Guide | How To [Theory] Native Windows API (NTAPI)

The associated guide may contain user-generated or external content.
W

Wave

Thread author
Hello and welcome to my first thread on Programming with C++. :)

[DISCLAIMER]
The code presented at the bottom of this thread is NOT dangerous if used correctly, of course if you are stupid with it then it can cause problems… E.g. if you use the last code part to force BSoD your system then it can cause data loss/corruption (since this is what BSOD crashes can do), or if you use the NtTerminateProcess code to terminate a critical windows process then a BSOD crash can occur… Please use it responsibly and for good purposes.

If you don’t know what you’re doing but are a programmer and want to learn then just stick to using a Virtual Machine so you avoid the possibility of messing stuff up.

I have intentionally set the font size to 3 because this thread is very long and with the normal font size it may actually be even more of a pain to go through... I highly recommend you zoom in once in your browser, and it will appear much nicer to read the text (as opposed to reading it without zooming in once or as it is by default).

If you find any false information/mistakes in this thread then please let me know so I can fix them.
[/DISCLAIMER]

In this thread we will be learning about the Native API (NTAPI) and how we can go about using NTAPI functions from within C++. Throughout this tutorial, I will be working with Visual Studio 2015 Community Edition with an Empty project template (C++). This thread will have multiple parts to it: the first part will evolve around theory and then the second part will be source code to using some NTAPI functions which have been commented.


Part 1 - Theory
In Windows we have 4 different rings: ring 0; ring 1; ring 2; and ring 3.

Ring 0 is the lowest ring available and the purpose of this ring is to hold the kernel (of the Operating System) in memory. Whereas, the third ring (ring 3) is used for user-mode on our systems (e.g. Windows kernel will be executed from within Ring 0, however our standard programs will be executing from within Ring 3). The reason we have different rings is for the protection of our system (memory, ports, and the safety of other resources in general), since it restricts what our standard programs can do on the system, but grants kernel-mode the highest privileges which it needs to control and operate the system correctly. The kernel must be executed from ring 0 because it needs to be able to access our hardware, it’s a layer to the hardware. However, our standard programs do not need such privileges and giving it to them can cause big problems, they are restricted by being executed in ring 3 which does not have access directly to hardware… Not to mention the fact that if Ring 3 software (user-mode software) was running from ring 0 then it can cause conflicts with the kernel.

Ring 0 needs to be protected because if a crash occurs it will result in a crash of the entire system and the reason for this is down to the kernel being executed there in memory. Thankfully, when a standard program crashes in user-mode (ring 3), our systems don’t need to be completely restarted and this is down to memory management – each piece of software executing from ring 3 has its own memory allocated to it, therefore when something goes wrong (the memory for that software messes up) only that memory is affected, thus only that program crashes. In ring 0 it’s a different story, you have access to all the memory on the system, complete control… Therefore, a crash will affect the entire system, and all the memory. Ring 0 is essentially an abstract layer to access the hardware, and ring 3 is essentially the place for


In Windows there is something called the NTAPI (Native API) and it’s basically an Application Programming Interface which is more lower-level than the Win32 which I’m sure we are all familiar with. The way it works is when you call specific Win32 API functions, it becomes passed down and traces back to the Native API equivalent of the function, and then this proceeds by transitioning over to kernel-mode (ring 0).

There is a lot of misinformation about ring 1 and 2 and honestly I used to be wrong about it as well due to the misinformation I had read previously online whilst learning a few years back. The purposes of ring 1 and 2 is actually for device drivers, they do not actually become loaded in ring 0 itself. The reason for ring 1 and 2 being used for device drivers is simply down to the fact that they may need to access microcontrollers and the such of hardware, and if they were loaded from ring 3 then they wouldn’t have the guaranteed control to do what they really need to do. However, device drivers in ring 1 and 2 have the most control next to the kernel in ring 0. Device drivers stay in ring 1 and 2 to grant them the privileges they require without giving them too much freedom and control which they don’t really need, and if they don’t need the same control as ring 0, then putting them in ring 0 can just cause problems. Ring 0 is for the kernel only, device drivers are to work from ring 1 and 2 (and work closely with the kernel of course), and then ring 3 is for user-mode.

