Some of you probably know that there is no easy way to read, write or enumerate memory regions of native x64 processes from x86 process that is running under WOW64 layer. Probably the only way it can be done is to use hack that I’ve described few months ago (Mixing x86 with x64 code). In that case there will be need to get address of x64 version of NtReadVirtualMemory / NtWriteVirtualMemory / NtQueryVirtualMemory and call it through X64Call(). Including all those hacky lines of code into even very small project doesn’t sound good even for me :) So I’ve decided to wrap it into glossy, shiny library called WOW64Ext.dll. Continue reading →
Recently I was writing small piece of code that uses both versions of PEB structure (x86 and x64). Being tired of having two separate definitions I decided to look into the Windows Research Kernel (WRK) sources and check how Microsoft is handling this structure. Original definition is in “pebteb.h” file and it is pretty smart, everything is defined through a series of macros and then included in a very “specific” way: Continue reading →
According to ForensicWiki (http://www.forensicswiki.org/wiki/SuperFetch):
SuperFetch is a performance enhancement introduced in Microsoft Windows Vista to reduce the time necessary to launch applications (…)
Data for SuperFetch is gathered by the %SystemRoot%\System32\Sysmain.dll, part of the Service Host process, %SystemRoot%\System32\Svchost.exe, and stored in a series of files in the %SystemRoot%\Prefetch directory. These files appear to start with the prefix Ag and have a .db extension. The format of these files is not known…
When I read above statement I just couldn’t resist and I’ve decided to take up a challenge. Below you can read what I’ve found, as a bonus I’ve also prepared simple dumper for SuperFetch .db files (attached at the end of this post).
Continue reading →
Probably some of you may remember that over 6 years ago I’ve created MD5 implementation for MASM (there was also separate file for FASM adapted by Reverend). Few days ago I’ve received e-mail from Hannes Beinert, he found my old code and he adapted it for GNU Assembler. Moreover he also wrote comments for almost every line of algorithm, so it can be now used for some educational purposes. I’ve decided to put it all together online on code.google.com, so everyone can benefit from it:
You can also download it as a separate zip archive:
Few months ago I was doing some small research about possibility of running native x64 code in 32-bits processes under the WoW64 layer. I was also checking it the other way round: run native x86 code inside 64-bits processes. Both things are possible and as far as I googled some people used it already:
Unfortunately I wasn’t aware of any of above results when I was doing my research, so I’ll just present my independent insights ;)
Post moved from OpenRCE, original date: Thursday, August 9 2007
I’m proud to present source code of my last project: x86 Virtualizer. It is licensed under GNU General Public License (like DLLPackager).
Post moved from OpenRCE, original date: Sunday, June 17 2007
Finally source code is available for anyone interested. It is licensed under GNU General Public License (see gpl.txt).
Continue reading →