Posts published in “Debugging”

Why you should not always trust MSDN: Finding Real Access Rights Needed By Handles

Sina Karvandi 0

Introduction Hi guys, the title of this topic is somewhat strange. If you think everything in MSDN matches 100% with what Microsoft actually implemented in Windows (as I used to think), you are definitely wrong. This post shows some proofs, and in the last part I’ll give you a solution to the ACCESS_RIGHTS problem. Before starting, let’s cover some background on “ACCESS_MASK”. Most of the explanations are derived from here. Backgrounds The ACCESS_MASK data type is a DWORD value that defines standard, specific, and generic…

Using Intel’s Streaming SIMD Extensions 3 (MONITOR\MWAIT) As A Kernel Debugging Trick

Sina Karvandi 0

Introduction MONITOR and MWAIT are used when the CPU needs to stop executing instructions and enter an implementation-dependent optimized state until some special event happens. MONITOR sets up an address range used to monitor write-back stores, while MWAIT enables a logical processor to enter an optimized state while waiting for a write-back store to the address range set up by the MONITOR instruction. MWAIT and MONITOR may be executed only at privilege level 0; if you use these…

Inside Windows Page Frame Number (PFN) – Part 2

Sina Karvandi 0

Hey there, in the previous part I explained the Page Frame Number and its importance in OS architecture. In this part, I’ll trace the PFN more practically. I strongly recommend reading the first part to make sure you didn’t miss anything about the basic concepts. As I described in the previous part, the PFN database is located at nt!MmPFNDatabase. In previous versions of Windows (<Windows 10) it was statically located at 0xFFFFFA8000000000, but in Windows 10 it’s subject to ASLR.…

Inside Windows Page Frame Number (PFN) – Part 1

Sina Karvandi 0

Introduction (Page Frame Number) Windows and almost all other OSs use a Page Frame Number database to keep track of virtually allocated pages, so they know which page must be freed or evicted, whether a page needs to be cached, and so on. All of this is managed through a list called the Page Frame Number (PFN) database: a long list describing the state of every physically and virtually allocated page and its corresponding attributes. In the rest…

Defeating malware’s Anti-VM techniques (CPUID-Based Instructions)

Sina Karvandi 1

[The picture of this post is taken by one of my best friends, Ahmad Ghazi, at Chitgar Lake!] Introduction You should by now be aware of what this is about, because the topic’s title clearly describes the contents of this post. As you know, almost all modern malware uses some packers or protectors, and using such tools causes the malware to be weaponized with Anti-VM techniques, which makes it impossible for reverse engineers and analysts to detect what’s happening inside the…