Archive for the ‘SandMan’ Category

This post is the first of a series of articles/blog posts about the new System Information Classes under Windows 7 (32-bit at the moment) used by both NtQuerySystemInformation and the extended version of this API, NtQuerySystemInformationEx, introduced with Windows 7 and Windows Server 2008 R2. First of all, here is the prototype of these functions. NTSTATUS (WINAPI *NtQuerySystemInformationEx)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PULONG  [ Read More ]
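As an added example (not code from the original post or from the SandMan project), the following PowerShell snippet shows the calling convention every System Information Class shares: ntdll!NtQuerySystemInformation is called with a caller-owned buffer, and STATUS_INFO_LENGTH_MISMATCH (0xC0000004) is the signal to grow the buffer and retry. The prototype, the SystemProcessInformation class value (5) and the first two fields of SYSTEM_PROCESS_INFORMATION (NextEntryOffset, NumberOfThreads) are taken from the documented winternl.h header; the function names, buffer sizes and retry limit are this example's own choices.

```powershell
# Added example, not part of the original post. Calls ntdll!NtQuerySystemInformation
# through P/Invoke, handles STATUS_INFO_LENGTH_MISMATCH by growing the buffer, then
# walks the SYSTEM_PROCESS_INFORMATION chain it returns.
$ntdllSource = @"
using System;
using System.Runtime.InteropServices;
public static class NtDll {
    // Prototype as documented in winternl.h. NTSTATUS is a 32-bit signed value,
    // which matches how PowerShell parses the 0xC0000004 literal below.
    [DllImport("ntdll.dll")]
    public static extern int NtQuerySystemInformation(
        int SystemInformationClass, IntPtr SystemInformation,
        int SystemInformationLength, out int ReturnLength);
}
"@
Add-Type -TypeDefinition $ntdllSource

$STATUS_SUCCESS              = 0x00000000
$STATUS_INFO_LENGTH_MISMATCH = 0xC0000004   # PowerShell reads this as Int32 -1073741820
$SystemProcessInformation    = 5            # class value from winternl.h

function Get-SystemInformationBuffer {
    # Query one information class into unmanaged memory, growing the buffer until
    # the call succeeds. The caller owns the returned buffer and must free it.
    param([int]$Class)
    $size = 64KB
    for ($attempt = 0; $attempt -lt 8; $attempt++) {
        $buf    = [Runtime.InteropServices.Marshal]::AllocHGlobal($size)
        $needed = 0
        $status = [NtDll]::NtQuerySystemInformation($Class, $buf, $size, [ref]$needed)
        if ($status -eq $STATUS_SUCCESS) {
            return @{ Buffer = $buf; Size = $size }
        }
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        if ($status -ne $STATUS_INFO_LENGTH_MISMATCH) {
            throw ("NtQuerySystemInformation({0}) failed with NTSTATUS 0x{1:X8}" -f $Class, $status)
        }
        # ReturnLength is the size needed right now; the process list can grow
        # between two calls, so add headroom rather than retrying with exactly it.
        $size = [Math]::Max($needed, $size) + 16KB
    }
    throw "NtQuerySystemInformation buffer size never converged"
}

function Get-ProcessSummary {
    # Each SYSTEM_PROCESS_INFORMATION record starts with ULONG NextEntryOffset and
    # ULONG NumberOfThreads (winternl.h). NextEntryOffset == 0 marks the last record.
    $q = Get-SystemInformationBuffer -Class $SystemProcessInformation
    try {
        $processes = 0
        $threads   = 0
        $offset    = 0
        while ($true) {
            $entry      = [IntPtr]::Add($q.Buffer, $offset)
            $next       = [Runtime.InteropServices.Marshal]::ReadInt32($entry, 0)
            $threads   += [Runtime.InteropServices.Marshal]::ReadInt32($entry, 4)
            $processes += 1
            if ($next -eq 0) { break }
            $offset += $next
        }
        [pscustomobject]@{ Processes = $processes; Threads = $threads }
    }
    finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($q.Buffer)
    }
}

# Usage: compare the undocumented API's view with the documented one.
Get-ProcessSummary
"Get-Process sees {0} processes" -f (Get-Process).Count
```

The process count from the chain walk should match Get-Process closely (the first record is the Idle process, which Get-Process also reports, but a process may start or exit between the two calls). NtQuerySystemInformationEx follows the same buffer/length/ReturnLength discipline with an additional input buffer, which is what makes the newer classes the post goes on to describe queryable in the first place.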

Your hibernation file in a nutshell – Part II

December - 13 - 2008
Posted by Matthieu Suiche

Part I

X-Files. Episode 2. *Squeeze*

April - 30 - 2008
Posted by Matthieu Suiche

As said previously, it is really easy to find proof of plagiarism when an open-source tool is released and its source is then reimplemented in a commercial product without complying with the license. Andreas published a new article called The implementation by Vendor “S”. In this article, he explains the differences between the implementations of XpressDecode  [ Read More ]

As you probably know, Microsoft released last month several thousand pages of documentation about Office file formats and Windows protocols. That means hundreds (thousands?) of documented functions/algorithms with pseudo-code. But is this pseudo-code right? It appears not. While I was reading [MS-DRSR]: Directory Replication Service (DRS) Remote Protocol Specification, I was a bit curious to  [ Read More ]

New attack released – Windows has been vulnerable for 8 years.

March - 18 - 2008
Posted by Matthieu Suiche

In November 2007 at PacSec'07, Tokyo, Japan, Nicolas Ruff and I (Matthieu Suiche) presented how to create a readable physical memory dump from the undocumented Microsoft hibernation file. Last month, I published an open-source public version of this project called the SandMan Framework. This framework allows one to manipulate the hibernation file for offensive (malicious) or forensic uses.  [ Read More ]
