This patch allows you to use more than 3/4GB of RAM on an x86 Windows system. Works on Windows Vista SP2, Windows 7 SP0, Windows 7 SP1, Windows 8, Windows 8.1 and Windows 10 (build 10586). Instructions and source code included. Download: Source code: https://github.com/wj32/PatchPae2 Before using this patch, make sure you have fully removed […]
Continue reading →Note: An updated version for Windows 10 is available. This patch allows you to use more than 3/4GB of RAM on an x86 Windows system. Works on Windows Vista SP2, Windows 7 SP0, Windows 7 SP1, Windows 8 and Windows 8.1. Instructions and source code included. Download: Before using this patch, make sure you have […]
Continue reading →Note: An updated version for Windows 8.1 is available. This patch allows you to use more than 3/4GB of RAM on an x86 Windows system. Works on Vista, 7, 8, has been tested on Windows Vista SP2, Windows 7 SP0, Windows 7 SP1 and Windows 8 SP0. Instructions and source code included. Download: Before using […]
Continue reading →Recently I became frustrated with Cobian Backup. It was the only free software I could find that: supported incremental backups, supported Volume Shadow Copy, and didn’t install a bunch of extra, useless startup entries and services. However, two things sucked: Incremental backups only seemed to work properly when it used the “archive” attribute. This meant […]
Continue reading →Note: An updated version for Windows 8 is available. This patch allows you to use more than 3/4GB of RAM on an x86 Windows system. Works on Vista and 7, has been tested on Windows Vista SP2, Windows 7 SP0 and Windows 7 SP1. Instructions and source code included. Download: Note: I do not offer […]
Continue reading →Note: An updated version for Windows 7 SP1 is available. This patch allows you to use more than 3/4GB of RAM on an x86 Windows system. Works on Vista and 7, has been tested on Windows Vista SP2 and Windows 7. Instructions and source code included. Download:
Continue reading →Process Explorer 12 includes a new feature whereby you can view service names associated with threads. To find out how this works, read this article by Alex Ionescu. You won’t be completely satisfied, though. You still don’t know how to use I_QueryTagInformation. First step: Getting the service tag for a thread This is simple; use […]
Continue reading →On Vista and above there is an information class for NtQuerySystemInformation which I call SystemProcessImageNameInformation (88). (Note that I reverse-engineered this, so it is probably not the correct name for the information class.) The structure definition is below: typedef struct _SYSTEM_PROCESS_IMAGE_NAME_INFORMATION { HANDLE ProcessId; UNICODE_STRING ImageName; } SYSTEM_PROCESS_IMAGE_NAME_INFORMATION, *PSYSTEM_PROCESS_IMAGE_NAME_INFORMATION; This information class allows you to […]
Continue reading →You’ve probably seen code like this: NTSTATUS MyRootkitNtQuerySystemInformation( ULONG SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength ) if (SystemInformationClass == 5) // SystemProcessInformation { // do some pointer manipulation to hide our rootkit process … } else { return OriginalNtQuerySystemInformation(…); } } For example, this is what Hacker Defender does to hide itself. What most […]
Continue reading →Writing a system utility but annoyed by the fact that you can’t open the processes of security software and rootkits, instead receiving “Access Denied” errors? This is commonly due to security software and rootkits hooking ZwOpenProcess. There are many ways they can do this: SSDT modification, inline hooking (detours), sysenter hooks, etc. There is a […]
Continue reading →