to the class value provided. During this breakdown, we’ll look at it in much more depth because, like the previous system routine documented, it’s just a wrapper for an internal kernel routine that actually gathers the system information. However, the internal routine it […]

Read More