How to make your own Simple Kernel static Disk Serial Spoofer on Windows part 2

An author never does more damage to his readers than when he hides a difficulty. (Evariste Galois) You can download this tutorial and all necessary files in an archive file from here. The PDF version is also available here. File password: exists4all.github.io
Table of Contents: Introduction; Abstract; Required tools; Required knowledge; Purpose; Windows Internals and Hard disks; Device Unique Identifiers (DUIDs) for Storage Devices; Looking inside the kernel architecture; Finding hard disk objects and the responsible driver that gets disk serials; Reimplementing the spoofer; n0Lin (@Alex3434) and btbd spoofer; Logic of implementation; Updating the SamuelTulach project; Conclusion
Introduction. Abstract. After a long time being inactive, I decided to end my break, which I had taken for some personal reasons. Another reason was that the release date of Windows 24H2 was getting closer. After the release I noticed that old spoofers cause problems and lead to a BSOD, so it is the best time to write part 2 of the static spoofer tutorial. We are going to use the excellent earlier work of other people to make our life simpler. We are basically going to do some reverse engineering, modify old spoofers to work on a new build of Windows, and explain the philosophy behind it. You can download most of the resources and important files used in this tutorial on my website. I also really appreciate any suggestion and any pointing out of errors, since no one is immune to making mistakes. You can do that using this form. ...

October 22, 2024 · 4520 words · Exists4All

How to create your own PE Crypter with C++ from scratch

Introduction. It has been a while since I did this project, but for some reason I was not able to publish it. You can download the tutorial in PDF format with the necessary files here. The password for the file is: SimpePECrypter And finally, download the source code from GitHub. Note that I did this project in a bit of a rush, so there are small mistakes here and there, but the results are good enough. I might fix these problems in the future and release this tutorial in full HTML format. ...

March 19, 2024 · 92 words · Exists4All

Analyzing CryptoAPI key extraction on Windows using CryptExportKey

Introduction. I had to reverse engineer a PE for a few weeks. The PE uses an extensive amount of encryption and decryption of memory fragments to make it harder to reverse engineer; however, that PE is a topic for another time. To patch some specific parts without changing the instruction size, I had to write a manual encrypter/decrypter for those memory fragments, encrypt the patched bytes and replace those specific memory fragments. However, it seems that the key CryptoAPI uses to do the job is not the same as the key you get with CryptExportKey, so I decided to look inside these functions to see what the actual key is. ...

March 17, 2024 · 1468 words · Exists4All

How to make your own Simple Kernel static Disk Serial Spoofer on Windows part 1

Introduction. In this tutorial we are going to create a static disk drive serial number spoofer. This project will be a little long and needs some basic knowledge about operating systems and reverse engineering. We are going to use Visual Studio Community, IDA and WinDbg; I used Windows 11 Enterprise. Analyzing the Kernel. Setting up WinDbg. The first step is to find out how Windows gets that information. A quick search shows that wmic commands are used for this. If you open CMD and execute wmic diskdrive get serialnumber, you can retrieve all the disk serials. So the logical next step is to analyze wmic in WinDbg; however, if you do that you will find that wmic tokenizes commands, sends them to the kernel, retrieves the data in an XML file and reads the result from there. So for simplicity we are not going to analyze wmic. Instead we are going to issue the wmic query directly from C++ and use the debugger to see which kernel API is used to get that data. ...

March 17, 2024 · 1682 words · Exists4All

Important notes about Kernel development on Windows

Introduction. Welcome to my kernel programming tutorial document. Be sure to read these notes before starting. Important notes. Kernel programming is nothing like user-mode programming: information about its structure is very limited, and most of the time you have to dig very deep into the MSDN documentation to understand where you need to start. Kernel-mode code has to be flawless; any defect in it will cause serious problems and most of the time leads to a BSOD (blue screen of death). ...

March 17, 2024 · 689 words · Exists4All