пятница, 30 января 2015 г.

modernexecserver.dll RPC interface

version info says "Modern Execution Server". I don`t know what this means
8EC21E98-B5CE-4916-A3D6-449FA428A007 version 0.0
19 methods:
  • FmMuxSrvRegisterCoreUIEndpoints
  • FmMuxSrvLaunchTask
  • FmMuxSrvResumeTask
  • FmMuxSrvPauseTask
  • FmMuxSrvCancelTask
  • FmMuxSrvAbortTask
  • FmMuxSrvGetTaskPid
  • FmMuxSrvSetTaskDehydrationEligibility
  • FmMuxSrvResolveApplicationUri
  • FmMuxSrvGetActivationPolicy
  • FmMuxSrvShutdown
  • FmMuxSrvSetForegroundTaskInstanceId
  • FmMuxSrvGenerateActivationInstanceId
  • FmMuxSrvActivationPrerequisitePhase
  • FmMuxSrvIsCBETask
  • FmMuxSrvIsValidTaskPid
  • FmMuxSrvResumePrerequisitePhase
  • FmMuxSrvGetForegroundTaskInstanceId
  • FmMuxSrvActivationBypass

среда, 21 января 2015 г.

interrupts in w10 build 9879 64bit

it seems that Microsoft completely removed KiInterruptTemplate in this version of windows and interrutps now stored in KPRCB (like in w8.1)
Lets see on function KiConnectInterrupt

среда, 7 января 2015 г.

apisetschema.dll from windows 10 build 9879 64bit

only api-ms-win-core-ums-l1-1-0 was added

apisetschema.dll from windows 10 build 9879

Yep, they did it again - apisetschema.dll now has version 5. One hard evening of reversing and you can enjoy the results
Btw - there are module in kernel mode which is missed in apisetschema.dll:ext-ms-win-ntos-ksigningpolicy-l1-1-0.dll in cia.dll. I have no ideas about how translation of ext-ms- names happens in kernel mode