Category : kernel

I am trying to programmatically monitor Windows system calls in real-time. I’ve come across a log provider called "Microsoft-Windows-Kernel-Audit-API-Calls". Event data looks like this: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Kernel-Audit-API-Calls" Guid="{e02a841c-75a3-4fa7-afc8-ae09cf9b7f23}" /> <EventID>5</EventID> <Version>0</Version> <Level>4</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x0</Keywords> <TimeCreated SystemTime="2017-06-01T11:59:05.831179100-0500" /> <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" /> <Execution ProcessID="1860" ThreadID="9628" ProcessorID="1" KernelTime="210" UserTime="1260" /> <Channel /> <Computer /> </System> ..


How would I get the base address of a specific DLL loaded by a program? PsGetProcessSectionBaseAddress does not work for my situation and I’m not able to use an image load notifier as I’m working with a UEFI driver. C++ user-mode implementation: DWORD GetModuleBase(DWORD processId) { wchar_t szModuleName[] = { 'c','l','i','e','n','t','.','d','l','l', 0 }; DWORD moduleBase ..


#include <iostream> using namespace std; struct Topology { int numTargets; char a; }; class Parent { public: string name; int age; Parent() : name("parent"), age(0) { cout << "parent ctor\n"; }; Parent(const Parent& p) { name = p.name; age = p.age; cout << "parent copy ctor\n"; } ~Parent() {}; protected: }; class Child : public ..


Microsoft deprecated cross-signing certificates; however, it’s not clear from the docs what the new procedure is. From the docs above, MS is the sole provider, but their support claims you can still get one from other vendors (e.g. DigiCert, GlobalSign, etc…). Does anybody know what the process is for signing production kernel drivers for Windows 11 & ..
