James Forshaw

@tiraniddo

Security researcher in Google Project Zero. Author of Attacking Network Protocols. Tweets are my own etc.

United Kingdom
Joined July 2009

Tweets


  1. Pinned Tweet
    18 Dec 2017

    My book's finally here, just in time for Xmas. Thanks to and for all their time and effort, as well as my friend for doing the foreword. Hope anyone who's bought it is seeing final copies arriving. And it's a dog on the cover BTW 🙂

  2. Retweeted

    Can your EDR detect symbolic link callback rootkits? Because ours sure as heck can't. and I wrote about these!

  3. Retweeted
    Jan 31

    I hope my last 3 write-ups have covered the subject of filesystem bugs enough. It talks about discovery using procmon, and also PoC writing now. You can just copy-paste from the PoC on GitHub for a lot of bugs, I guess. I hope it helps get at least one person into the field.

  4. Retweeted
    Jan 30

    Just published a follow-up to my Adobe Reader symbols story on the Project Zero blog. Turns out there's even more debug metadata to be found in some old (and new) builds, including private CoolType symbols. Enjoy!

  5. Jan 29

    A quick post on why you shouldn't use SYSTEM Tokens when you sandbox a process. Part 1 of N (where I haven't decided how big N is).

  6. Retweeted
    Jan 28

    Excited to start the new year with CVE-2020-3842 :) It's a fun one and unlike the other bugs I've reported so far, so I'm looking forward to (responsibly) disclosing it.

  7. Retweeted
  8. Jan 27

    Whatever you do don't run the PS/NtObjectManager command '[NtApiDotNet.CreateUserProcess]::Fork("IgnoreSectionObject", 0)' on Windows 10 1909. I did and I was very sad, so just don't!

  9. Retweeted
    Jan 25

    Just finished the write-up of my learning process to replicate CVE-2019-19470. I also published the source code for the exploit and a Masquerade-PEB in C#. Hope you enjoy!

  10. Retweeted

    Advance copy. Coming soon!

  11. Jan 24

    Interesting recent change (at least in 1903) to SeTokenCanImpersonate, which determines whether you can impersonate an access token. The Session ID is now checked, so that you can't impersonate same-user session 0 tokens from outside session 0.

  12. Retweeted

    We updated the Security Servicing Criteria for Windows today clarifying a non-boundary (Hyper-V Administrator Group) & expanding the Administrator-to-Kernel non-boundary. We do this periodically in response to research trends; feedback is always welcome.

  13. Retweeted
    Jan 22

    This is a bigger problem than Safari's ITP introducing far more serious privacy vulnerabilities than the kinds of tracking that it's supposed to mitigate. The cross-site search and related side-channels it exposes are also abusable security vulnerabilities.

  14. Jan 22

    I know MS is not one big joined-up company, but this really isn't a good look from a security POV. Especially hypocritical considering how much obfuscation MS themselves put into Windows 10 to try and prevent user preference hijacking (unless you're Edge, of course).

  15. Retweeted
    Jan 20

    The wait is finally over! Registration & schedule for 2020 are live. Places are limited so register NOW:

  16. Retweeted
    Jan 20

    The 7th part of the tutorial Hypervisor From Scratch is published! In this part, I described EPT. Thanks to Petr as Hypervisor From Scratch could never have existed without his help and to Alex for patiently answering my questions.

  17. Jan 18

    Thanks, for saving me from an evil PCAP! 🤷‍♀️

    An error from Google Drive showing a PCAP for with an example of MS08-067 has been blocked.
  18. Jan 17

    And this is why I wrote my blog post about spoofing named pipe PIDs: no one should be using them as a security enforcement mechanism. Wonder how TinyWall fixed it? :-)

  19. Retweeted
    Jan 16

    To clarify the Windows crypto fail: the problem isn't in signature validation. The problem is the *root store/cache*. CryptoAPI considers an (attacker-supplied) root CA to be in the trust store if its public key and serial match a cert in the root store, ignoring curve params.

  20. Retweeted
    Jan 16

    After a lot of work and some crypto-related delays, I couldn't be more proud to publish 's and my latest research: the complete overview of CET internals on Windows (so far!):

  21. Retweeted
    Jan 15

    [Blog] Avira VPN Local Privilege Escalation. Uses some fun tricks to circumvent service DACL and integrity checks.