Now we’ve covered some basic theory about the OS rings and their purposes we can start to talk about the Native Windows API (NTAPI) and the Windows API (Win32 API).

Within the Windows Kernel we have something known as the Native API (NTAPI) and this is essentially a bunch of functions used within the Windows Kernel and the software running on our systems. As an alternate to using the NTAPI, we have the Win32 API, which is more tuned for less sophisticated software. In fact, Microsoft recommend you use the Win32 API as opposed to directly using the NTAPI because the Win32 is much more stable and tuned for general usage ad using the NTAPI can cause unexpected results and instability. Regardless of the NTAPI not being such a good idea to use for everything, it has some very nice uses when it comes to security (and generally speaking, for security software) since it’s a bit lower-level compared to the Win32 API.

When we use the Win32 API and call specific functions, these can trace back to the NTAPI equivalent of the function. To explain this a bit better, let’s take a look at the Win32 API function called TerminateProcess, which is found in the module Kernel32.dll. Below I will post the function syntax (also available at MSDN from the above link):

Code:
BOOL WINAPI TerminateProcess(
  _In_ HANDLE hProcess,
  _In_ UINT   uExitCode
);

First off, we notice that the function type is of a Boolean (BOOL), which means the function will return TRUE or FALSE (based on the function success).

After this we have a greeting of WINAPI (but we already know this) and then the function name, along with the parameters that the function takes in (a HANDLE to the target process we want to terminate and then an exit code of a type UINT (Unsigned Integer)).

This is actually the exact same function that Task Manager calls from the Details tab when you try and terminate a function - *just a quick fact I should point out.

Anyway, moving on, this function will eventually land at the stub of the Native API equivalent of the function, which is Nt*/ZwTerminateProcess. (a stub is basically a part of code, in this case the function of ZwTerminateProcess, located within NTDLL.DLL).

Once the function call has traced back down to the NTAPI function equivalent it will end up transitioning the function call into kernel-mode (ring 0) and the work will be finished there.

In kernel-mode we have something known as the SSDT (System Service Dispatch/Descriptor Table) and this is basically a huge table containing the Kernel Functions and the addresses to where the functions reside in memory, and this table is exported by ntoskrnl.exe (KeDescriptorTable - on x86 systems only, it’s not exported on x64 systems due to PatchGuard/Kernel Patch Protection purposes). When you call a function it will go through the SSDT I believe.

As another example, let’s look at the function OpenProcess (Kernel32.dll once again, Win32 API function):
Code:
HANDLE WINAPI OpenProcess(
  _In_ DWORD dwDesiredAccess,
  _In_ BOOL  bInheritHandle,
  _In_ DWORD dwProcessId
);

This function will end up at its NTAPI equivalent which is Nt*/ZwOpenProcess:
Code:
NTSTATUS ZwOpenProcess(
  _Out_    PHANDLE            ProcessHandle,
  _In_     ACCESS_MASK        DesiredAccess,
  _In_     POBJECT_ATTRIBUTES ObjectAttributes,
  _In_opt_ PCLIENT_ID         ClientId
);

As we can see, NTAPI syntax is now being used since it’s a Native API function. Instead of getting the WINAPI and BOOL/Win32 data structures, we’re getting the NTAPI ones.

All Native API functions will return an NTSTATUS value – there are so many that I cannot list them, but to list the most common ones: STATUS_SUCCESS (0x00000000); STATUS_UNSUCCESSFUL (0xC0000001); and STATUS_ACCESS_DENIED (0xC0000022).

I can think of a few reasons as to why using the NTAPI instead of just passing through the Win32 API can be useful, such as needing to use an NTAPI function without needing the use of the Win32 API function which may use other functions as well, or to bypass any Win32 hooks (but NTAPI function stubs can also be hooked anyway), so I recommend you just use the Win32 APIs unless you really need to use the NTAPI instead since it can cause instability depending on what you need to do.

