Media
If you wanna know how effective it is to have a cache in your processor, then set up a Windbg local debugging session and clear the 11th bit of the IA32_MTRR_DEF_TYPE MSR (0x2ff), and you just can't bear your computer anymore.
(1/3) If you read the first part of "Reversing Windows Internals" then you probably read this paragraph: in our example we see that (TypeIndex : 0x7a) and its index is not 0x7a! It turns out that in Windows 10 they decided to not directly point to the index. Let me tell you why!

(2/3) Take a look at the following slides from @NTarakanov : http://www.powerofcommunity.net/poc2018/nikita.pdf … Seems that if they didn't XOR TypeIndex with nt!ObHeaderCookie, then it was possible to modify the nt!_OBJECT_HEADER.TypeIndex of each object (for example in the case of a pool overflow),

(3/3) and then it would be possible to point to other _OBJECT_TYPEs like ALPC_OBJECT and trigger this vulnerability, as it was possible to control the behavior of callbacks in these objects.
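As an added illustration of the TypeIndex thread above (this is not code from the thread or from any Microsoft source), the snippet below shows how the stored byte is decoded and why XORing it with nt!ObHeaderCookie blunts a single-byte corruption. The decode formula (TypeIndex ^ ObHeaderCookie ^ second-lowest byte of the header address) is the kernel's own since Windows 10; the type table contents, cookie and addresses are constructed sample values.

```python
# Added example, not code from the thread above: how Windows 10 derives the
# real object type from nt!_OBJECT_HEADER.TypeIndex. The formula is the
# kernel's (index = TypeIndex ^ ObHeaderCookie ^ second byte of the header
# address); the table contents, cookie and addresses are constructed samples.

# Constructed stand-in for nt!ObTypeIndexTable (index -> type name).
OB_TYPE_INDEX_TABLE = {
    0x07: "Process",
    0x11: "File",
    0x2E: "ALPC Port",
}


def header_address_byte(header_address: int) -> int:
    """Second-lowest byte of the _OBJECT_HEADER address, as used by the kernel."""
    return (header_address >> 8) & 0xFF


def encode_type_index(header_address: int, real_index: int, cookie: int) -> int:
    """Value the kernel stores in _OBJECT_HEADER.TypeIndex for an object."""
    return (real_index ^ cookie ^ header_address_byte(header_address)) & 0xFF


def decode_type_index(header_address: int, stored: int, cookie: int) -> int:
    """Inverse of encode_type_index: recover the index into ObTypeIndexTable."""
    return (stored ^ cookie ^ header_address_byte(header_address)) & 0xFF


def legacy_lookup(stored: int):
    """Pre-cookie behaviour: the stored byte is used as the index directly."""
    return OB_TYPE_INDEX_TABLE.get(stored)


def cookie_lookup(header_address: int, stored: int, cookie: int):
    """Windows 10 behaviour: decode first, then index the table."""
    return OB_TYPE_INDEX_TABLE.get(decode_type_index(header_address, stored, cookie))


if __name__ == "__main__":
    # Constructed sample: a Process object whose header sits at this address.
    addr, cookie = 0xFFFF8A0012345030, 0x2C
    stored = encode_type_index(addr, 0x07, cookie)           # 0x7B, not 0x07
    print(hex(stored), cookie_lookup(addr, stored, cookie))  # 0x7b Process
    # A corrupted byte that would have selected ALPC Port before the cookie
    # now decodes to an index that is not in the table at all.
    print(legacy_lookup(0x2E), cookie_lookup(addr, 0x2E, cookie))  # ALPC Port None
```

Without knowing the per-boot cookie and the header address, an overwritten byte resolves to an arbitrary index rather than a chosen type, which is the point of the mitigation the thread discusses.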
[1/7] Hey, if you use Sysmon in your EDR or any other security products then you should not trust “16. Sysmon config states change” as it comes from a user-mode app directly and an attacker can update Sysmon’s configuration without generating any \

[2/7] event which indicates that updates are changed. During the past days, I was working to see how Sysmon works; it turns out that there are 4 IOCTLs for this tool. The most interesting for our case is 0x83400008. This IOCTL is for updating rules, \

[5/7] HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SysmonDrv\Parameters in the registry which is responsible for Sysmon configuration and at last, I execute the following PoC and it completely bypasses Sysmon \
If you need a fast/light way to instrument and save each instruction (with general purpose & r/e flags) in all levels of execution (User-mode/Kernel-mode/Hypervisor) then use my new customized version of QEMU. https://github.com/SinaKarvandi/misc/blob/master/custom-qemu-for-instrumentation/readme.md …
(1/2) I remember a few weeks ago, during a conference, I asked Prof. Onur Mutlu about timing measurements in Intel. The question was why major OSs like Windows and Linux won’t forget about RDTSC & RDTSCP in User-mode (some exact timing features in user-mode will not work anymore)
The first version of my new plugin (Windbg2IDA) is released. Using this plugin, you’ll be able to dump each step in Windbg then see the code coverage results in IDA; you can also compare two or more dumps w/ different colors & lots of other cool features. https://windbg2ida.ntdebug.com

This is Windbg JavaScript code + an IDAPython script; you can save the code coverage and use it later with other information like registers and memory contents in IDA comments. Really thanks to my friends @amdgzi and @Shahriare8 for their help. Demo: https://www.youtube.com/watch?v=7A1uaLQkRlw …
This is the guilty function that causes the error in all my Hypervisor tests. It's neither in the context of my process nor in the code of the Hypervisor driver, and sometimes before this error, all processes start to (stack overflow). It happens in all revisions of my EPT code.
(1/6) If you’re a #hypervisor developer, please pay attention to these tweets, as it wasted a significant amount of time for me to find the cause and fix the bug, and I see the same bug in many of the open source hypervisors available on GitHub.

(3/6) Almost every case that I see ignores RSP and saves some trash instead of it; that’s because the RSP of the guest is already saved in GUEST_RSP in the VMCS and after VMRESUME it’s loaded automatically, and you know, our current RSP is invalid (it’s the host RSP).

(4/6) But it seems that in Windows 10 1903, the Microsoft compiler decides to use MOV CR3, RSP (I didn’t see this in Windows before), and as you saved trash instead of RSP (or you saved the RSP of the host, which is not valid), then you change CR3 to an invalid value and it silently crashes

(5/6) with a TRIPLE FAULT VM-Exit. It won’t give you the exact error. This bug occurs every time I load my hypervisor driver and start my VMM, so try to fix it, guys. Here is mine:
It seems there is some kind of problem with UIPI in Windows. When you SendMessage from a low integrity process, even though UIPI allows some kinds of messages like WM_GETTEXT, it still sets 0x5 (access denied) in GetLastError(). This is opposite to what MSDN describes, also