August - 17 - 2007
Posted by Matthieu Suiche
Only the most skilled ninjas are able to find easter eggs… Even Alice needed to follow the rabbit to find them… “We are all mad here!” hihi
O.S. Version: Windows 2003 SP1 Checked only
Module: diskdump.sys ; Exported entry 10. ScsiPortGetPhysicalAddress
; SCSI_PHYSICAL_ADDRESS __stdcall ScsiPortGetPhysicalAddress
; (PVOID HwDeviceExtension,
; PSCSI_REQUEST_BLOCK Srb,
; PVOID VirtualAddress, [ Read More ]
August - 14 - 2007
Posted by Matthieu Suiche
http://www.microsoft.com/technet/security/advisory/932596.mspx Microsoft Security Advisory (932596) Update to Improve Kernel Patch Protection Published: August 14, 2007 An update is available for Kernel Patch Protection included with x64-based Windows operating systems. Kernel Patch Protection protects code and critical structures in the Windows kernel from modification by unknown code or data. This update adds additional checks to this [ Read More ]
August - 14 - 2007
Posted by Matthieu Suiche
As I explained in a previous post (here), there are some funny programmers in Redmond who like to put hidden strings in their binaries. The following sample is from the Windows 2000 kernel.
.text:004054A0 94 7F 00 C0 4F B9 60 EE 66 19 14 06 45 72 69 63 Eric
.text:004054B0 46 2E 4E 65 6C 73 [ Read More ]
August - 4 - 2007
Posted by Matthieu Suiche
If one day you want to fill a buffer (here the size is 0x10000) with null bytes and put a string inside, don’t forget the “a” between “>” and “<”:
kd> $$>a< "FULL_SCRIPT_PATH" BASE_ADDRESS
$$
$$ Matthieu Suiche 08/2007
$$ http://www.msuiche.net
$$
.if (${/d:$arg1}) { f ${$arg1} L10000 0 ea ${$arg1} "I'm a fucking string [ Read More ]
August - 3 - 2007
Posted by Matthieu Suiche
Here is a sample script for WinDbg for people who don’t want to waste time because they can’t find any documentation. Firstly, to declare a variable you must use the prefix “r”. Moreover, the name must be $t[0..n]. Secondly, if you use the flag “/D” after “.printf” you can use pseudo-HTML code inside. Thirdly, [ Read More ]