For example, instead of using ZwSuspendThread or ZwSuspendProcess (both undocumented NTAPI functions), you can just use the Win32 API function SuspendThread (enumerate through all threads in the process and pass the thread handle to this function), which would potentially be much more stable depending on specific circumstances.


I believe that this is enough theory for the moment, now we will move onto Part 2.

Part 2 – using the NTAPI within C++
Firstly, I will be using Visual Studio 2015 (Community Edition) and I will create a new C++ project (Empty Project template) and add a new source file (main.cpp).

Below is the code for using NTAPI functions (check the comments in the code which are after the “//” for explanations).

NtTerminateProcess:
Code:
// This code works by obtaining the address of the NtTerminateProcess function, if it's valid then we open a handle to our target process with the Win32 API function OpenProcess (kernel32.dll) and then we call NtTerminatProcess. Afterwards we check the NTSTATUS result so we know if it was succesful or not.

// At the start we define the function structure with typedef for NtTerminateProcess so it knows the parameters we will be putting in.

// REMEMBER TO CHANGE THE PID IN THE OpenProcess function call
#include <iostream>
#include <Windows.h>
#include <winternl.h>
using namespace std;

// error codes for NtTerminateProcess
#define STATUS_SUCCESS 0x00000000
#define STATUS_ACCESS_DENIED 0xC0000022
#define STATUS_INVALID_HANDLE 0xC0000008
#define STATUS_OBJECT_TYPE_MISMATCH 0xC0000024
#define STATUS_PROCESS_IS_TERMINATING 0xC000010A

typedef NTSTATUS(NTAPI *pdef_NtTerminateProcess)(HANDLE ProcessHandle, NTSTATUS ExitStatus);

int main()
{
       cout << "Attempting to obtain the address of NtTerminateProcess" << endl;

       // get the address of NtTerminateProcess from ntdll
       LPVOID lpFunctionAddress = GetProcAddress(LoadLibraryA("ntdll.dll"), "NtTerminateProcess");

       if (lpFunctionAddress == 0) // if the address is NULL (0) then we cannot use it
       {
              cout << "Error: could not obtain the address of NtTerminateProcess!" << endl;
              return 0; // exit the program
       }
       cout << "Attempting to obtain a handle to the target process" << endl;
       HANDLE ProcessHandle = OpenProcess(PROCESS_TERMINATE, FALSE, 13408); // open a handle to the process with the PID we passed in (13952)
       if (ProcessHandle == 0) // compare if the handle is 0, if it is then we cannot use it (fail)
       {
              cout << "Error: could not obtain a handle to the target process!" << endl;
              return 0; // exit the program
       }
       pdef_NtTerminateProcess NtCall = (pdef_NtTerminateProcess)lpFunctionAddress; // set structure and to the address
       NTSTATUS NtRet = NtCall(ProcessHandle, 0); // call the function and pass in the handle we created earlier, the 0 is for the ExitStatus however this can stay as 0
 
if (NtRet == STATUS_SUCCESS) // check if the termination was a success
       {
              cout << "The process was successfully terminated from memory!" << endl;
       }
       else if (NtRet == STATUS_ACCESS_DENIED) // access denied
       {
              cout << "The process could not be terminated: Access Denied" << endl;
       }
       else if (NtRet == STATUS_INVALID_HANDLE) // incorrect handle
       {
              cout << "The process could not be terminated: invalid handle was passed as ProcessHandle parameter" << endl;
       }
       else if (NtRet == STATUS_OBJECT_TYPE_MISMATCH) // object mismatch
       {
              cout << "The process could not be terminated: object type mismatch" << endl;
       }
       else if (NtRet == STATUS_PROCESS_IS_TERMINATING) // process is already terminating
       {
              cout << "The process could not be terminated: the process is already terminating" << endl;
       }
       else // termination failed for another reason
       {
              // print out the error code with GetLastError() so we can look up the error code and find details on why termination failed
              cout << "The process could not be terminated: error code " << GetLastError() << endl;
       }
       getchar(); // wait for us to respond before it exits program
       return 0; // execution success
}


