Forums

Hi all, this is my analysis of GanDiao.sys, an ancient kernel driver based malware. It only works in WinXP as it is unsigned.  This driver was used by various malware families and it allowed any userland application to kill other protected processes. This doc also includes a custom userland app source code to use GanDiao and test its capabilities. ENGLiSH VERSiON: http://lucadamico.dev/papers/malware_analysis/GanDiao.pdf iTALiAN VERSiON: https://www.lucadamico.dev/papers/malware_analysis/GanDiao_ITA.pdf As usual, I'm also attaching both PDF files here, just in case.  Enjoy. GanDiao.pdf GanDiao_ITA.pdf

Use async and await. // sleep time expects milliseconds async function sleep (time) { await new Promise((resolve) => setTimeout(resolve, time)); } window.addEventListener('load', async (event) => { await sleep(500); ...my code... });  

Hi, thanks for checking. I have big differences using Brave / Chromium and Firefox with my script. I tried this now. I disabled uBO completely from both browsers and then I disabled all cookies (Firefox settings) for that specific website and in Brave too. In case of Firefox my script does not create a button but in Brave it does. Why this? If I allow cookies on that website in Firefox then it works and my script does create the button. Really strange behaving. Do you have any explanation for this? Brave: Block All Cookies | no uBO | My Script | = Working to create button Firefox: Block All Cookies | no uBO | My Script | = Failed to create button (Uncaught TypeError: document.getElementById(...) is null) It does not get the element by ID in FF. By the way, the does not work better or at all. It does not work if I use it instead of "load". Somehow pretty frustrating right now not getting it work for both browser yet. No idea how to deal with that.   EDIT: I see problem when using... window.addEventListener('load', (event) => { ...my code... }); ...so sometimes it works sometimes not, its like 50/50. Now I was looking for some sleep function I could place at the top in my script and found just this one... // sleep time expects milliseconds function sleep (time) { return new Promise((resolve) => setTimeout(resolve, time)); } // Usage! sleep(500).then(() => { // Do something after the sleep! }); ....and if I se this function with sleep of 1 seconds and let execute my code inside then it works! So the problem is that I need to wait a while longer in Firefox (not in Brave) to find that element as you did mention already. Seems I have to work with sleep functions etc. Question: Is there also a method to sleep at any line I want (like in coding you call sleep function with time X and in this time all stops before next code get executed / no threads)? The problem is I have to put all my code inside of this sleep function but I would prefer to stop right there. Otherwise if you have any other and better ideas how to tell JS to sleep or how to continue after website and all components are fully loaded then tell me. Thanks. greetz

Your examples work fine. I guess the issue is that you have ublock set too strictly, blocking even javascript. just add an exception for the page or disable javascript blocking in the settings. Testing in a restrictive environment probably isn’t the best way to practice. and  for "document.getElementById(...) is null", that's normal if the element isn't found. So the issue could be related to timing for example, if the element is loaded dynamically and the check happens before it has been created. You could try using 'DOMContentLoaded' instead of 'load'.  

OK, so I have this problem trying to find a element by ID which is there but I get this error in Firefox... Uncaught TypeError: document.getElementById(...) is null ....if I try to execute a simple command.... let url = document.getElementById("url").querySelector("source").src; if (url) { console.log(url); }else{ console.log("Failed to find url ID element!"); return } ...so it does not get the element but its there. I don't understand that. I found another strange thing. So if I use the debugger in browser to set BP on the line above then it works to read the element and source. Pretty strange! No idea what the problem is and why it works in debug mode and not in normal mode in Firefox.   greetz