Sinaei

@Intel80x86

Windows Internals enthusiast, Curious about Hardware and Processors. DM is open.

Joined: July 2012

Tweets


  1. Pinned tweet
    9 Dec 2019

    I decided to create a tutorial called "Reversing Windows Internals" and explain Windows Internals. The first part describes Handles, Callbacks and Hidden Callbacks and ObjectTypes in Windows. Thanks to for answering my questions.

  2. 2 Feb
  3. 20 Jan

    The 7th part of the tutorial Hypervisor From Scratch is published! In this part, I described EPT. Thanks to Petr as Hypervisor From Scratch could never have existed without his help and to Alex for patiently answering my questions.

  4. Retweeted
    18 Jan

    Just finished writing my second windows kernel Practical Reverse Engineering solution: "Dumping DPC Queues: Adventures in HIGH_LEVEL IRQL" 🥳 Writing signatures for undocumented windows kernel stuff in HIGH_LEVEL IRQL sure is fun (BSODs are also fun)😎

  5. Retweeted
    16 Jan

    After a lot of work and some crypto-related delays, I couldn't be more proud to publish 's and my latest research - The complete overview of CET internals on Windows (so far!):

  6. 14 Jan

    Is it too early to expect a new Windows Research Kernel (WRK)? 🤔

  7. 12 Jan

    If you wanna know how effective it is to have a cache in your processor, then set up a Windbg local debugging session and then clear the 11th bit of the IA32_MTRR_DEF_TYPE MSR (0x2ff), and you just can't bear your computer anymore. 🤓

  8. Retweeted
    10 Jan

    Things got kinda busy around Christmas time, but if anyone is interested, here is a quick blog post I did on a silently patched info leak in NtGdiEnsureDpiDepDefaultGuiFontForPlateau() which was patched in the November 2019 patches.

  9. 6 Jan

    I don't know about you but I'm feeling 22 🥳🥳🥳😊

  10. Retweeted
    17 Dec 2019

    New blog post outlining how to use my .NET RPC Client tooling from PowerShell and C# to test and exploit local RPC security vulnerabilities. Also an early xmas present for those who enjoy long standing design flaws in UAC :-)

  11. Retweeted
    15 Dec 2019

    So I translated 's article on Exploitation and the internals of Windows 10 RS5 (Userspace) for myself, and Saar suggested I upload it for everyone, so why not :) I hope this helps as it helped me, thank you Saar!

  12. 15 Dec 2019

    (3/3) And then it would be possible to point to other _OBJECT_TYPEs like ALPC_OBJECT and trigger this vulnerability as it was possible to control the behavior of callbacks in these objects.

  13. 15 Dec 2019

    (2/3) Take a look at the following slides from : Seems that if they didn't XOR TypeIndex with nt!ObHeaderCookie, then it was possible to modify the nt!_OBJECT_HEADER.TypeIndex of each object (for example in the case of a pool overflow),

  14. 15 Dec 2019

    (1/3) If you read the first part of "Reversing Windows Internals" then you probably read this paragraph: in our example we see that (TypeIndex : 0x7a) and its index is not 0x7a! It turns out that in Windows 10 they decided to not directly point to the index. Let me tell you why!

  15. 9 Dec 2019

    Thanks to and , I added 3 updates to my recently published post. If you've read it before, you can search for "update 1" and see the updates. 🧐

  16. 26 Nov 2019

    cc , you might be interested in this

  17. 26 Nov 2019

    Wow, this classification about process injection APIs is amazing 👌

  18. 20 Oct 2019

    [7/7] The PoC for IOCTL and sample config that bypasses Sysmon is here :

  19. 20 Oct 2019

    [6/7] So if you’re a security product developer you have to consider any changes to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SysmonDrv\Parameters as a critical indicator of an attack.

  20. 20 Oct 2019

    [5/7] HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SysmonDrv\Parameters in the registry which is responsible for Sysmon configuration and at last, I execute the following PoC and it completely bypasses Sysmon
