Internals Blog – Winsider Seminars & Solutions Inc.
Porting Cycle-Based CPU Usage to ARM64
In this post I will share my story porting System Informer’s cycle-based CPU usage to ARM64. I’ll explain the difference in CPU cycle tracking on Windows ARM64, compare time-based vs cycle-based measurements, and describe how System Informer calculates and displays this information....
Secure Kernel Research with LiveCloudKd...
Let’s say you want to research the secure kernel. You heard about hypervisors and VTL1 and you’d like to see it for yourself, and static analysis is just not always good enough. You need a debugger. You immediately run into...
Troubleshooting a System Crash...
One day my system started crashing. A lot. Multiple blue screens per day, with a few different error codes. The worst part – even though my system was configured to collect full memory dumps, no crash dumps were generated (not even mini dumps). They failed to get written every single time, so I couldn’t analyze them...
KASLR Leaks Restriction...
In recent years, Microsoft has focused its efforts on mitigating bug classes and exploitation techniques. In latest Windows versions this includes another change that adds a significant challenge to attackers targeting the Windows kernel — restricting kernel address leaks to user mode....
Investigating Filter Communication Ports...
If you spent any time writing or researching filter drivers, you may have run into filter communication ports. This is a standard communication method between a filter driver and its user-mode...
An End to KASLR Bypasses?...
Edit: this post initially discussed the new changes only in the context of KASLR bypasses. In reality this new event covers other suspicious behaviors as well and the post was edited to reflect that. The title is left as it was for convenience....
Understanding a New Mitigation: Module Tampering Protection...
A few months ago, I spoke at Paranoia conference about obscure and undocumented mitigations. Following the talk, a few people asked how I found out about these mitigations and how I figured out what they d...
One I/O Ring to Rule Them All: A Full Read/Write Exploit Primitive on Windows 11...
This blog post will cover the post-exploitation technique I presented at TyphoonCon 2022. For anyone interested in the talk itself, I’ll link the recording here when it becomes available. This technique is a post exploitation primitive unique to Windows...
One Year to I/O Ring: What Changed?...
It’s been just over a year since the first version of I/O ring was introduced into Windows. The initial version was introduced in Windows 21H2 and I did my best to document it here, with a comparison to the...
HyperGuard Part 3 – More SKPG Extents...
Hi all! And welcome to part 3 of the HyperGuard chronicles! In the previous blog post I introduced SKPG extents – the dat...
An Exercise in Dynamic Analysis...
Analyzing the PayloadRestrictions.dll Export Address Filtering This post is a bit different from my usual ones. It won’t cover any new security features or techniques and won’t share any novel security research. Instead, it will guide you through the process of analyzing an unknown mitigation th...
HyperGuard – Secure Kernel Patch Guard: Part 2 – SKPG Extents...
Welcome to Part 2 of the series about Secure Kernel Patch Guard, also known as HyperGuard. This part will start describing the data structure and components of SKPG, and more specifically the way it’s activated. If you missed Part 1, you can find it right...
HyperGuard – Secure Kernel Patch Guard: Part 1 – SKPG Initialization...
This will be a multi-part series of posts describing the internal mechanisms and purpose of Secure Kernel Patch Guard, also known as HyperGuard. This first part will focus on what SKPG is and how it’s being initialized. Overview...
IoRing vs. io_uring: a comparison of Windows and Linux implementations...
A few months ago I wrote this post about the introduction of I/O Rings in Windows. After publishing it a few people asked for a comparison of the Windows I/O Ring and the Linux io_uring, so I decided to do just t...
I/O Rings – When One I/O Operation is Not Enough...
Introduction I usually write about security features or techniques on Windows. But today’s blog is not directly related to any security topics, other than the usual added risk that any new system call introduces. However, it’s an interesting addition to the I/O world in Windows that could be useful for developers and I thought it would...
Thread and Process State Change...
a.k.a: EDR Hook Evasion – Method #4512 Every couple of weeks a new build of Windows Insider gets released. Some have lots of changes and introduce completely new features, some only have minor bug fixes, and some simply insist on crashing repeatedly for no good reason. A few months ago one of those builds h...
Exploiting a “Simple” Vulnerability, Part 2 – What If We Made Exploitation Harder?...
Introduction In a previous post I went over vulnerability CVE-2020-1034, which allows arbitrary increment of an address, and saw how we can use some knowledge o...
