Sinaei

@Intel80x86

Windows Internals enthusiast, Curious about Hardware and Processors. DM is open.

Joined: July 2012

Media

  1. 12 Jan

    If you wanna know how effective it is to have a cache in your processor, then set up a Windbg local debugging session, clear the 11th bit of the IA32_MTRR_DEF_TYPE MSR (0x2ff), and you just can't bear your computer anymore. 🤓

  2. 6 Jan

    I don't know about you but I'm feeling 22 🥳🥳🥳😊

  3. 15 Dec 2019

    (3/3) And then it would be possible to point to other _OBJECT_TYPEs like ALPC_OBJECT and trigger this vulnerability as it was possible to control the behavior of callbacks in these objects.

  4. 15 Dec 2019

    (2/3) Take a look at the following slides from : It seems that if they hadn't XORed TypeIndex with nt!ObHeaderCookie, then it would have been possible to modify the nt!_OBJECT_HEADER.TypeIndex of each object (for example in the case of a pool overflow),

  5. 15 Dec 2019

    (1/3) If you read the first part of "Reversing Windows Internals" then you probably read this paragraph: in our example we see that (TypeIndex : 0x7a) and its index is not 0x7a! It turns out that in Windows 10 they decided not to point directly to the index. Let me tell you why!

  6. 20 Oct 2019

    [5/7] HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SysmonDrv\Parameters in the registry, which is responsible for Sysmon configuration, and at last I execute the following PoC and it completely bypasses Sysmon

  7. 20 Oct 2019

    [2/7] event which indicates that updates are changed. During the past days I was working to see how Sysmon works; it turns out that there are 4 IOCTLs for this tool. The most interesting for our case is 0x83400008. This IOCTL is for updating rules,

  8. 20 Oct 2019

    [1/7] Hey, if you use Sysmon in your EDR or any other security products then you should not trust “16. Sysmon config states change”, as it comes from a user-mode app directly and an attacker can update Sysmon’s configuration without generating any

  9. 14 Oct 2019
  10. 5 Oct 2019

    If you need a fast/light way to instrument and save each instruction (with general purpose & r/e flags) in all levels of execution (User-mode/Kernel-mode/Hypervisor) then use my new customized version of QEMU.

  11. 9 Sep 2019

    (1/2) I remember a few weeks ago and during a conference, I asked Prof. Onur Mutlu about timing measurements in Intel. The question was why major OSs like Windows, Linux won’t forget about RDTSC & RDTSCP in User-mode (some exact timing features in user-mode will not work anymore)

  12. 24 Aug 2019

    This is Windbg JavaScript code + an IDAPython script; you can save the code coverage and use it later with other information like registers and memory contents in IDA comments. Many thanks to my friends and for their help. Demo:

  13. 24 Aug 2019

    The first version of my new plugin (Windbg2IDA) is released. Using this plugin, you’ll be able to dump each step in Windbg, then see the code coverage results in IDA; you can also compare two or more dumps w/ different colors & lots of other cool features.

  14. 12 Aug 2019

    This is the guilty function that causes the error in all my Hypervisor tests. It's neither in the context of my process nor in the code of the Hypervisor driver, and sometimes before this error all processes start to (stack overflow). It happens in all revisions of my EPT code.

  15. 7 Jul 2019

    (5/6) with a TRIPLE FAULT VM-Exit. It won’t give you the exact error. This bug occurs every time I load my hypervisor driver and start my VMM, so try to fix it guys. Here is mine:

  16. 7 Jul 2019

    (4/6) But it seems that in Windows 10 1903, the Microsoft compiler decides to use MOV CR3, RSP (I didn’t see this in Windows before), and as you saved trash instead of RSP (or you saved the RSP of the host, which is not valid), you change CR3 to an invalid value and it silently crashes.

  17. 7 Jul 2019

    (3/6) Almost every case that I see is ignoring RSP and saving some trash instead of it; that’s because the RSP of the guest is already saved in GUEST_RSP in the VMCS and after VMRESUME it’s loaded automatically, and you know, our current RSP is invalid (it’s the host RSP).

  18. 7 Jul 2019

    (1/6) If you’re a developer, please pay attention to these tweets, as it wasted a significant amount of time for me to find the cause and fix the bug, and I see the same bug in many of the open source hypervisors available on GitHub.

  19. 30 Jun 2019

    It seems there is some kind of problem with UIPI in Windows. When you SendMessage from a low integrity process, even though UIPI allows some kinds of messages like WM_GETTEXT, it still sets 0x5 (access denied) in GetLastError(). This is opposed to what MSDN describes, also

  20. 23 May 2019
