PAE patch updated for Windows 10

This patch allows you to use more than 3/4GB of RAM on an x86 Windows system. Works on Windows Vista SP2, Windows 7 SP0, Windows 7 SP1, Windows 8, Windows 8.1 and Windows 10 (build 10586). Instructions and source code included. Download: Source code: https://github.com/wj32/PatchPae2 Before using this patch, make sure you have fully removed […]


PAE patch updated for Windows 8.1

Note: An updated version for Windows 10 is available. This patch allows you to use more than 3/4GB of RAM on an x86 Windows system. Works on Windows Vista SP2, Windows 7 SP0, Windows 7 SP1, Windows 8 and Windows 8.1. Instructions and source code included. Download: Before using this patch, make sure you have […]


PAE patch updated for Windows 8

Note: An updated version for Windows 8.1 is available. This patch allows you to use more than 3/4GB of RAM on an x86 Windows system. Works on Vista, 7 and 8; it has been tested on Windows Vista SP2, Windows 7 SP0, Windows 7 SP1 and Windows 8 SP0. Instructions and source code included. Download: Before using […]


Introducing WJ’s Backup

Recently I became frustrated with Cobian Backup. It was the only free software I could find that: supported incremental backups, supported Volume Shadow Copy, and didn’t install a bunch of extra, useless startup entries and services. However, two things sucked: Incremental backups only seemed to work properly when it used the “archive” attribute. This meant […]


HOWTO: Use I_QueryTagInformation

Process Explorer 12 includes a new feature whereby you can view service names associated with threads. To find out how this works, read this article by Alex Ionescu. You won’t be completely satisfied, though. You still don’t know how to use I_QueryTagInformation. First step: Getting the service tag for a thread This is simple; use […]


Get the image file name of any process from any user on Vista and above

On Vista and above there is an information class for NtQuerySystemInformation which I call SystemProcessImageNameInformation (88). (Note that I reverse-engineered this, so it is probably not the correct name for the information class.) The structure definition is below:

typedef struct _SYSTEM_PROCESS_IMAGE_NAME_INFORMATION
{
    HANDLE ProcessId;
    UNICODE_STRING ImageName;
} SYSTEM_PROCESS_IMAGE_NAME_INFORMATION, *PSYSTEM_PROCESS_IMAGE_NAME_INFORMATION;

This information class allows you to […]


NtQuerySystemInformation: a simple way to bypass rootkits which hide processes by hooking

You’ve probably seen code like this:

NTSTATUS MyRootkitNtQuerySystemInformation(
    ULONG SystemInformationClass,
    PVOID SystemInformation,
    ULONG SystemInformationLength,
    PULONG ReturnLength
    )
{
    if (SystemInformationClass == 5) // SystemProcessInformation
    {
        // do some pointer manipulation to hide our rootkit process
        …
    }
    else
    {
        return OriginalNtQuerySystemInformation(…);
    }
}

For example, this is what Hacker Defender does to hide itself. What most […]