Exploiting a “Simple” Vulnerability – Part 1.5 – The Info Leak...
Introduction This post is not actually directly related to the first one and does not use CVE-2020-1034. It just talks about a second vuln...
CET Updates – Dynamic Address Ranges...
In the last post I covered one new addition to CET – relaxed mode. But as we saw, there were a few other interesting additions. One of them is CetDynamicApisOutOfProcOnly, which is the one I...
Exploiting a “Simple” Vulnerability – In 35 Easy Steps or Less!...
Introduction In September MS issued a patch that fixed the CVE-2020-1034 vulnerability. This is a pretty cool and relatively simple vulnerability (increment by...
DPWs are the new DPCs : Deferred Procedure Waits in Windows 10 21H1...
With the Windows 21H1 (Iron/“Fe”) feature complete deadline looming, the last few Dev Channel builds have had some very interesting changes and additions, which will probably require a few separate blog posts to cover fully. One of those was in a surprising part of the code – object wait dispatching. The new build introduced a few new functions:...
CET Updates – CET on Xanax...
Windows 21H1 CET Improvements Since Alex and I first published our first analysis of CET, Windows’ support for user-mode CET received a few important changes that should be noted. We can easily spot most of them by looking at the changes to the MitigationFla...
Critical, Protected, DUT Processes in Windows 10...
We are all familiar with Microsoft’s love for creating new and exciting ways to prevent certain processes from being terminated by the user. First were Critical processes in Windows XP 64-bit and Server 2003, which crashed the kernel if you killed them. Then, came Protected Process Light (PPL) in Windows 8.1, which prevented you from killing them at all. Perhaps it...
Secure Pool Internals : Dynamic KDP Behind The Hood...
Starting with Windows 10 Redstone 5 (Version 1809, Build 17763), a lot has changed in the kernel pool. We won’t talk about most of these changes, that will happen in a 70-something page paper that will be published at some point in the future when we can find enough time and ADHD meds to finish it....
PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth (CVE-2020-1048 & more)...
We promised you there would be a Part 1 to FaxHell, and with today’s Patch Tuesday and CVE-2020-1048, we can finally talk about some of the very exciting technical details of the...
Faxing Your Way to SYSTEM — Part Two...
“Part two?”, you ask. “Where’s part one?”, you wonder. In this blog post, we are doing things backwards — first publishing a Part Two, with a theoretical “What if?” scenario, and then we’ll follow with a Part One to fill in our gap. Posit a DLL Hijack...
Symbolic Hooks Part 4: The App Container Traverse-ty...
After getting the driver in Part 3 of our blog to load and adding a DbgPrintEx statement in our hook, we managed to get all the paths that were being opened without crashing the machine. We got really excited thinking we were done. But as soon as we clicked on the Start Menu, we noticed th...
Symbolic Hooks Part 3: The Remainder Theorem...
We ended the second part with, unsurprisingly, a bugcheck. We tried to redirect all access to the C: volume to our device in order to get information about all the paths that are being accessed, but the first time anyone tried opening the C: volume itself, the I/O manager threw...
Symbolic Hooks Part 2 : Getting the Target Name...
In our last blog part, we concluded with a working callback, but no information about the path being opened. Of course, we could get it from the stack since it should be saved there somewhere, but we thought there must be a more elegant way. We also wanted to avoid writing a book on...
“Move aside, signature scanning!” Better kernel data discovery through lookaside lists...
Introduction A while ago we did some research. That specific project might be published at some other time in the future and we won’t go into too much detail about it here. But as part of this project we wanted to gain access into an internal data structure used by some driver. Sadly, the driver’s global pointer to this data structure is not exported,...
DKOM – Now with Symbolic Links!...
You might think “What can ANYONE still say about kernel callbacks? We’ve already seen every callback possible – there are process creation callbacks, object type callbacks, image load notifications, callback objects, object type callbacks, host extensions… there can’t be any more kinds of callbacks. Right? Right…?” Nop...
R.I.P ROP: CET Internals in Windows 20H1...
A very exciting thing happened recently in the 19H1 (Version 1903) release of Windows 10 – parts of the Intel “Control-flow Enforcement Technology” (CET) implementation finally began, aft...
Hosted with ❤️ by SourceForge
System Informer
- A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.
- Copyright © Winsider Seminars & Solutions, Inc.