Discovery reversing the kernel memory


Opcode
March 29th, 2004, 06:26
Hi, Reversers!

While reversing some structures in the XP kernel, I found a new
way to get some hidden variables without having to scan the
kernel.

Take a look at
hxxp://www.rootkit.com/vault/Opc0de/GetVarXP.pdf
and
hxxp://www.rootkit.com/vault/Opc0de/GetVariables.zip

Regards,
Opcode

dELTA
March 29th, 2004, 17:40
Cool, thanks for the info.

Opcode
March 29th, 2004, 19:38
I updated the article because I found an error.

Instead of:

Code:

mov eax, 0ffdff034h     ; address of KPCR->KdVersionBlock (KPCR lives at 0ffdff000h on XP x86)
mov eax, [eax+078h]     ; bug: reads 78h past the address of the pointer, not from the block it points to


The correct code is:

Code:

mov eax, 0ffdff034h     ; address of KPCR->KdVersionBlock (KPCR lives at 0ffdff000h on XP x86)
mov eax, [eax]          ; dereference once to get the KdVersionBlock pointer itself
mov eax, [eax+078h]     ; now read the field at offset 78h inside the block


Sorry.

Opcode