NtRaiseHardError/RtlAdjustPrivilege:
Code:
#include <iostream> // Input and Output stream
#include <Windows.h> // Win32 API
#include <winternl.h> // this includes NTAPI data structures and other information

using namespace std;

#define SeShutdownPrivilege 19 // we need SeShutdownPrvilege to cause the BSoD

// First off we will define the structure of the functions we will be using (NtRaiseHardError + RtlAdjustPrivilege).
// We will be using RtlAdjustPrivilege to enable the SeShutdownPrvilege so we have permission to shutdown the system, and then we will use NtRaiseHardError to force BSOD the system via NTAPI.
// After we have defined our functions we will use the main() function which is called by the CRT Startup function to get the addresses of the functions we will be using and then we will check if the addresses are valid or not (if !=0 then it is fine).
// Then we call the functions.

// function definitions
typedef NTSTATUS(NTAPI *pdef_NtRaiseHardError)(NTSTATUS ErrorStatus, ULONG NumberOfParameters, ULONG UnicodeStringParameterMask OPTIONAL, PULONG_PTR Parameters, ULONG ResponseOption, PULONG Response);

typedef NTSTATUS(NTAPI *pdef_RtlAdjustPrivilege)(ULONG Privilege, BOOLEAN Enable, BOOLEAN CurrentThread, PBOOLEAN Enabled);

int main()

{
       // get the address of RtlAdjustPrivilege
       LPVOID lpFuncAddress = GetProcAddress(LoadLibraryA("ntdll.dll"), "RtlAdjustPrivilege");
       if (!lpFuncAddress)
       {
              cout << "Could not get the address of RtlAdjustPrivilege" << endl;
              getchar();
              return 0;
       }

       BOOLEAN bEnabled;
       pdef_RtlAdjustPrivilege NtCall = (pdef_RtlAdjustPrivilege)lpFuncAddress;
       NTSTATUS NtRet = NtCall(SeShutdownPrivilege, TRUE, FALSE, &bEnabled); // Enable SeShutdownPrivilege via RtlAdjustPrivilege

       // here you can check if NtRet == 0x00000000 (STATUS_SUCCESS) if you want
       LPVOID lpFuncAddress2 = GetProcAddress(GetModuleHandle("ntdll.dll"), "NtRaiseHardError"); // GetModuleHandle as ntdll.dll was loaded earlier with first GetProcAddress function use
       if (!lpFuncAddress2)
       {
              cout << "Could not get the address of NtRaiseHardError" << endl;
              getchar();
              return 0;
       }

       ULONG uResp;
       pdef_NtRaiseHardError NtCall2 = (pdef_NtRaiseHardError)lpFuncAddress2;
       NTSTATUS NtRet2 = NtCall2(STATUS_ASSERTION_FAILURE, 0, 0, 0, 6, &uResp); // cause the BSoD crash
       if (!NtRet2)
       {
              cout << "The force BSoD crash failed" << endl;
              getchar();
       }
       return 0;
}

// THE ABOVE CODE WILL FORCE BSOD YOUR SYSTEM.. USE VM PLEASE!

If you want code for a specific function like ZwSuspendProcess (which is actually an undocumented function) then feel free to let me know and I’ll PM it to you, but only if you have over 300+ spam-free posts.


Damn I've just read through my post and honestly I am disappointed because it could be so much better, hopefully it's enough for someone to learn some things though.

Hope this helped.
Wave. :)
 
Last edited by a moderator:
L

LabZero

Thread author
Thanks for this great tutorial! :)
I am always "malware-oriented" and reading your thread I think of a kernel-mode malware (rootkit) installed on a system that it can do whatever it wants by using the more simple hooking technique: the hook of SSDT table used to switch from user mode code (ring 3) to kernel mode code (ring 0).
 
