Notorious b.s.d.
Jan 25, 2003

by Reene

Forums Terrorist posted:

winders 2000 had a cooler name thus it is the better choice

and a better logo


Jabor
Jul 16, 2010

#1 Loser at SpaceChem
im the New Technology Technology

Sapozhnik
Jan 2, 2005

Nap Ghost
even windows 7 looks presentable when you set it to use the Classic theme

locked in a VM ghetto

where it loving belongs

Daman
Oct 28, 2011
so I've had a curious windows internals issue recently.

I have some target software whose very obfuscated usermode component loads a packed driver that proceeds to unpack itself, destroy its PE header, etc. It does something to detect windbg being attached and proceeds to destroy various kernel stuff before causing an irql_not_less_or_equal bugcheck.

So ideally I would set windbg to breakpoint on module load so I could patch out whatever's detecting windbg before any of the module's code executes. I have no idea how windbg detects the load module event, but it never triggers for the loading of this driver. The bugcheck occurs, analysis shows no clues.

Probably have these options:
- tick all the boxes in rohitab API monitor and dig through a huge log to figure out what they're doing in userland to load the kernel module
- find the specific kernel function that creates the initial kernel thread or whatever for modules and breakpoint there, then set breakpoints on the module's entry points as it'll be known then

both options sorta suck, lotta stuff to look through just to get debugging working.

Last Chance
Dec 31, 2004

Notorious b.s.d. posted:

windows has had text anti-aliasing since at least windows 3.0, probably earlier

i meant subpixel rendering or whatever. i just know that i tried win 2000 on an old laptop and it looked like dogshit

Soricidus
Oct 21, 2010
freedom-hating statist shill

Notorious b.s.d. posted:

windows has had text anti-aliasing since at least windows 3.0, probably earlier

lol nope, the first windows that could antialias text was 95, and even then only if you bought the ultimate edition plus! pack

Alereon
Feb 6, 2004

Dehumanize yourself and face to Trumpshed
College Slice

Soricidus posted:

lol nope, the first windows that could antialias text was 95, and even then only if you bought the ultimate edition plus! pack
the font smoother was actually a free download from microsoft as well, like most components of the plus! pack. though the microsoft website was so bad back then even for finding critical updates (winnuke patch lol) that "free download" meant a lot of time on a dialup modem.

The_Franz
Aug 8, 2003

Soricidus posted:

lol nope, the first windows that could antialias text was 95, and even then only if you bought the ultimate edition plus! pack

not that it really mattered since blurry 15" CRT monitors did that for you.

Silver Alicorn
Mar 30, 2008

𝓪 𝓻𝓮𝓭 𝓹𝓪𝓷𝓭𝓪 𝓲𝓼 𝓪 𝓬𝓾𝓻𝓲𝓸𝓾𝓼 𝓼𝓸𝓻𝓽 𝓸𝓯 𝓬𝓻𝓮𝓪𝓽𝓾𝓻𝓮
15 inches?? luxury

omeg
Sep 3, 2012

Daman posted:

so I've had a curious windows internals issue recently.

I have some target software whose very obfuscated usermode component loads a packed driver that proceeds to unpack itself, destroy its PE header, etc. It does something to detect windbg being attached and proceeds to destroy various kernel stuff before causing an irql_not_less_or_equal bugcheck.

So ideally I would set windbg to breakpoint on module load so I could patch out whatever's detecting windbg before any of the module's code executes. I have no idea how windbg detects the load module event, but it never triggers for the loading of this driver. The bugcheck occurs, analysis shows no clues.

Probably have these options:
- tick all the boxes in rohitab API monitor and dig through a huge log to figure out what they're doing in userland to load the kernel module
- find the specific kernel function that creates the initial kernel thread or whatever for modules and breakpoint there, then set breakpoints on the module's entry points as it'll be known then

both options sorta suck, lotta stuff to look through just to get debugging working.

try breaking on nt!NtLoadDriver


Daman
Oct 28, 2011

omeg posted:

try breaking on nt!NtLoadDriver

this worked! specifically within this on win7 x64 is nt!IopLoadDriver+0xa04 which calls the entry point for new drivers.

interestingly enough, this driver isn't listed in the module list at that point. its unpacking routine handles adding it to that.
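The kernel-debugger sequence the exchange above describes, written out as an added example (not posted in the thread). It assumes a kd/WinDbg session attached to the same Win7 x64 build; the nt!IopLoadDriver+0xa04 offset is the one Daman reported and is specific to that build, so the example checks it before using it.

```windbg
$$ Added example, not from the thread. Assumes a kernel-debug (kd/WinDbg)
$$ session attached to the Win7 x64 target described in the post.

$$ 1. Log every NtLoadDriver call together with the service path it was given.
$$    NtLoadDriver(PUNICODE_STRING DriverServiceName): rcx holds the pointer on x64.
bp nt!NtLoadDriver ".printf \"NtLoadDriver: \"; dS @rcx; g"

$$ 2. The post reports that on its Win7 x64 build nt!IopLoadDriver+0xa04 is the
$$    call into the new driver's DriverEntry. The offset is build-specific, so
$$    confirm it really is a call instruction before relying on it.
u nt!IopLoadDriver+0xa04 L1

$$ 3. Stop on that call, i.e. before the driver's first instruction runs.
$$    DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING RegistryPath):
$$    rcx = DRIVER_OBJECT, rdx = registry path. DriverStart/DriverSize give the
$$    image range even while lm does not list the module yet.
bp nt!IopLoadDriver+0xa04 "dS @rdx; dt nt!_DRIVER_OBJECT DriverStart DriverSize @rcx"

g
$$ When the second breakpoint hits, 't' steps into DriverEntry; 'u @rip' from
$$ there shows the unpacking stub before any of it has executed.
```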
