Created November 21, 2014 17:20
(Suspended) Answers to exercises in Practical Reverse Engineering, Chapter 3
Suspended because of another project.
///////////////////////////////////////////////////////////////////////////////
//
// p123
//
I used Windows 8 kernel version 16628.
//////////////////////////////// 1-6
I did only the first function for each exercise since those were extremely
boring repetitions. Note that I could not find
BootApplicationPersistentDataProcess(), so I worked on CmpCallCallBacks() instead.
//////////////////////////////// 7
Did not see any outstanding differences except for the int 29h things, which is
the answer to the next exercise. What am I supposed to find?
//////////////////////////////// 8
The code construct observed as:
mov rcx, 3
int 29h
is the inlined expansion of RtlFailFast(), i.e. __fastfail() with code 3
(FAST_FAIL_CORRUPT_LIST_ENTRY). It is reached when validation of a LIST_ENTRY
fails: before unlinking an entry, the kernel checks that Entry->Flink->Blink
and Entry->Blink->Flink both point back at Entry. This validation was
introduced in Windows 8 to detect pool corruption as early as possible and to
stop the classic unchecked-unlink write-what-where from being exploited.
The interrupt 0x29 handler is nt!KiRaiseSecurityCheckFailure, and when it is
reached from kernel mode it raises bug check 0x139
[KERNEL_SECURITY_CHECK_FAILURE](http://msdn.microsoft.com/en-us/library/windows/hardware/jj569891%28v=vs.85%29.aspx)
with first parameter 3 (corrupted LIST_ENTRY).
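The following is an added example, not code from the gist or from the book: a portable user-mode C stand-in for the Windows 8 LIST_ENTRY handling described above. The structure layout and the fast-fail code 3 match winnt.h; the function names ValidateListEntry, FailFast, CheckedResult and UncheckedUnlinkWritesToFake are this example's own, as is the constructed "Fake" entry that plays the role of attacker-controlled pool memory. On MSVC the FailFast path compiles to exactly the `mov ecx, 3 ; int 29h` sequence from the exercise; elsewhere it simply aborts.

```c
#include <stdio.h>
#include <stdlib.h>
#if defined(_MSC_VER)
#include <intrin.h>
#endif

/* Fast-fail code placed in ECX before int 29h (value from winnt.h). */
#define FAST_FAIL_CORRUPT_LIST_ENTRY 3u

typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

static void InitializeListHead(LIST_ENTRY *Head)
{
    Head->Flink = Head->Blink = Head;
}

static void InsertTailList(LIST_ENTRY *Head, LIST_ENTRY *Entry)
{
    LIST_ENTRY *Blink = Head->Blink;
    Entry->Flink = Head;
    Entry->Blink = Blink;
    Blink->Flink = Entry;
    Head->Blink = Entry;
}

/* Pre-Windows-8 unlink: trusts both pointers. If Flink or Blink has been
 * overwritten, the two stores below write a list pointer wherever the
 * attacker pointed them (the classic unlink write-what-where). */
static void RemoveEntryListUnchecked(LIST_ENTRY *Entry)
{
    LIST_ENTRY *Flink = Entry->Flink;
    LIST_ENTRY *Blink = Entry->Blink;
    Blink->Flink = Flink;
    Flink->Blink = Blink;
}

/* The check Windows 8 inlines before unlinking: both neighbours must point
 * back at Entry. Returns the fast-fail code rather than raising int 29h so
 * the logic can be exercised (and asserted on) in user mode. */
static unsigned ValidateListEntry(const LIST_ENTRY *Entry)
{
    if (Entry->Flink->Blink != Entry || Entry->Blink->Flink != Entry)
        return FAST_FAIL_CORRUPT_LIST_ENTRY;
    return 0;
}

/* What the kernel does on failure; __fastfail(3) is "mov ecx, 3 ; int 29h". */
static void FailFast(unsigned Code)
{
#if defined(_MSC_VER)
    __fastfail(Code);
#else
    fprintf(stderr, "fast fail, code %u\n", Code);
    abort();
#endif
}

/* Windows 8 style RemoveEntryList: validate first, then unlink. */
static void RemoveEntryListChecked(LIST_ENTRY *Entry)
{
    unsigned Code = ValidateListEntry(Entry);
    if (Code != 0)
        FailFast(Code);
    RemoveEntryListUnchecked(Entry);
}

/* Builds Head <-> A <-> B <-> C. Fake is constructed attacker-controlled
 * memory; with Corrupt set, B's Flink is redirected into it as an overflow
 * would do. Returns what the Win8 check reports for B. */
static unsigned CheckedResult(int Corrupt)
{
    LIST_ENTRY Head, A, B, C, Fake = {0, 0};
    InitializeListHead(&Head);
    InsertTailList(&Head, &A);
    InsertTailList(&Head, &B);
    InsertTailList(&Head, &C);
    if (Corrupt)
        B.Flink = &Fake;
    return ValidateListEntry(&B);   /* 0 if intact, 3 if corrupted */
}

/* Same corrupted list, but unlinked the old unchecked way. Returns 1 if the
 * unlink wrote the address of A into Fake, i.e. the attacker's memory now
 * holds a kernel pointer: the write the Win8 check exists to prevent. */
static int UncheckedUnlinkWritesToFake(void)
{
    LIST_ENTRY Head, A, B, C, Fake = {0, 0};
    InitializeListHead(&Head);
    InsertTailList(&Head, &A);
    InsertTailList(&Head, &B);
    InsertTailList(&Head, &C);
    B.Flink = &Fake;                /* constructed corruption */
    RemoveEntryListUnchecked(&B);
    return Fake.Blink == &A;
}

int main(void)
{
    LIST_ENTRY Head, A;
    InitializeListHead(&Head);
    InsertTailList(&Head, &A);
    RemoveEntryListChecked(&A);     /* intact list: no fast fail */
    printf("intact list   -> code %u\n", CheckedResult(0));
    printf("corrupt list  -> code %u\n", CheckedResult(1));
    printf("unchecked unlink wrote into Fake: %d\n", UncheckedUnlinkWritesToFake());
    return 0;
}
```

On a real Windows 8 kernel the failing branch never returns: the int 29h handler bug checks immediately, which is why the exercise's disassembly shows the `mov rcx, 3 / int 29h` pair with no code following it.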