W

Wave

Thread author
@tim one

Thanks for this great tutorial! :)
I am always "malware-oriented" and reading your thread I think of a kernel-mode malware (rootkit) installed on a system that it can do whatever it wants by using the more simple hooking technique: the hook of SSDT table used to switch from user mode code (ring 3) to kernel mode code (ring 0).
I think you think of these things when you read my threads because a few years ago when we first met on this forum, I was always talking about hooking and rootkits (and still do). So you probably just got used to reading about it from me and had that stuck in your brain since then, haha. :p

I'm writing a new programming thread now on process protection, should be good for people who want to learn about AV self-defence. Maybe I can post it tonight. ;) (and then I can do one on registry/file during the upcoming week).
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
@tim one


I think you think of these things when you read my threads because a few years ago when we first met on this forum, I was always talking about hooking and rootkits (and still do). So you probably just got used to reading about it from me and had that stuck in your brain since then, haha. :p

I'm writing a new programming thread now on process protection, should be good for people who want to learn about AV self-defence. Maybe I can post it tonight. ;) (and then I can do one on registry/file during the upcoming week).
Yeah! :) You are right, I think I have a particular weakness for rootkits, and I see malware everywhere; even you know I'm working on school work for the end of the year, on these topics and, because many stuff is not documented, I will take advantage also from your threads! :D;)
 
W

Wave

Thread author
Yeah! :) You are right, I think I have a particular weakness for rootkits, and I see malware everywhere; even you know I'm working on school work for the end of the year, on these topics and, because many stuff is not documented, I will take advantage also from your threads! :D;)
If you'd like I can try to post more on undocumented things (undocumented by Microsoft) in the programming area when I get the time to help. PM me to give me ideas on examples of what might help you, and of course if I have a strength in it then I can make a public thread about it. :)

Do you have to do an end-of-year project?
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
If you'd like I can try to post more on undocumented things (undocumented by Microsoft) in the programming area when I get the time to help. PM me to give me ideas on examples of what might help you, and of course if I have a strength in it then I can make a public thread about it. :)

Do you have to do an end-of-year project?
Thanks I'll PM you for sure:)

I am working on this big project about user-mode rootkits, which intercept and modify processes related to applications and overwriting memory.
Then about kernel-mode rootkits that operate at low-level of the operating system.
A kernel rootkit can take control of any function of the system directly to the more privileged level. This category of rootkit is much more dangerous and complex of the user-mode ones; they are difficult to detect and remove, however they are less common.

My project would consist in a very technical and deep analysis of these rootkits and the difficulty is to collect and analyze a lot of documentation, doing research and possibly trying not documented infection patterns and methods.
 
W

Wave

Thread author
I love C++ i should try again because is a powerful programming language, i learn little bit but i not continue learn but i should pick up again,
You should try again and continue if you can, if you're interested in and have the time then why not? You can do a lot with C++, and mixing it with C can be very useful depending on what you're trying to do, too.

If you're interested in security development then I would recommend learning both 32-bit and 64-bit Assembly, C and C++. If you're just wanting to make normal programs, then I'd just go for C++ with the Win32 API.
 
W

Wave

Thread author
I think Xcode on mac i can practice.. i dont know is good editor?
I don't use OS X and never have properly so I cannot comment about what you can/cannot do language-wise however what I can tell you is that there is no Windows API on OS X and therefore you won't be able to compile code from these tutorials for example (since this is Windows-orientated I'm afraid).

I mean yes you can code in C++ on OS X of course, however Objective-C is quite popular on OS X.
 
D

Deleted member 69059

Thread author
Exellent thread with alot of usefull information. Nevertheless I want to point out this phrase:
In Windows we have 4 different rings: ring 0; ring 1; ring 2; and ring 3.

