I am currently attempting to reverse engineer some malware that creates and runs a kernel mode driver. It has many, many anti-debug techniques but the Scylla Hide plugin is able to bypass them all. Is there anyway to make those changes permanent?
The end goal is to run windbg so I can see the service that creates and runs the kernel mode driver but the malware is currently detecting the presence of windbg.
Thanks in advance!
Related
I'm trying to find a way of replicating the action / instruction that a physical button being pushed on a control panel sends to the software of a CNC machine of ours.
Ultimately I would like to integrate this instruction into an executable file I could make using AutoIT, but that is further down the line!
After some googling, resulting in all kinds of weird and wonderful results, I'm at a loss of how to begin this task. I believe I need to either use debugging software to find the instruction as it takes place, or possibly Process Monitor?
The machine runs off of a Windows XP machine.
Unfortunately obtaining this information from the manufacturer is not an option.
If anyone could help point me in the right direction that would be appreciated,
Thanks
Edit: I have since come across Windows Hooks, Detours and Interception, but still haven't made much progress!
Your topic is too broad ... You might as well be asking "How do I reverse engineer?" First thing I would do would be to load up the program in a debugger, put a breakpoint in the callback function and find out what the button is doing. What you will most likely find is that it's pushing some information onto the stack and making a call to an external .DLL such as an API or device driver ( you could probably find out which DLL using Process Monitor too ). Just load that .DLL up into your new program and make the same call.
Today, i observed an interesting behavior. I am using windows XP-sp3 OS.
When i open a new tab in Google Chrome & view the task manager, a new process is created.
But, after some time, this process is terminated.
Why it is showing such kind of behavior? Is it due to system call vfork()? Does the child process immediately call exec()?
Does it happen only with Google Chrome or all other browsers behave in a similar fashion?
AFAIK Chrome maintains one process for each tab, also one process for some plugins too. They preferred multi-process architecture over multi-threaded one because when you are making network application which communicate with network all the time, you can expect to receive packets which can garble the memory. So having multi-process will prevent all but one process, as opposed to multi-threaded will kill the the tabs.
You can enlighten your self on following blog:
http://blog.chromium.org/2008/09/multi-process-architecture.html
I'm developing a Chrome App (as a packaged app/extension) which purpose is to act as the base platform for several fullscreen apps to be build on top of. Chrome will be running on Ubuntu Linux.
And no trouble so far. But then I was told, that an intended app it is to be the platform for requires the source code to be updated with very short notice, as it probably is to be deployed for large scale use before the system has been tested through (even though it's a bad idea to deploy software that's not completely stable, but we're on a tight schedule). The problem is, that the "a few hours" interval for the autoupdating mechanism just isn't good enough.
So I somehow need to have the updating interval changed. I know this can be done with the --extensions-update-frequency command line switch, but as apps cannot access the command line (for obvious security reasons), and I'd prefer that the intended background page was to handle all the "administration", I don't think that switch is possible to use.
Is it somehow possible to update at a higher frequency? Or at times when it's ordered to?
There is now a method chrome.runtime.requestUpdateCheck():
Requests an update check for this app/extension.
It will return a status, which can be either "no_update", "update_available" or "throttled".
Unfortunately, the docs do not specify the limits for frequency that will trigger "throttled".
Your best option will be to have the extension manually check with your servers for an updated version. If there is an updated version show the user a desktop notification to manually update.
Potentially you could write a NPAPI plugin to modify the update frequency.
This may cause issues with CSP but you can try to live load JavaScript from your server that executes in the extension. In this case to "update" your extension you would simply update the JS hosted on your servers and the extension would automatically start using it on next load.
Battlelog was released by EA alongside Battlefield 3 recently, and I'm curious how it is able to launch games, such as Battlefield 3, from a web browser?
More generally, how does a website launch programs locally?
I'm one of the developer responsible for the launch part of Battlelog. It's handled by a combination of the installed web browser plugin and JavaScript. Launching the game basically goes through these steps.
We figure out where you've installed the BF3.exe by using a registry key
We use the plugin to launch that exe with a couple of command line options
When the game client has launched, it opens a connection back to the plugin, for two-way communication between Battlelog and the game.
Game client sends state info and error messages back through the connection, so we can show progress and errors in Battlelog, and also know when the game has closed down.
It is thanks to the plugin you installed at battlelog. Websites are not allowed to execute programs on your local machine due to the HUGE security risk that would present. Plugins have to be used if you want to accomplish virtually anything outside the context of the browser, which is why you have to explicitly give them permission to install when they try to run.
I think that there are two options. First, the link points to a file which has an extension understandable only to that program, like when you click a .pdf link a pdf viewer will open. My second guess is that the link may use another protocol associated to the program in question, does the link start really with http://?
Im almost 100% sure it uses the plugin you have to install to manage the launch process as it also controls whether the game is minimised or not.
This is an odd freeze. When I switch from source view to design view for an HTML or ASPX file, the client area freezes, but I can still click on other tabs and menus.
What am I missing here? Really don't feel like reinstalling VS2008.
I had the same problem, and found one resolution.
In VS 2008, In a page that was using a master page, the either frequency while working in source view or switching to design view, IDE would freeze for 10-20 seconds.
In my master template, I had references to the Google hosted JQuery, Jquery UI, and one or two more scripts off site. These were placed directly in my master page's head section.
I downloaded the js and then by deleting any offsite references, my IDE would be smooth again in both design and source mode.
I also discovered I could put the scripts inside my ToolkitScriptManager (I'm using AjaxControlToolkit) and added the Mode="Release", and could place the http://www.google.com references for the scripts. The IDE is still working fine for me.
This is often due to the Design mode downloading external resources that are timing out. As #JonK mentioned, for him it was jQuery references. I have seen this when the ConnectionString was set to production databases that could not be accessed on my development machine, even though I wasn't debugging (running) the site only editing code, it would still try to connect and because it couldn't it would stall waiting for the timeout.
VS2008 is mostly single-threaded for UI operations like this, so if it is downloading a slow or non-existent network path it hangs like this.
VS2008 can make all kinds of network requests, so these two examples may not solve it for you. The best way I have found to diagnose the problem is to use the Microsoft tool Process Monitor, filter by the Process webdev.exe, and watch for I/O requests that are long running and/or throwing errors. In my case, I could find the place that was having a problem because there would be a 20 second gap in between the hundreds of I/O entries in Process Monitor. Then, just back-tracked from when that gap began and I eventually found the request that was causing the problem.
This may not be possible for you, but if you can, an upgrade to VS2010 would help; it does a much better job of running process on multiple threads in more places so you don't have to worry about this as much.
Have you tried restarting your computer and then reopening your project?