Quote:
Btw, I've finished adding the anti-DRx & anti-int3 to my sys.
Probably in the next day I'll be able to run it with sice, so I'll start to
debug it.
Do you already know what the sys does? I already traced the first ioctl
message sent to the device (ioctl code = 1800h).
It gets some procedure addresses from ntoskrnl:
-PsGetCurrentProcessId
-IoGetCurrentProcess
-Ke386IoSetAccessProcess
-ObReferenceObjectByHandle
-PsProcessType
-Ke386SetIoAccessMap
It saves vectors 1 and 3 of the IDT. It changes the access flags of
some blocks of memory allocated at runtime, and of the IDT page, from
supervisor to user mode.
The ioctl 1800h returns some data in the 50h-character buffer,
including the locations of those allocated memory blocks.
Besides other to-study-or-not facts...
There are other ioctls parsed, with ids 1801, 1802, 1A00.
Making some memory shared between the device and the exe
is an open door to lots of things, I guess...
gotta do more tracing
later
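A way to check for the kind of IDT tampering the post describes, as an added example that is not part of the thread and not the driver's own code: it decodes 32-bit x86 IDT gate descriptors, diffs a saved copy of vectors 1 and 3 against the live entries (handler address, DPL, gate type), and reads the user/supervisor bit of a non-PAE page table entry such as the one mapping the IDT page. All handler addresses, attribute bytes and PTE values below are constructed sample data, not real kernel values.

```c
#include <stdint.h>
#include <stdio.h>

/* Type/attribute byte of a 32-bit x86 IDT gate:
 * P (bit 7), DPL (bits 6:5), S (bit 4, 0 for gates), type (bits 3:0,
 * 0xE = 32-bit interrupt gate, 0xF = 32-bit trap gate). */
typedef struct {
    uint32_t handler;   /* offset_high:offset_low, the ISR address */
    uint16_t selector;  /* code segment selector */
    int present;
    int dpl;            /* 0 = only ring 0 may INT n into it, 3 = user mode may */
    int type;
} gate_info_t;

/* Encode a gate into its 8-byte in-memory form (little-endian). */
void encode_gate(uint8_t out[8], uint32_t handler, uint16_t sel, uint8_t attr)
{
    out[0] = handler & 0xFF;         out[1] = (handler >> 8) & 0xFF;
    out[2] = sel & 0xFF;             out[3] = (sel >> 8) & 0xFF;
    out[4] = 0;                      out[5] = attr;
    out[6] = (handler >> 16) & 0xFF; out[7] = (handler >> 24) & 0xFF;
}

/* Decode one 8-byte gate entry as read from the IDT. */
gate_info_t decode_gate(const uint8_t raw[8])
{
    gate_info_t g;
    g.handler  = (uint32_t)raw[0] | ((uint32_t)raw[1] << 8)
               | ((uint32_t)raw[6] << 16) | ((uint32_t)raw[7] << 24);
    g.selector = (uint16_t)(raw[2] | (raw[3] << 8));
    g.present  = (raw[5] >> 7) & 1;
    g.dpl      = (raw[5] >> 5) & 3;
    g.type     = raw[5] & 0xF;
    return g;
}

#define CHG_HANDLER 1
#define CHG_DPL     2
#define CHG_TYPE    4

/* Compare a saved copy of a gate against the live one and return a bitmask
 * of what differs. A handler change means the vector was hooked; a DPL
 * change to 3 means user mode may now raise it with INT n. */
int gate_changed(const uint8_t saved[8], const uint8_t live[8])
{
    gate_info_t a = decode_gate(saved), b = decode_gate(live);
    int mask = 0;
    if (a.handler != b.handler) mask |= CHG_HANDLER;
    if (a.dpl != b.dpl)         mask |= CHG_DPL;
    if (a.type != b.type)       mask |= CHG_TYPE;
    return mask;
}

/* 32-bit non-PAE page table entry: bit 0 = present, bit 1 = writable,
 * bit 2 = user/supervisor (1 = user mode may access the page). */
int pte_user_accessible(uint32_t pte)
{
    return (pte >> 2) & 1;
}

int main(void)
{
    uint8_t saved1[8], live1[8], saved3[8], live3[8];
    /* constructed sample values, not real kernel addresses */
    encode_gate(saved1, 0x8053A1C0u, 0x08, 0x8E);  /* present, DPL 0, interrupt gate */
    encode_gate(live1,  0xF9A21000u, 0x08, 0xEE);  /* handler replaced, DPL now 3 */
    encode_gate(saved3, 0x8053A400u, 0x08, 0xEE);  /* INT 3 gate, DPL 3 */
    encode_gate(live3,  0x8053A400u, 0x08, 0xEE);  /* untouched */

    int vec[2] = {1, 3};
    const uint8_t *s[2] = {saved1, saved3}, *l[2] = {live1, live3};
    for (int i = 0; i < 2; i++) {
        int m = gate_changed(s[i], l[i]);
        gate_info_t g = decode_gate(l[i]);
        printf("vector %d: handler=%08X dpl=%d type=%X -> %s%s%s\n", vec[i],
               g.handler, g.dpl, g.type,
               (m & CHG_HANDLER) ? "[handler changed] " : "",
               (m & CHG_DPL) ? "[DPL changed] " : "",
               m ? "" : "unchanged");
    }
    /* constructed PTE values: 0x...067 has U/S set, 0x...063 does not */
    printf("PTE 0x00123067 user-accessible: %d\n", pte_user_accessible(0x00123067u));
    printf("PTE 0x00123063 user-accessible: %d\n", pte_user_accessible(0x00123063u));
    return 0;
}
```

The saved copies play the role of a baseline taken before the driver loads; in a real check they would come from reading the IDT base (SIDT) at boot, and the PTE would be walked from CR3 for the IDT's linear address.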