Sync memory patch execution

Problem: I need to atomically patch some kernel code of the OS (Windows XP - Windows 10).

PatchGuard is disabled.
But I also need to sync the processor cores while I'm patching an SSDT table entry.

I used this article as help information: https://m0uk4.gitbook.io/notebooks/mouka/windowsinternal/ssdt-hook
I use the second variant, which disables the WP flag.

But rarely it BSODs with memory-management / memory-corruption errors (PTE data etc.) with different codes; it looks like, when I patch the table, another thread reads a partially initialized pointer out of it, so it crashes the system.

Can't I disable the other processor cores in some way, patch the data and afterwards restore the processor mode?

WOW!!!

This thread seems to have all the potential to become truly “exciting”…

Anton Bassov

That’s very nice of you to hook syscalls

I am trying to implement a sandbox for malware analysis, so I need some rootkit functionality. So if you don't have any useful information, please don't spam in this thread.

Your questions are indistinguishable from "I'm trying to develop malware, please help." So sorry, no. People are going to be somewhat suspicious of your motives.
Mark Roddy

The answer is simple: google SoftICE, understand why it is no longer a product and move on to a different project. Something that can actually be implemented.

If you don't like that answer, use a hypervisor. Modern versions of Windows even use this technique on themselves.

@buridan

That’s the kind of question that’ll get you banned from this forum. Just sayin’

Peter

Solution: patch the SSDT with an MDL; it's safer and doesn't cause a BSOD.

P.S. I don't know why, but trying to disable interrupts and change the WP flag leads to a BSOD later on. If someone knows why this happens, please tell me)

@Mark_Roddy said:
Your questions are indistinguishable from "I'm trying to develop malware, please help." So sorry, no. People are going to be somewhat suspicious of your motives.
Mark Roddy

Yeah, making a hypervisor is the next step, but right now I have this project with this code and need to release it; because of the time limit I can't start developing a hypervisor right now))) Afterwards I will port it to a hypervisor.

Also, modern Windows systems have PatchGuard, so I don't think you can really make a dangerous virus with this technique))) It's useful only for local experiments.