timestop is a tool which hooks KUSER_SHARED_DATA via PDE/PTE modifications, and freezes time or GetTickCount by fakeing page for user process
SoftICE extension to dump memory from SoftICE, and source code
Bootable ISO image which displays my avatar in 320x200 (aka mode 13h) and then boots your system
SoftICE plugin to display information about PDE/PTE for PAE systems...
Driver uses Intel VT to take control when cpuid is executed. Once cpuid is executed, and context of proper process is located (using cr3) then int 3 event is
injected into guest system. Make sure that i3here on is set in SoftICE before loading target with cpuid_loader.exe. Check readme.txt for more limitations!!
Use dr7.GD to fake drX access, allow softice only to modify those registers. single/mutli cpu supported...
I recently published code which can detect hook of rdtsc in all public version of rdtsc faking. Well at the same time this simple code can be used to detect presence of VMWare as it wrongly handles TF when rdtsc is executed. This driver solves this detection problem for real system and for VMWare. You may find more if you open fakerdtsc.c in your favorite text editor :)
Example how to log LastBranchToIp and LastBranchFromIp.
SoftICE plugin to stop SecuROM from detecting single steping
If dr7 is cleared then windows won't update hardware breakpoints. I don't use this code anymore, but still it could be good code to learn something from it.
This code was introduced in "Anti-Anti Dump and Noninrusive Tracers" as code which will present ultimate r3 tracer where there will be no chance to detect presence of nonintrusive tracer, if any protection ever will check KiUserExceptionDispatcher for hooks.
Code used to spy themida IOCTL, it can be used to spy any other driver, but not very useful. Good example of inline hooks in r0 memory.
Code dumps only ring0 memory, and was used to dump themida 1.0.0.5 r0 hooks for better analyze.
Fake rdtsc by making it privileged instrucion. Making it privilege instruction will ensure that installed handle will be called which will fake content of eax and edx registers.
Fastest loader ever writen. It hook int 3h handler to handle breakpoints from r0.
Scans for hooks in exports of ntoskrnl.exe. If you have ntkrnlpa/ntkrnlmp, please change code to use their images from disk, instead of ntoskrnl.exe.
Sets int 01 and 03 handlers to 0FFFFFFFFh and handles them from hook if int 0eh, also makes IDT user visible/writable. No PAE support.
Hooks NtQuerySystemInformation and NtQueryObject, 1st hook is to avoid detection of SoftICE, and second is to make my life easier when some applications protected with armadillo debug blocker are running in background.
Hook Major functions of any driver and replace them with own handler. Can be useful for driver spying.
Loading drivers may cause BSOD, system crash or data lose, use them at your own risk