Martin Fischer

Results 35 comments of Martin Fischer

So, being busy reverse engineering PDH, I have figured out how to hide GPU usage and released version 1.5.1 with that feature. I have implemented the hook in `pdh.dll`, not...

I can't find out anything useful about that "`PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON`", except that it's used in `UpdateProcThreadAttribute` prior to a call to `CreateProcess`. Since I never had any problems injecting processes, I...

Does this "Bad Image" error occur when you inject using a normal injector, or does it also happen when using the reflective loader (Test Console / full installation)? By...

You can run the installer, or better yet, the shellcode installer by looking at [this](https://github.com/bytecode77/r77-rootkit/blob/master/%24Examples/InstallShellCode.cpp) and [this](https://github.com/bytecode77/r77-rootkit/blob/master/%24Examples/InstallShellCode.cs) example. The shellcode installer is described in the documentation (link on the main...

There's a ton of tools. After a quick [search](https://www.google.com/search?q=convert+file+into+byte+array+c%2B%2B), I have found [this](https://mischianti.org/online-converter-file-to-cpp-gzip-byte-array-3/) one. Didn't try it, but it should be a simple task to include a file this way.

A user has lots of traces all over the system, such as its files, an entire registry hive, etc. etc... What's your intention? Why do you consider `net.exe` to be...

Thanks for doing some research upfront. I've checked what this function is doing. It eventually calls `NdrClientCall3`, which is an RPC. Call stack: `netapi32.dll!NetUserEnum` calls `samcli.dll!NetUserEnum`, which calls `samlib.dll!SamEnumerateUsersInDomain`. This...

Have you tried hooking `NdrClientCall3`? I didn't try, but I think it's always called, regardless of which app. You always want to hook the lowest level, not the higher level...

I've disassembled `rpcrt4.dll` and found the function definition:

```
CLIENT_CALL_RETURN NdrClientCall3(MIDL_STUBLESS_PROXY_INFO *pProxyInfo, unsigned int nProcNum, void *pReturnValue, ...)
```

So first, `nProcNum` is an `int`, which is 4 bytes in a...

IDA is a nice thing to learn, if you regularly work with hooks, exploits, etc... You can hook a function that isn't exported, as long as you know the function...