Questions tagged [windows]

Windows refers to the Microsoft Windows series of operating systems. It is a proprietary operating system with a graphical user interface. The latest versions are Windows 8 and Server 2012 respectively.

This tag should be used only for questions that involve attributes of the Windows platform. It should not be used for OS agnostic questions.

A list of readings concerning reverse code engineering on Windows can be found here.

834 questions
21 votes, 1 answer

Windows Wiki : Books and Tutorials

This post is for collecting all the best books and tutorials that exist dealing with Windows-specific reverse engineering techniques and concepts. The content will be added to the Windows wiki. Any suggestions of books and tutorials should be added…
Mellowcandle
15 votes, 2 answers

Is there a good reference for COM object signatures?

When doing RE on some Microsoft binaries I run across COM object references all the time. Is there a good central place to translate some of the GUID's that I find to some sort of object type without having to follow it back to some known parent…
Modoc
8 votes, 1 answer

What are general guidelines for reversing COM objects?

I'm interested in reverse engineering COM objects. How can I find interfaces that a particular object implements if I know what interface it is? Please tell me if I need to change or rephrase the question.
PhoeniX
8 votes, 1 answer

How does services.exe trigger the start of a service?

I'm trying to work out the internals of how a Windows process starts and maintains communication with services.exe. This is on Windows 8 x64, but if you have tips for Windows 7 that is fine too. So far I have figured out that services.exe does something…
chentiangemalc
7 votes, 1 answer

How to find WndProc using x64dbg?

I'm trying to find a WndProc from explorer.exe that is handling these messages, I've found with Spy++: <000001> 00000000000B01C8 P message:0xC02B [Registered:"SHELLHOOK"] wParam:00000025 lParam:000F0184 <000002> 00000000000B01C8 P message:0xC02B…
Ciantic
5 votes, 1 answer

What tools are available to trace the system resources a program is touching in Windows?

What is the best tool to trace the system resources a program is touching? For example, which registry keys, other files or DLLs it's loading, internet connections it's opening, etc.? I saw this question on reddit.com/r/ReverseEngineering and the mod…
Robert_Musser
5 votes, 0 answers

Page Fault Handler in Windows

Like almost all of my questions, I feel like I'm missing something / I understood something the wrong way, so help me figure out where I'm wrong with this. When a Page Fault occurs and nt!KiTrap0E comes to save the day, the CPU saves the current…
user3002428
4 votes, 1 answer

How to use Spy++ to find OnClickFolder or OnClickFile events in Windows Explorer?

I want to make a program that can intercept events (something like OnClickFolder as well as OnClickFile). Is there a way Spy++ or similar programs can do this?
Nathvi
4 votes, 2 answers

Edit Windows protected system files in VMWARE?

How can I edit Windows protected system internal files in VMWARE? On a normal PC, I can simply reboot the PC and use a different operating system to prevent the 'access denied' error... But how do I edit those protected files when inside VMWARE?
user88004
3 votes, 1 answer

The same notepad.exe runs in both WoW64 and x64 modes

When I run notepad.exe with x64dbg it runs as a WOW64 process. But when I run it with x32dbg it runs as an x64 process with x64 instructions. I am running it from the same directory C:\Windows\System32\notepad.exe, but in Process Explorer I see different…
SSSSSXXXXX
3 votes, 1 answer

How do I unpack a file protected by MPRESS?

I have a file that is protected by the MPRESS packer and I want to know how to unpack it on Windows. Is there a specific program for that or something else? I am new to this so any help is appreciated.
LC0
3 votes, 1 answer

What is *BindW*?

I am looking at a Windows library in IDA Pro and I came across a function call BindW(ushort **, void **). IDA Pro adds the comments Binding and StringBinding, respectively, to the parameters when they are pushed. What is this function?
mikeazo
3 votes, 1 answer

CreateToolhelp32Snapshot() access denied (while running as admin or even NT AUTHORITY\SYSTEM)

I've come across a troublesome process which refuses to allow CreateToolhelp32Snapshot(). I also noticed that in Sysinternals Process Explorer it shows "Access Denied" for other things too, such as file path, even when running as admin or even NT…
Cherona
2 votes, 2 answers

Non-ASLR DLL Has Randomized Base per Runtime

I have a question about how a DLL which is marked as non-ASLR compatible can have a different base address every time I run the program that loads it. Basically, this DLL, which is not ASLR compatible (confirmed via both WinDbg-narly and dumpbin)…
TheTwitchy
2 votes, 0 answers

What will the following code do after modifying it?

The following commands will change the file information of the gatherosstate.exe file. From looking at the hex values I can interpret that there are nop (0x00). The file was changed in Windows Terminal. But what more information can be extracted from…