I guess this happens to everyone: you need to write a test project to see if some feature works, and you're stuck with poor documentation and Google has no examples for you … Recently I was trying to call WerRegisterRuntimeExceptionModule(…) to register my custom exception filtering module and I got stuck registering the module as [...]
Modifying EIP in WinDbg on the fly in order to test different branches of code
Sometimes during debugging it happens that some function has just failed and you want to retry it. After this function fails you might get a BSOD, for example: ntRetVal = FileOpen(&hFile, szPath); if (!NT_SUCCESS(ntRetVal)) { #ifdef DBG KeBugCheckEx(0x0, 0, 0, 0, id_of_the_problem); #endif } Now, as you can see in the above code, it [...]
How to find the cause of a BSOD without a dump file
Sometimes it happens that a BSOD occurs without any dump file being generated. It can take some time to figure out why no dump file was generated and what to do about it. If this happens on a customer's machine, it is sometimes really problematic due to different policies, restrictions, etc. On the other hand, it is possible to [...]
Why calling WTSEnumerateSessions in an NT service initialization routine is a bad idea
Recently in tests I noticed that my NT service stopped working on a Windows Vista machine. There were no crashes, just an entry in the Event Log saying: “Error 1053: The service did not respond to the start or control request in a timely fashion”. These types of things are slightly more difficult to debug than usual crashes [...]
How to BSOD Trend Micro Internet Security in 10 minutes
(Prequel: How to BSOD Norton Antivirus in 10 minutes) Recently I have noticed that some of the well-known brands like Norton, VMware, Juniper, Trend Micro and some others have stability issues with their drivers. It seems like these brands neglect to pass Driver Verifier tests, thus releasing quite unstable code. It is worth mentioning [...]
WDK 7.x is not compatible with Windows 2000 anymore …
A new version of the Windows Driver Kit was released recently, 7600.16385.0, and probably some of you have noticed that it does not support the Windows 2000 Build Environment. This is bad news for me, as I still need to support Windows 2000 in some of my projects. Before, with WDK 6.x versions, you had a [...]
Norton's quality of driver code
The life of every driver developer is complicated by the fact that the code you write should be stable (read: bug free) and compatible with any other third-party drivers. It is very important for any driver to be bug free, as any error in the kernel leads (directly or indirectly) to a blue screen of death [...]
Phishing on Saturday …
It happens quite often to the average user on the Internet: receiving spam. Sometimes it advertises some junk, but sometimes it asks the user to run some executable which does some magic, for example, it allows sending SMS to any mobile operator for free. As every human being is a little bit naive, [...]
SMB traffic not captured in a TDI filter driver
Recently I ran into a problem in one of my TDI filters when filtering SMB traffic. The filter driver was able to see outgoing TDI_CONNECT requests to ports 139 and 445, but during heavy file upload there were no TDI_SEND requests issued. Usually in such cases you start to googlize for a solution, and I [...]
A case of mysterious BSOD at tcpip!TcpIndicateData+22b
1. The causes
Recently I was observing strange BSODs on my Vista machine quite periodically when dealing with network applications:
2. Investigations
As you can see, the BSOD happens because tcpip.sys is trying to access some wrong address. Luckily, I was able to access the dump file generated during this BSOD. When I try [...]
The mysterious ExUuidCreate function
I was inspired to write this post after being confused by the behaviour of the ExUuidCreate function in Windows Vista. This function is used to generate GUIDs in kernel mode. According to the documentation: “ExUuidCreate returns STATUS_SUCCESS if successful; otherwise, if the system is not ready to generate a new UUID, it returns STATUS_RETRY.” In practice, if you call [...]
A change for SoftIce
As SoftIce is officially dead, you might want to find a substitute for it. There is one product which aims to fully substitute SoftIce – the Syser debugger, which offers a very similar user interface and “live” debugging of the kernel on a host machine: According to the documentation, all command line commands are fully SoftIce compatible (you can check [...]
Bug in MSDN: TDI_EVENT_RECEIVE_DATAGRAM & its handler
If you ever wanted to handle the TDI_EVENT_RECEIVE_DATAGRAM (http://msdn2.microsoft.com/en-us/library/ms801156.aspx) event in TDI, you would notice that its handler declaration is a bit strange (http://msdn2.microsoft.com/en-us/library/ms801622.aspx): NTSTATUS ClientEventReceive( IN PVOID TdiEventContext, IN CONNECTION_CONTEXT ConnectionContext, IN ULONG ReceiveFlags, IN ULONG BytesIndicated, IN ULONG BytesAvailable, OUT ULONG *BytesTaken, IN PVOID Tsdu, OUT PIRP *IoRequestPacket ); Guess what? Its declaration is the [...]
DRIVER_VERIFIER_IOMANAGER_VIOLATION in Windows Server 2003 SP2 with latest updates ON
Recently, I received the following error when trying to test my TDI filter driver on Server 2003 SP2 with latest updates ON: DRIVER_VERIFIER_IOMANAGER_VIOLATION (c9) Arguments: Arg1: 00000208, (Fatal error) This IRP is about to run out of stack locations. Someone may have forwarded this IRP from another stack. (IRP specified.) This violation message appeared when I [...]
The case of the Task Manager that does not kill
Quite a long time ago, my friend Vadym Stetsiak described a bug in Task Manager which makes it possible to prevent (!) the killing of a process if its name is lsass.exe. In order to test this bug, you can rename any executable file to lsass.exe, run it, and then try to kill it from Task Manager. You [...]
Undefeatable files & folders in Windows XP SP2 – a bug in SHFileOperationW
Recently I was surprised by one interesting behavior of my Windows XP box. I was playing with long file names and noticed that most of my shell extensions do not work with files whose path is longer than 260 characters. I also noticed that the Windows Shell does not allow me to create long file [...]
PDBExt plugin (32 bit) v(0.2) for IDA Pro v(5.0 and higher) is released
As I promised, here is the next version of the plugin. This version introduces an extended set of settings. In addition to ‘local’ settings (which are specific per project) there are so-called “global” settings. This feature seems very useful to me, because when I worked on several projects I was constantly forced to specify [...]
PDBExt plugin (32 bit) v(0.1) for IDA Pro v(5.0 and higher) is released
IDA Pro allows you to load symbols for Windows components. However, this feature is not fully suitable for me, because it constantly loads them from the Internet. This looks inefficient, especially if you use IDA on different machines – symbols get downloaded for each of them. I prefer everything that can be controlled, so my idealistic vision [...]
The case of IE7 that would not run
Yesterday I came across an interesting behavior of IE7. On one of my computers, which runs Windows Server 2003 SP1, I was trying to publish a post to my blog (‘The power of IDA’). But I failed to do that. IE7 was crashing when I tried to write something in the editor. Moreover, IE7 does not [...]
The power of IDA
One of the most wonderful instruments I have ever used is IDA – the interactive disassembler. If your job is connected with reversing, then IDA is a “must have” instrument. It really helps save a lot of time when there is a need to understand the logic implemented in 3rd party code. Since you don't have the source [...]