
Posts published in “Debugging”

Using Intel’s Streaming SIMD Extensions 3 (MONITOR\MWAIT) As A Kernel Debugging Trick

Sinaei 0

Introduction: MONITOR and MWAIT are used when the CPU needs to stop executing instructions and enter an implementation-dependent optimized state until some special event happens. MONITOR sets up an address range used to monitor write-back stores, while MWAIT enables a logical processor to enter an optimized state while waiting for a write-back store to the address range set up by the MONITOR instruction. MWAIT and MONITOR may be executed only at privilege level 0; if you use these…

Inside Windows Page Frame Number (PFN) – Part 2

Sinaei 0

Hey there, In the previous part, I’d explained Page Frame Number and its importance in OS architecture. In this part, I’ll trace PFN more practically. I strongly recommend reading the first part to make sure you didn’t miss anything about the basic concepts. As I described in the previous part, the PFN database is located at nt!MmPFNDatabase; in previous versions of Windows (<Windows 10) it was statically located at 0xFFFFFA8000000000, but in Windows 10 it’s subject to ASLR.…

Inside Windows Page Frame Number (PFN) – Part 1

Sinaei 0

Introduction (Page Frame Number): Windows and almost all OSs use a Page Frame Number database in order to keep track of virtually allocated pages, to know which page must be freed or evicted, whether a page needs to be cached, and so on. All of these things are managed through a list called the Page Frame Number (PFN) database: a long list describing the state of every physically and virtually allocated page and its corresponding attributes. In the rest…

Defeating malware’s Anti-VM techniques (CPUID-Based Instructions)

Sinaei 0

[The picture of this post is taken by one of my best friends, Ahmad Ghazi, at Chitgar Lake!] Introduction: You should by now be aware of everything, because the topic’s title clearly describes the contents of this post. As you know, almost all modern malware programs use some bunch of packers or protectors, and using such tools causes malware to be weaponized with Anti-VM techniques, which makes it impossible for reverse-engineers and analysts to detect what’s happening inside the…

PyKD Tutorial – part 2

Sinaei 0

The content of this post is the second part of the PyKD tutorial, so make sure to read the first part, then continue reading this one. Breakpoints: Breakpoints are such useful things and can give you the power of analyzing programs in a better and easier way by using PyKD. In the API Reference they introduce the setBp function in the following way: As you can see, setBp can take a pointer as its first argument and a Python function as the second…