According to my knowledge, Windows ONLY uses two rings: ring0 (kernel mode) and ring3 (user mode), however, modern CPU architectures implement more than two protection rings, like Intel x86, which If I'm not wrong provides 4 levels of protection (rings).
If I'm wrong, please let me know.
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
Wow, I've forgotten this great thread! :)

Well school times are over for me and if I think about ring, now I think about Tolken's masterpiece :p

I remember something but not in depth however we consider that AVs install .sys drivers to analyze what happens at the kernel level.

Speaking of rootkits.

The information in the memory can be divided into two categories: "data" and "code".

Data refers to bytes that are not executed. Examples may be data structures directly related to the operation of the system kernel or data related to a Word document. Data are usually stored in memory regions called heaps, stacks or pools.

The Code, on the other hand, refers to the executable "instructions" that the processor must handle to perform its job.

Rootkits manage to gain invisibility by altering memory content with the aim of changing the behavior of the operating system or the way in which data is presented to the user. Rootkits work on code, data, or both categories of information stored in memory. The operation aimed at manipulating the contents of the memory is usually identified with the expression "memory patching".

When referring to the level of privileges with which an application is executed we use the term "ring". Ring 0 identifies processes running in kernel mode, ring 3 identifies applications running in user mode, such as the browser.

When the processor is operating in kernel mode, it has access to all system logs and memory.

When the CPU Unit is operating in user mode (level 3), only those areas of memory that are usable in user mode are allowed to access.

Since the code that runs in kernel mode can have indiscriminate access to all areas of the system, being able to run programs in this context is the goal that all rootkit authors look at with great interest.

If we want to get the list of processes running, the first step is to open the Task Manager. This system application, however, operates in user mode despite running kernel mode code that takes care of retrieving the list of running processes. For this type of activity, the Task Manager invokes a function called NTQuerySystemInformation that is present in the NTDLL.DLL library. A routine operating in kernel mode receives the request and draws on a special kernel structure called System Service Descriptor Table (SSDT).

Each time the system interfaces with the kernel to perform operations required by applications or through the use of the shell, you may have to deal with a potential point of attack, exploited by a rootkit with the aim of altering the normal flow of information and then undermine the proper functioning of Windows.

Before a function that can interface with the operating system kernel can be invoked, it must first be imported by the application that intends to use it. This means that the library (DLL file) containing the function must be loaded in the memory space used by the application and added to a special table called Import Address Table. This is another opportunity for a rootkit to change the normal flow of information.

Another method widely used by attackers, and rootkit developers, to alter the procedure for executing code in user mode is often referred to inline (function) patching or inserting trampolines. The rootkit, in this case, modifies the first bytes that characterize the targeting function. Thus, the rootkit can filter the data output from the function. The possibilities are endless: the rootkit can, for example, remove a file from a list of files in a given folder. So you can hide malicious files from the user, the operating system, and installed applications that are linked to the operation of the rootkit or other malware.
 
D

Deleted member 69059

Thread author
CPL1 has been used before by software which is compatible on Windows however. An example would be VirtualBox, which hosts the Guest OS's Kernel in Ring 1. You can read more about this here: Chapter 10. Technical background
I did not know that VB worked in ring1, but after reading the link you have posted, I think that It has a lot of logic from the point of view of safety and stability.

There may have been times in the past where this was not the case, but I am yet to be told otherwise regarding modern versions of Windows relying on Ring 0 and Ring 3.
From what I have read, OS/2 operated in 3 rings (ring0 for kernel, ring2 for providing acces to physical devices and ring 3 for user applications), maybe Windows 2x or 3x also supported 3 rings (at that time MS and IBM shared code), I dont know.

By the way, I see that you have a lot of knowledge about Windows at low level, but you are not participating in this forum, so, are you in another forum or have a blog in wich you publish usefull information like this?

PS: I'm not a native english speaker, so I'm sorry if syntax or use of certains words is not correct. Thanks.
 
