Tweets


  1. Nov 1

    So, even though we ran our own file in omgwtfbbq it is recorded as running from sysarm32 folder. Variants of this could be interesting to experiment with EDR. The same principles apply to the "sysnative" folder ;)

  2. Nov 1
  3. Nov 1

    C:\Windows\sysarm32::$index_allocation will always refer to my folder, even if I am a 32bit program.

  4. Nov 1

    Inside I put cmd.exe (32-bit) and cmd64.exe (64-bit). That is why I first see my folder when listing sysarm32, but after becoming 32-bit (by running a file inside) the sysarm32 folder now becomes system32 and my files are gone (not really).

  5. Nov 1

    Alright - played around a bit and made an interesting way to spoof the execution image name. For this trick we are gonna mix: 1. Every file/dir can have 2 filenames 2. For 32-bit apps \windows\sysarm32 == \windows\system32. First make \windows\omgwtfbbq with shortname sysarm32

  6. Retweeted
    Oct 24

    Perfect present for the 25th anniversary of Sysinternals Suite for Mark Russinovich )

  7. Aug 30

    OK - I think that vail is inside the recovery.wim. It is a shielded hidden VM; it seems to be debugging the hypervisor. It is what launches other VMs.

  8. Aug 30

    It appears dtrace is loaded by the vail OS - and that is not the OS that I am in... vail also seems to prepare VM images and launch them....

  9. Aug 30

    This log file I think is about the "setupos", another OS it can boot into to do updates.

  10. Aug 30

    I think maybe this file enables altering the boot flow; my recovery wim file grows to 700 from 400 and I think it always boots into the OS in there first? This does not seem like a good idea, as by default the recovery partition allows unprivileged users to write.

  11. Aug 30

    bootsvc.dll - used for booting up into a layered filesystem disk - part of Storage Spaces I think.

  12. Aug 30

    Quite some kernel extensions are used:

  13. Aug 30
  14. Aug 30

    This I think is the "container OS"; then nested virtualization is used in addition.

  15. Aug 30

    There is a new trustlet that is used for a cross-VM PKI hierarchy.

  16. Aug 30

    So, in the "bootos" we find this: This indicates that there is at minimum the capability to deploy shielded VMs. I think they would be deployed using the new TPM 2.0 deployment method.

  17. Aug 30

    The same environment used for WDAG/Sandbox. I haven't figured out exactly how the boot process works - or maybe I have, I just need to verify.

  18. Aug 30

    This enables a VM to boot up like this:

  19. Aug 30

    This UEFI environment establishes a VMBus which a complete VM and filesystem can boot off. The following patent describes it:

  20. Aug 30

    The host-based VPN is focused around requiring a VPN for the higher privileged VM if it needs to connect to the internet. For the host-based VPN, Hysolate can run VPN authentication in the hypervisor VM so that the user cannot tamper with the VPN and credentials aren’t exposed.
