Tuesday, November 15, 2016

W32pServiceTableFilter from Windows 10 build 14951 x64

kd> ? nt!KeServiceDescriptorTableFilter
Evaluate expression: -8795428636992 = fffff800`2799b6c0

kd> dps fffff800`2799b6c0
fffff800`2799b6c0  fffff800`278f4450 nt!KiServiceTable
fffff800`2799b6c8  00000000`00000000
fffff800`2799b6d0  00000000`000001c4
fffff800`2799b6d8  fffff800`278f4b64 nt!KiArgumentTable
fffff800`2799b6e0  ffffa344`ba544bc0 win32k!W32pServiceTableFilter
fffff800`2799b6e8  00000000`00000000
fffff800`2799b6f0  00000000`0000049c
fffff800`2799b6f8  ffffa344`ba5462d4 win32k!W32pArgumentTableFilter

Each table is one KSERVICE_TABLE_DESCRIPTOR, four qwords on x64: ServiceTableBase, ServiceCounterTableBase (zero on retail builds), NumberOfServices and ParamTableBase. Descriptor 0 of the filter pair is the usual nt!KiServiceTable with 0x1c4 (452) services, but descriptor 1, the win32k half, points at win32k!W32pServiceTableFilter with 0x49c (1180) services and its own argument table, where KeServiceDescriptorTableShadow has W32pServiceTable and W32pArgumentTable.
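The two descriptors above are plain data, so as an added example (not code from the post) here is a small C program that parses that dps output into the x64 KSERVICE_TABLE_DESCRIPTOR layout, splits a system call number the way KiSystemCall64 does (bit 12 selects the second descriptor, bits 0-11 are the index, checked against NumberOfServices) and decodes an x64 service table entry (routine = ServiceTableBase + (entry >> 4), low nibble = number of qword arguments on the stack). The entry value 0x4a2c3 fed to the decoder is constructed for illustration, not read from a real KiServiceTable.

```c
#include <stdint.h>
#include <stdio.h>

/* nt!_KSERVICE_TABLE_DESCRIPTOR as laid out on x64: four 8-byte fields,
 * i.e. exactly the four qwords that dps prints per table. */
typedef struct {
    uint64_t ServiceTableBase;        /* KiServiceTable / W32pServiceTableFilter */
    uint64_t ServiceCounterTableBase; /* zero on retail builds */
    uint64_t NumberOfServices;
    uint64_t ParamTableBase;          /* KiArgumentTable / W32pArgumentTableFilter */
} KSERVICE_TABLE_DESCRIPTOR;

/* The dps output from the post, kept as text so the parser is exercised on
 * what kd really prints. */
static const char *const kd_dump[] = {
    "fffff800`2799b6c0  fffff800`278f4450 nt!KiServiceTable",
    "fffff800`2799b6c8  00000000`00000000",
    "fffff800`2799b6d0  00000000`000001c4",
    "fffff800`2799b6d8  fffff800`278f4b64 nt!KiArgumentTable",
    "fffff800`2799b6e0  ffffa344`ba544bc0 win32k!W32pServiceTableFilter",
    "fffff800`2799b6e8  00000000`00000000",
    "fffff800`2799b6f0  00000000`0000049c",
    "fffff800`2799b6f8  ffffa344`ba5462d4 win32k!W32pArgumentTableFilter",
};
#define KD_DUMP_LINES (sizeof kd_dump / sizeof kd_dump[0])

/* Parse one "hhhhhhhh`llllllll  hhhhhhhh`llllllll [symbol]" line. */
int parse_dps_line(const char *line, uint64_t *addr, uint64_t *value)
{
    unsigned long long ah, al, vh, vl;
    if (sscanf(line, "%8llx`%8llx %8llx`%8llx", &ah, &al, &vh, &vl) != 4)
        return 0;
    *addr  = (ah << 32) | al;
    *value = (vh << 32) | vl;
    return 1;
}

/* Read consecutive qwords into descriptors; stops at the first line that is
 * not a dps line or does not follow the previous one by 8 bytes.
 * Returns the number of complete descriptors filled in. */
size_t parse_descriptors(const char *const lines[], size_t nlines,
                         KSERVICE_TABLE_DESCRIPTOR *out, size_t max)
{
    uint64_t q[4], addr, prev = 0;
    size_t n = 0, k = 0, i;
    for (i = 0; i < nlines && n < max; i++) {
        if (!parse_dps_line(lines[i], &addr, &q[k]))
            break;
        if ((n || k) && addr != prev + 8)   /* dump must be contiguous */
            break;
        prev = addr;
        if (++k == 4) {
            out[n].ServiceTableBase        = q[0];
            out[n].ServiceCounterTableBase = q[1];
            out[n].NumberOfServices        = q[2];
            out[n].ParamTableBase          = q[3];
            n++;
            k = 0;
        }
    }
    return n;
}

/* KiSystemCall64 splits the number in eax: bits 0-11 index the table,
 * bit 12 selects descriptor 0 (nt) or 1 (win32k). */
void split_syscall_number(uint32_t num, unsigned *table, unsigned *index)
{
    *table = (num >> 12) & 1;
    *index = num & 0xFFF;
}

/* Address of the 4-byte service table slot for `num`, 0 if the index is
 * beyond NumberOfServices of the selected descriptor. */
uint64_t locate_service_entry(const KSERVICE_TABLE_DESCRIPTOR tables[2], uint32_t num)
{
    unsigned t, i;
    split_syscall_number(num, &t, &i);
    if (i >= tables[t].NumberOfServices)
        return 0;
    return tables[t].ServiceTableBase + 4ULL * i;
}

/* x64 service table entries are signed 32-bit values: entry >> 4 is the byte
 * offset of the routine from ServiceTableBase, entry & 0xF the number of
 * qword arguments passed on the stack (after the four register arguments). */
uint64_t decode_x64_entry(uint64_t table_base, int32_t entry, unsigned *stack_args)
{
    int64_t offset = ((int64_t)entry - (entry & 0xF)) / 16; /* portable arithmetic >> 4 */
    if (stack_args)
        *stack_args = (unsigned)(entry & 0xF);
    return table_base + (uint64_t)offset;
}

int main(void)
{
    KSERVICE_TABLE_DESCRIPTOR t[2];
    size_t n = parse_descriptors(kd_dump, KD_DUMP_LINES, t, 2), i;
    unsigned args;
    for (i = 0; i < n; i++)
        printf("table %zu: %016llx, %llu services, arg table %016llx\n", i,
               (unsigned long long)t[i].ServiceTableBase,
               (unsigned long long)t[i].NumberOfServices,
               (unsigned long long)t[i].ParamTableBase);
    if (n == 2)
        printf("syscall 0x1004 -> slot %016llx\n",
               (unsigned long long)locate_service_entry(t, 0x1004));
    /* 0x4a2c3 is a made-up entry value, not read from a real table. */
    printf("entry 0x4a2c3 -> %016llx, %u stack args\n",
           (unsigned long long)decode_x64_entry(t[0].ServiceTableBase, 0x4a2c3, &args), args);
    return 0;
}
```

The contiguity check matters when pasting a longer dps listing: a gap in the addresses means the qwords no longer line up with the descriptor fields, and the parser stops rather than producing a bogus NumberOfServices.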

Wednesday, November 9, 2016

rfg longjumps

IMAGE_LOAD_CONFIG_DIRECTORY64 has two fields for setjmp/longjmp support: GuardLongJumpTargetTable and GuardLongJumpTargetCount. Let's look at a module where these fields are non-zero, for example hal.dll.
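As an added example (not code from the post), a small C parser that pulls the long jump target table out of a PE32+ image. It reads the two fields at their winnt.h offsets (0xB0 and 0xB8 in IMAGE_LOAD_CONFIG_DIRECTORY64), treats GuardLongJumpTargetTable as a VA that must be rebased with ImageBase, and assumes the table uses the same per-entry stride as the CFG function table (4 bytes plus the IMAGE_GUARD_CF_FUNCTION_TABLE_SIZE_MASK nibble of GuardFlags). It expects the image laid out as mapped, so RVA equals buffer offset; an on-disk hal.dll additionally needs section-table translation. To run offline it builds a constructed header-only image with three targets rather than reading hal.dll.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian accessors over the image buffer. */
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> 8 * i); }

typedef struct { uint32_t rva; uint8_t extra; } LongJumpTarget;

/* Enumerate GuardLongJumpTargetTable of a mapped PE32+ image (RVA == offset).
 * Returns entries copied to `out`, 0 if there is no table or the image is
 * malformed or truncated. */
size_t list_longjmp_targets(const uint8_t *img, size_t size, LongJumpTarget *out, size_t max)
{
    if (size < 0x108 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + 0x3C);                         /* e_lfanew */
    if (pe > size - 0x108 || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    const uint8_t *opt = img + pe + 0x18;                   /* IMAGE_OPTIONAL_HEADER64 */
    if ((opt[0] | opt[1] << 8) != 0x20B) return 0;          /* PE32+ only */
    if (rd32(opt + 0x6C) <= 10) return 0;                   /* NumberOfRvaAndSizes */
    uint32_t cfg_rva = rd32(opt + 0x70 + 10 * 8);           /* IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG */
    if (cfg_rva == 0 || cfg_rva > size - 0xC0) return 0;
    const uint8_t *cfg = img + cfg_rva;
    if (rd32(cfg) < 0xC0) return 0;                         /* Size: longjmp fields not present */
    uint64_t base     = rd64(opt + 0x18);                   /* ImageBase */
    uint32_t flags    = rd32(cfg + 0x90);                   /* GuardFlags */
    size_t   stride   = 4 + ((flags >> 28) & 0xF);          /* CF_FUNCTION_TABLE_SIZE_MASK */
    uint64_t table_va = rd64(cfg + 0xB0);                   /* GuardLongJumpTargetTable */
    uint64_t count    = rd64(cfg + 0xB8);                   /* GuardLongJumpTargetCount */
    if (table_va == 0 || count == 0 || table_va < base) return 0;
    uint64_t table = table_va - base;
    if (table > size || count > (size - table) / stride) return 0;
    size_t n = count > max ? max : (size_t)count;
    for (size_t i = 0; i < n; i++) {
        const uint8_t *e = img + table + i * stride;
        out[i].rva   = rd32(e);
        out[i].extra = stride > 4 ? e[4] : 0;
    }
    return n;
}

/* Constructed sample: a header-only PE32+ image whose load config carries a
 * three-entry long jump table with a 5-byte stride (GuardFlags nibble = 1).
 * Returns the bytes used, 0 if `buf` is too small. */
size_t build_sample_image(uint8_t *buf, size_t size)
{
    const uint64_t base = 0x140000000ULL;
    const uint32_t targets[3] = { 0x1010, 0x1234, 0x2000 };
    if (size < 0x400) return 0;
    memset(buf, 0, 0x400);
    memcpy(buf, "MZ", 2);
    wr32(buf + 0x3C, 0x80);                                 /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    buf[0x84] = 0x64; buf[0x85] = 0x86;                     /* Machine = AMD64 */
    buf[0x94] = 0xF0;                                       /* SizeOfOptionalHeader */
    buf[0x98] = 0x0B; buf[0x99] = 0x02;                     /* Magic = PE32+ */
    wr64(buf + 0x98 + 0x18, base);                          /* ImageBase */
    wr32(buf + 0x98 + 0x6C, 16);                            /* NumberOfRvaAndSizes */
    wr32(buf + 0x98 + 0xC0, 0x200);                         /* load config RVA */
    wr32(buf + 0x98 + 0xC4, 0x100);                         /* load config size */
    wr32(buf + 0x200, 0x100);                               /* IMAGE_LOAD_CONFIG_DIRECTORY64.Size */
    wr32(buf + 0x290, 0x10000500);                          /* GuardFlags, stride nibble 1 */
    wr64(buf + 0x2B0, base + 0x300);                        /* GuardLongJumpTargetTable (VA) */
    wr64(buf + 0x2B8, 3);                                   /* GuardLongJumpTargetCount */
    for (int i = 0; i < 3; i++) {
        wr32(buf + 0x300 + 5 * i, targets[i]);
        buf[0x300 + 5 * i + 4] = (uint8_t)(i == 1);         /* made-up extra byte */
    }
    return 0x400;
}

int main(void)
{
    uint8_t img[0x400];
    LongJumpTarget t[8];
    size_t n = build_sample_image(img, sizeof img);
    n = list_longjmp_targets(img, n, t, 8);
    printf("%zu long jump targets\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  rva %08x extra %02x\n", t[i].rva, t[i].extra);
    return 0;
}
```

Checking the load config Size field before touching offsets 0xB0/0xB8 is the important part when running this over older modules: an image linked before these fields existed declares a smaller structure, and whatever bytes follow it are not a table.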