Research Blog

Breaking Down System Routines #2 [NtQuerySystemInformation]

System Routine Overview NtQuerySystemInformation is a system routine that gathers system information specific to the class value provided. During this breakdown, we’ll look at it in much more depth because, like the previous system routine documented, it’s just a wrapper for an internal kernel routine that actually gathers the system information. However, the internal routine it […]

Read More

Breaking Down System Routines #1 [NtQuerySection]

NtQuerySection is a system routine for the Windows operating system that queries information related to a section object and provides the information regarding that object by filling a buffer passed to the function. As an important note, all disassembly and reversing took place on Windows 10 x64 Professional. It requires 4 arguments, 5 if you […]

Read More

Hiding Strings from Disassemblers

Developers attempt to obscure or obfuscate any reverse engineers view of strings through the use of compile-time encryption techniques, packing, virtualization, and the like. In this post, I briefly describe a method to prevent strings from entering the .rdata segment of the executable by using a method of indirect initialization forcing the various characters and […]

Read More

SizeOfStackReserve Denial of Service

In this post I will be referencing information I’ve found through reversing and through waleedassars blog article titled SizeOfStackReserve Anti-Attaching Trick. It should be noted that the following was tested on Windows 10. The routine RtlCreateUserStack in ntoskrnl.exe is called following a call to CreateRemoteThread, CreateThread, and/or of course NtCreateThreadEx. The RtlCreateUserStack is called far later in a […]

Read More

TEB Structure for Windows 10 Pro x64

A lot of structures that are extremely useful happen to be partially documented by MSFT. I decided to rebuild the TEB structure to it’s fullest extent with the proper members and the associated structures as well. Skim through this post for the structures and their full definitions. If you believe something is missing please do […]

Read More

Using Flags of RTL_USER_PROCESS_PARAMETERS for Anti-Debugging

OverviewThere are various flags in the PEB associated with a specific process such as the CrossProcessFlags, the BitField (4th member of the PEB), AppCompatFlags, and so forth. I’d always tried looking for differences in the flags when operating in a standard runtime environment vs. a debugged runtime environment and after many failed attempts to find […]

Read More