chaelim

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0010404]
"Layout File"="KBDUS.DLL"
"Layout Text"="Chinese (Traditional) - Phonetic (IME)"
"IME file"="phon.ime"
"Layout Display Name"="@%SystemRoot%\\system32\\input.dll,-5066"

chaelim

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Console]
"ColorTable00"=dword:00000000
"ColorTable01"=dword:00800000
"ColorTable02"=dword:00008000
"ColorTable03"=dword:00808000
"ColorTable04"=dword:00000080
"ColorTable05"=dword:00800080
"ColorTable06"=dword:00008080

chaelim

#if _MSC_VER
    #define COMPILER_CHECK(expr, msg)  typedef char COMPILE_ERROR_##msg[1][(expr)]
#else
    #define COMPILER_CHECK(expr, msg)  typedef char COMPILE_ERROR_##msg[1][(expr)?1:-1]
#endif

chaelim

    // Note From MSDN:
    //    In past versions of the Visual C++ compiler, the _ReadWriteBarrier
    //    and _WriteBarrier functions were enforced only locally and did not
    //    affect functions up the call tree. In Visual C++ 2005 and later,
    //    these functions are enforced all the way up the call tree.


// Intel and AMD (x86 and AMD64) enforces strong ordering (program ordering)
// except a store followed by a load (the store becomes visible before
// the load executes) http://en.wikipedia.org/wiki/Memory_ordering

chaelim

#include <windows.h>
#include <process.h>
#include <stdio.h>
#include <intrin.h>

#define DO_FLUSH

unsigned __stdcall thread(void* p)
{
   unsigned __int64 t1 = __rdtsc();

chaelim

/****************************************************************************
*
*   BrokenGuardPage.cpp
*  
*   Just use following commands for compile:
*       cl BrokenGuardPage.cpp
*
*   Written by CS Lim (9/26/2006)
*
***/

chaelim

VC stdlib.h macro

/* _countof helper */
#if !defined(_countof)
#if !defined(__cplusplus)
#define _countof(_Array) (sizeof(_Array) / sizeof(_Array[0]))
#else
extern "C++"
{
template <typename _CountofType, size_t _SizeOfArray>

chaelim

========================================================================
FIND PAGE FAULT IDT (KiTrap0E)
========================================================================
kd> !pcr 0
    Find "KPCR for Processor 0 at fffff80001176000:"
kd> dt _KPCR fffff80001176000
    Find "+0?38 IdtBase          : 0xfffff800`03694070  _KIDTENTRY64"
    
kd> r? $t0=(_KIDTENTRY64 *)0xfffff800`03694070; .for (r $t1=0; @$t1 <= 13; r? $t0=(_KIDTENTRY64 *)@$t0+1) { .printf "Interrupt vector %d (0x%x):\n", @$t1, @$t1; ln @@c++(@$t0->OffsetHigh*0x100000000 + @$t0->OffsetMiddle*0x10000 + @$t0->OffsetLow); r $t1=$t1+1 }

chaelim

Opened log file 'FlushProcessWriteBuffers.log'
0: kd> x nt!*FlushProcessWriteBuffers*
fffff800`0226da70 nt!KeFlushProcessWriteBuffers = <no type information>
fffff800`0225a9d0 nt!NtFlushProcessWriteBuffers = <no type information>
fffff800`022a0720 nt!ZwFlushProcessWriteBuffers = <no type information>
fffff800`0226e3cc nt!KiFlushProcessWriteBuffersTarget = <no type information>
0: kd> u fffff800`0225a9d0
nt!NtFlushProcessWriteBuffers:
fffff800`0225a9d0 33c9            xor     ecx,ecx
fffff800`0225a9d2 e999300100      jmp     nt!KeFlushProcessWriteBuffers (fffff800`0226da70)

chaelim

Obfuscating memory pointer using EncodePointer/DecodePointer APIs

https://msdn.microsoft.com/en-us/library/bb432254%28v=vs.85%29.aspx
https://msdn.microsoft.com/en-us/library/bb432242(v=vs.85).aspx