swwwolf / wdbgark Goto Github PK
View Code? Open in Web Editor NEWWinDBG Anti-RootKit Extension
Home Page: https://sww-it.ru
License: Other
wdbgark's People
Contributors
Stargazers
Watchers
Forkers
pyq881120 d4nnyk johnjohnsp1 x9090 chubbymaggie tempbottle idkwim somma redcodes jxzhxch codercold killvxk ohio813 sw1ftsure nsxz modulexcite yuang1516 chandada tdr130 bushalo kumaraguruv roadwy supertanglang blaquee lslx 453483289 zhuhuibeishadiao jackbro pai-po 75f2cc dbgche helloppap ntoskrnlwin xodidox ralex1975 louwangzhiyuy fltsec cydiakk genihoust artorios heruix securityresearchstaff hobbit19 icemongus yehgdotnet cacker sckelemen songbei6 nevinhappy ip-gpu deelmind altune whb224117 jmsfire shuixi2013 de8gman1990 woozoo86 hauzlin anhkggfork mshafiqsb kumaran-git samshine explife0011 johndoe44526949 asuralove yuaom lukw00heck qrealka crackercat mmilmf 0x4e38 shangadi wanttobeno techlord-rce mr-wrmsr chuangshizhiqiang cupertinodude bb33bb wgwjifeng fcccode haidragon hymeca repsu kernullist pumpkinbro sylingyy zengkefu hadesangel waterman178 ysheldon yang-zhiyuan chinatiny fengjixuchui 951193102 y11en blasterxiao zcg19 zys0807 mblackbourne reinhardvzwdbgark's Issues
!wa_objtypecb fails
kd> !wa_objtypecb
[+] Displaying callbacks registered with ObRegisterCallbacks with type *
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Address| Name| Symbol| Module|Suspicious|
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|0xfffffa80018d6d60| Process| | | |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
ERROR: !wa_objtypecb: extension exception 0x80004005.
"Unable to get type ID of 'dummypdb_1888!_OBJECT_CALLBACK_ENTRY_COMMON'"
kd> vertarget
Windows 7 Kernel Version 7601 (Service Pack 1) MP (1 procs) Free x64
Running WinDbg:10.0.14321.1024 AMD64 on Windows 7 x64.
build error
1>------ Build started: Project: dummypdb, Configuration: Release x64 ------
1> Building 'dummypdb' with toolset 'WindowsKernelModeDriver10.0' and the 'Desktop' target platform.
1> Generating code
1> Finished generating code
1> dummypdb.vcxproj -> C:\Users\Administrator\Documents\GitHub\wdbgark\dummypdb_build\x64\Release\dummypdb_x64.sys
1> dummypdb.vcxproj -> C:\Users\Administrator\Documents\GitHub\wdbgark\dummypdb_build\x64\Release\dummypdb_x64.pdb (Full PDB)
1>SIGNTASK : SignTool error : No certificates were found that met all the given criteria.
2>------ Build started: Project: wdbgark, Configuration: Debug x64 ------
2>C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\V140\Platforms\x64\PlatformToolsets\v140\Toolset.targets(36,5): error MSB8036: The Windows SDK version 10.0.15063.0 was not found. Install the required version of Windows SDK or change the SDK version in the project property pages or by right-clicking the solution and selecting "Retarget solution".
========== Build: 0 succeeded, 2 failed, 0 up-to-date, 0 skipped ==========
How to solve it?:)
ide : vs2015 up3
Fix IDT/GDT
Fix IDT/GDT displaying.
Fix SDT/SSDT names
Fix KiServiceTables and W32pServiceTables. Check for SubXXX, etc...
Unhook SDT/SSDT
Add possibility to unhook routines in system tables.
Add educational comments
Describe various Windows internal structures, lists and so on. It should be clear and clean.
Write good Wiki
Add real world malware examples. Various scenarios and so on.
g_CiEnabled & g_CiOptions & g_CiCallbacks
Add a separate command for the g_CiEnabled & g_CiOptions & g_CiCallbacks.
Remove callbacks
Add possibility to remove callbacks in a system lists.
FsRtlRegisterFileSystemFilterCallbacks and more
Add various callbacks.
First of all is FsRtlRegisterFileSystemFilterCallbacks.
kd> dt nt!_DRIVER_EXTENSION 0x8a7eca00
+0x000 DriverObject : 0x8a7ec958 _DRIVER_OBJECT
...
+0x018 FsFilterCallbacks : (null)
+0x01c KseCallbacks : (null)
+0x020 DvCallbacks : (null)
Add more callbacks #1
KdRegisterPowerHandler (+)
HalDispatchTable (+)
HalPrivateDispatchTable (+)
DbgkLkmdRegisterCallback (WINDOWS 7+) (+)
IoRegisterIoTracking (IopPerfIoTrackingListHead) (+)
EmpCallbackListHead(+)
CrashdmpCallTable (+)
ObRegisterCallbacks (+)
Research ExRegisterExtension
Reasearch ExRegisterExtension. It's a list ExpHostList.
{
0x0 _LIST_ENTRY ListEntry;
...
0x1c PVOID SomeRoutine;
...
0x2C PVOID TableOfRoutines;
}
kd> dd ExpHostList
819f7ee8 8340abe0 84f978f0 935c3608 8de3b040
819f7ef8 00000000 00000000 00000007 00000000
819f7f08 00000000 00000000 00000000 00000000
819f7f18 00000000 00000000 00000001 00000000
819f7f28 00000000 00040001 00000000 819f7f34
819f7f38 819f7f34 00000000 00000001 00000000
819f7f48 00000000 00000000 00000000 00000000
819f7f58 00000000 00000000 00000113 81a1d300
kd> dd 8340abe0+1c
8340abfc 81b3a105 00000000 00000000 00000000
8340ac0c 82ff7070 0a04020e 6e54624f 06030208
8340ac1c 6944624f 8340ac60 84f81ec0 1f8c7605
8340ac2c 00001000 06050203 6d4e624f 00700054
8340ac3c 006f0057 006b0072 00720065 00610046
8340ac4c 00740063 0072006f 00000079 06030205
8340ac5c 6944624f 83407f18 84f6ef70 5cf4b14f
8340ac6c 000f0000 06060203 6d4e624f 006f0043
kd> ln 81b3a105
(81b3a105) nt!ExpPcwHostCallback | (81b3b2c7) nt!PcwRegister
Exact matches:
nt!ExpPcwHostCallback ()
kd> dd 8340abe0+2c
8340ac0c 82ff7070 0a04020e 6e54624f 06030208
8340ac1c 6944624f 8340ac60 84f81ec0 1f8c7605
8340ac2c 00001000 06050203 6d4e624f 00700054
8340ac3c 006f0057 006b0072 00720065 00610046
8340ac4c 00740063 0072006f 00000079 06030205
8340ac5c 6944624f 83407f18 84f6ef70 5cf4b14f
8340ac6c 000f0000 06060203 6d4e624f 006f0043
8340ac7c 0070006d 0073006f 00740069 006f0069
kd> dps 82ff7070
82ff7070 82ff4678 pcw!PcwRegister
82ff7074 82ff46e0 pcw!PcwUnregister
82ff7078 82ff46f8 pcw!PcwCreateInstance
82ff707c 82ff475c pcw!PcwCloseInstance
82ff7080 82ff4772 pcw!PcwAddInstance
...
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.