Tweets by @jonasLyk (Jonas L)
So, even though we ran our own file in omgwtfbbq, it is recorded as running from the sysarm32 folder. Variants of this could be interesting to experiment with EDR. The same principles apply to the "sysnative" folder ;) pic.twitter.com/JnqyogJBxY
C:\Windows\sysarm32::$index_allocation will always refer to my folder, even if I am a 32-bit program. pic.twitter.com/QD7PmfooAd
Inside I put cmd.exe (32-bit) and cmd64.exe (64-bit); that is why I first see my folder when listing sysarm32, but after becoming 32-bit (by running a file inside) the sysarm32 folder now becomes system32 and my files are gone (not really).
Alright, played around a bit and made an interesting way to spoof the execution image name. For this trick we are gonna mix: 1. Every file/dir can have 2 filenames. 2. For 32-bit apps \windows\sysarm32 == \windows\system32. First make \windows\omgwtfbbq with shortname sysarm32. pic.twitter.com/hjLpChinO5
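The thread above relies on a directory's 8.3 short name colliding with a name the WOW64 file-system redirector maps for 32-bit processes. The following PowerShell script is an added defensive example, not code from the tweets: it enumerates the subfolders of the Windows directory via the Scripting.FileSystemObject COM object (which exposes each folder's short name) and reports any folder whose short name matches one of the redirected names while its long name is something else. The function name, parameter names and the exact list of flagged names are this example's own assumptions; sysarm32 and sysnative come from the thread, system32 and syswow64 are the standard redirector targets.

```powershell
# Added example: find C:\Windows subfolders whose 8.3 short name collides with a
# name the WOW64 redirector treats specially. A folder whose long name already is
# one of these names is the genuine directory; a different long name carrying that
# short name is the case worth investigating (function/parameter names are
# this example's own).
function Find-RedirectorNameCollision {
    param(
        [string]$WindowsDir = "$env:SystemRoot",
        # Names the WOW64 redirector maps for 32-bit processes (assumed list).
        [string[]]$RedirectedNames = @('system32', 'syswow64', 'sysnative', 'sysarm32')
    )

    # Scripting.FileSystemObject exposes the short (8.3) name of each folder.
    $fso  = New-Object -ComObject Scripting.FileSystemObject
    $root = $fso.GetFolder($WindowsDir)

    foreach ($sub in $root.SubFolders) {
        $shortName = $sub.ShortName
        if (-not $shortName) { continue }   # 8.3 name generation may be disabled

        $shortLower = $shortName.ToLowerInvariant()
        $longLower  = $sub.Name.ToLowerInvariant()

        # Flag only when the short name is a redirected name AND the long name differs.
        if (($RedirectedNames -contains $shortLower) -and ($longLower -ne $shortLower)) {
            [pscustomobject]@{
                LongName  = $sub.Name
                ShortName = $shortName
                Path      = $sub.Path
                Created   = $sub.DateCreated
            }
        }
    }
}

# Usage: run from an elevated prompt on the host being inspected.
Find-RedirectorNameCollision | Format-Table -AutoSize
```

The script only sees the names present on disk; the redirection itself happens at runtime inside the 32-bit process, which is why the tweets show the folder listing change after "becoming 32-bit". Whether new 8.3 names are generated on a volume can be checked with `fsutil 8dot3name query C:`; stripping existing short names changes paths that older software may have stored in short form, so that step should be tested before being applied broadly.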
Jonas L Retweeted: Perfect present for the 25th anniversary of the Sysinternals Suite for Mark Russinovich https://twitter.com/binitamshah/status/1452272220433223680
OK, I think that vail is inside the recovery.wim; it is a shielded hidden VM, and it seems to be debugging the hypervisor. It is what launches other VMs. https://pastebin.com/raw/xz4Ah57j
It appears dtrace is loaded by the vail OS, and that is not the OS that I am in... vail also seems to prepare VM images and launch them. pic.twitter.com/ZEdfaTuj84
This log file I think is about the "setupos", another OS it can boot into to do updates. pic.twitter.com/qNUUbTGmAU
I think maybe this file enables altering the boot flow; my recovery WIM file grows to 700 from 400, and I think it always boots into the OS in there first? This does not seem like a good idea, as by default the recovery partition allows unprivileged users to write. pic.twitter.com/81iG55uxY9
bootsvc.dll - used for booting up into a layered filesystem disc - part of Storage Spaces I think. pic.twitter.com/QtIkfNGyAb
This I think is the "container OS"; then nested virtualization is used in addition. pic.twitter.com/BTepEPF84N
There is a new trustlet that is used for a cross-VM PKI hierarchy: https://pastebin.com/raw/DcpWEvRX
So, in the "bootos" we find this: this indicates that there is at minimum the capability to deploy shielded VMs. I think they would be deployed using the new TPM 2.0 deployment method. pic.twitter.com/GMGpfMrB5m
The same environment used for WDAG/Sandbox. I haven't figured out exactly how the boot process works, or maybe I have; I just need to verify.
This UEFI environment establishes a VMBus where a complete VM and filesystem can boot off. The following patent describes it: https://uspto.report/patent/app/20210182078 pic.twitter.com/MQS9x9Q5r6
The host-based VPN is focused around requiring a VPN for the higher privileged VM if it needs to connect to the internet. For the host-based VPN, Hysolate can run VPN authentication in the hypervisor VM so that the user cannot tamper with the VPN and credentials aren’t exposed.