Internals Blog – Winsider Seminars & Solutions Inc.
Porting Cycle-Based CPU Usage to ARM64

In this post I will share my story porting System Informer’s cycle-based CPU usage to ARM64. I’ll explain the difference in CPU cycle tracking on Windows ARM64, compare time-based vs cycle-based measurements, and describe how System Informer calculates and displays this information....

2023-02-04 - Johnny Shaw

Secure Kernel Research with LiveCloudKd

Let’s say you want to research the secure kernel. You heard about hypervisors and VTL1 and you’d like to see it for yourself, and static analysis is just not always good enough. You need a debugger. You immediately run into a problem: you can’t debug the secure kernel. Or secu...

2024-05-02 - Yarden Shafir

Troubleshooting a System Crash

One day my system started crashing. A lot. Multiple blue screens per day, with a few different error codes. The worst part – even though my system was configured to collect full memory dumps, no crash dumps were generated (not even mini dumps). They failed to get written every...

2024-01-29 - Yarden Shafir

KASLR Leaks Restriction

In recent years, Microsoft has focused its efforts on mitigating bug classes and exploitation techniques. In latest Windows versions this includes another change that adds a significant challenge to attackers targeting the Windows kernel — restricting kernel address leak...

2023-11-26 - Yarden Shafir

Investigating Filter Communication Ports

If you spent any time writing or researching filter drivers, you may have run into filter communication ports. This is a standard communication method between a filter driver and its user-mode process, implemented and managed by the filter manager (FltMgr.sys). The ports allow...

2023-01-04 - Yarden Shafir

An End to KASLR Bypasses?

Edit: this post initially discussed the new changes only in the context of KASLR bypasses. In reality this new event covers other suspicious behaviors as well and the post was edited to reflect that. The title is left as it was for convenience. In recent years, in addition to...

2022-11-23 - Yarden Shafir

Understanding a New Mitigation: Module Tampering Protection

A few months ago, I spoke at Paranoia conference about obscure and undocumented mitigations. Following the talk, a few people asked how I found out about these mitigations and how I figured out what they did and how they worked. So I thought I’d try to focus on one of those mi...

2022-08-16 - Yarden Shafir

One I/O Ring to Rule Them All: A Full Read/Write Exploit Primitive on Windows 11

This blog post will cover the post-exploitation technique I presented at TyphoonCon 2022. For anyone interested in the talk itself, I’ll link the recording here when it becomes available. This technique is a post exploitation primitive unique to Windows 11 22H2+ – there are no...

2022-07-05 - Yarden Shafir

One Year to I/O Ring: What Changed?

It’s been just over a year since the first version of I/O ring was introduced into Windows. The initial version was introduced in Windows 21H2 and I did my best to document it here, with a comparison to the Linux io_uring here. Microsoft also documented the Win32 functions. Si...

2022-04-29 - Yarden Shafir

HyperGuard Part 3 – More SKPG Extents

Hi all! And welcome to part 3 of the HyperGuard chronicles! In the previous blog post I introduced SKPG extents – the data structures that describe the memory ranges and system components that should be monitored by HyperGuard. So far, I only covered the initialization extent...

2022-04-19 - Yarden Shafir

An Exercise in Dynamic Analysis

Analyzing the PayloadRestrictions.dll Export Address Filtering This post is a bit different from my usual ones. It won’t cover any new security features or techniques and won’t share any novel security research. Instead, it will guide you through the process of ana...

2022-03-19 - Yarden Shafir

HyperGuard – Secure Kernel Patch Guard: Part 2 – SKPG Extents

Welcome to Part 2 of the series about Secure Kernel Patch Guard, also known as HyperGuard. This part will start describing the data structure and components of SKPG, and more specifically the way it’s activated. If you missed Part 1, you can find it right here. Inside Hy...

2022-02-17 - Yarden Shafir

HyperGuard – Secure Kernel Patch Guard: Part 1 – SKPG Initialization

This will be a multi-part series of posts describing the internal mechanisms and purpose of Secure Kernel Patch Guard, also known as HyperGuard. This first part will focus on what SKPG is and how it’s being initialized. Overview In the world of Windows security, PatchGuard is...

2022-01-01 - Yarden Shafir

IoRing vs. io_uring: a comparison of Windows and Linux implementations

A few months ago I wrote this post about the introduction of I/O Rings in Windows. After publishing it a few people asked for a comparison of the Windows I/O Ring and the Linux io_uring, so I decided to do just that. The short answer – the Windows implementation is almost iden...

2021-10-09 - Yarden Shafir

I/O Rings – When One I/O Operation is Not Enough

Introduction I usually write about security features or techniques on Windows. But today’s blog is not directly related to any security topics, other than the usual added risk that any new system call introduces. However, it’s an interesting addition to the I/O world in Window...

2021-05-24 - Yarden Shafir

Thread and Process State Change

a.k.a: EDR Hook Evasion – Method #4512 Every couple of weeks a new build of Windows Insider gets released. Some have lots of changes and introduce completely new features, some only have minor bug fixes, and some simply insist on crashing repeatedly for no good reason. A few m...

2021-04-20 - Yarden Shafir

Exploiting a “Simple” Vulnerability, