Comments for inREVERSE http://www.inreverse.net Mon, 29 Aug 2011 13:20:26 +0000 hourly 1 http://wordpress.org/?v=3.5.1 Comment on More on callbacks: ObRegisterCallbacks by swirl http://www.inreverse.net/?p=1740&cpage=1#comment-249 swirl Mon, 29 Aug 2011 13:20:26 +0000 http://www.inreverse.net/?p=1740#comment-249 thanks for the unknown field :) Sure there are several ways to bypass MmVerifyCallbackFunction, also passing the address of a xor eax, eax retn 8 gadget inside some verified driver and then changing the address in the CallbackList later to the real function.

]]> Comment on More on callbacks: ObRegisterCallbacks by Dmitry Varshavsky http://www.inreverse.net/?p=1740&cpage=1#comment-248 Dmitry Varshavsky Mon, 29 Aug 2011 13:15:56 +0000 http://www.inreverse.net/?p=1740#comment-248 Unknown field is EX_RUNDOWN_REF used to wait for all callback function to be finished before ObUnRegisterCallbacks returns.
Also, callbacks can be inserted by hand without calling any api and fooling MmVerifyCallbackFunction ( DKOM : ObjectType -> CallbackList and ObjectType -> TypeLock for synchronization ).
Reverse deeper :)
But still nice.

]]> Comment on More on callbacks: ObRegisterCallbacks by swirl http://www.inreverse.net/?p=1740&cpage=1#comment-221 swirl Sun, 10 Jul 2011 18:34:35 +0000 http://www.inreverse.net/?p=1740#comment-221 the must be stable enough to use in production :)
Don’t know why Microsoft didn’t enable other object types..

]]> Comment on More on callbacks: ObRegisterCallbacks by mj0011 http://www.inreverse.net/?p=1740&cpage=1#comment-220 mj0011 Sun, 10 Jul 2011 18:26:15 +0000 http://www.inreverse.net/?p=1740#comment-220 the newest version of sandboxie has already use this tech to filter file/token/section/…..

]]> Comment on More on callbacks: ObRegisterCallbacks by swirl http://www.inreverse.net/?p=1740&cpage=1#comment-219 swirl Sun, 10 Jul 2011 18:15:50 +0000 http://www.inreverse.net/?p=1740#comment-219 thanks and fixed :)

]]> Comment on More on callbacks: ObRegisterCallbacks by s4tan http://www.inreverse.net/?p=1740&cpage=1#comment-218 s4tan Sun, 10 Jul 2011 17:44:14 +0000 http://www.inreverse.net/?p=1740#comment-218 As always great post :)

P.S.
there is a little typo in the link to d.hatena.ne.jp

]]> Comment on CARO2011 – Java Malware Presentation by Hooter http://www.inreverse.net/?p=1687&cpage=1#comment-214 Hooter Thu, 09 Jun 2011 16:55:09 +0000 http://www.inreverse.net/?p=1687#comment-214 thx 4 sharing. good work :)

]]> Comment on Crimepack 3.1.3 – checking vital signs by why http://www.inreverse.net/?p=1401&cpage=1#comment-211 why Tue, 31 May 2011 19:05:58 +0000 http://www.inreverse.net/?p=1401#comment-211 where i can get your python beta tool?

]]> Comment on Driver packer by swirl http://www.inreverse.net/?p=327&cpage=1#comment-209 swirl Wed, 18 May 2011 16:31:30 +0000 http://www.inreverse.net/?p=327#comment-209 fixed, thanks :)

]]> Comment on Driver packer by why http://www.inreverse.net/?p=327&cpage=1#comment-208 why Wed, 18 May 2011 01:18:36 +0000 http://www.inreverse.net/?p=327#comment-208 +0×024 UNICODE_STRING DriverPath
+0×000 Len
+0×004 Max // errror – +0×002
+0×008 Buffer // +0×004

]]>