  • Like
Reactions: vtqhtr413 and AtlBo

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
We can speculate and share half-baked information around the camp-fire (with marsh-mellows and hot chocolate) all night long but the lesson to be learnt here today is that if you are aimlessly posting about topics which you do not understand properly, nor have any real world experience with those topics (copy-pasting does not count and neither does pretending to have experience because you managed to run a few Google searches and read a few comments from a programming forum), it is going to end in tears.
Silly comments against me but your post doesn't change things for me and don't tell me that during your courses/job you’ve implemented everything, tried everything and came accross every problem you could find, because this is just a BULLSHIT!

For example.

Do you understand why a hash table needs to be rehashed ?
Yes? So you have implemented one and tried to optimize it...right!?

Do you really understand SQL indexes (and use them properly)?
Yes? So you know what data cardinality is and how it affects binary trees... right!?

Do you really understand OS scheduling?
Yes? So you have tried to implement a minimal kernel yourself and saw the problematics behind it....right!?

Do you really understand the difference between reserved and committed memory? Yes? So you have implemented even the simplest memory allocator just for the ##### of it....right!?

I firmly think and ALWAYS say that there are two kinds of knowledge:

1) the one you have because someone explained to you something and you understood that or not;
2) the one you get because you bang yourself against the same problems and you find out the best solution for the problem.

I go for the second one so I hope you understand that I don't need lessons from you or anyone else!

I'm done here.
 

JM Safe

Level 39
Verified
Top Poster
Apr 12, 2015
2,882
I've never said that during my "courses/job" I've "implemented everything, tried everything and came across every problem you could find". How is this relevant anyway?


Right. Once again, more nonsense?

You jumped onto a thread where someone had asked a question and decided to respond to them. In doing so, you shared a bunch of nonsense and then threw a temper tantrum when you were told that you were wrong/had misunderstood about some things. Now you're spamming the thread with more nonsense so you can feel "satisfied".

It looks like to me that you've thrown a temper tantrum to try and move attention away from yourself, even though you've done the complete opposite and just made more of a fool of yourself in the process of doing this. Congratulations. :X3:
I think you will not receive any like with this latest post. Do you know why? Because MT is a place where we can share knowledge and exchange opinions, not make offensive and useless posts, maybe just to demonstrate you are an experienced C/C++/ASM developer. If you are really a skilled security developer try to implement an HIPS/BB/Autosandbox technology to isolate untrusted EXE and then we can re-talk. I hope in your understanding.
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
I've never said that during my "courses/job" I've "implemented everything, tried everything and came across every problem you could find". How is this relevant anyway?


Right. Once again, more nonsense?

You jumped onto a thread where someone had asked a question and decided to respond to them. In doing so, you shared a bunch of nonsense and then threw a temper tantrum when you were told that you were wrong/had misunderstood about some things. Now you're spamming the thread with more nonsense so you can feel "satisfied".

It looks like to me that you've thrown a temper tantrum to try and move attention away from yourself, even though you've done the complete opposite and just made more of a fool of yourself in the process of doing this. Congratulations. :X3:

LOL!! As I said, your stupid opinions don't change things and relax that life is so short.
The point is that in this forum people say their opinion on technical topics.
Opinions based on their own experience and knowledge trying to help other members and this for free and with cooperation spirit.
If you have a better background, this can mean that actually you are an expert or ... you copy/paste better than me... (according to your "logic")

As you have noticed, I have not quoted the technical part of your first post, but the second one where you attack me as a rookie, copy/paste guy, etc....etc....
You can say these things to your son or brother but not to me or any other members of this forum because that means you're not part of the spirit of this forum.
I believe that no one cries if you leave MT.
 

Weebarra

Level 17
Verified
Top Poster
Well-known
Apr 5, 2017
836
Errr o_O @Deadlock, this forum and the threads within are for everyone to join in if that's what they wish to do. Their is no ownership ! @tim one posted on this thread almost 2 years and the OP was actually having a conversation with him so he hasn't exactly "hijacked" it, he has returned to an old thread which he took part in.

Please think of new members (and the current ones) who are considering joining this forum and may be reading things, they may look in and think F this. Everyone can have an opinion and has a right to voice that but there is no need to be throwing insults around, it gets you nowhere in life.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top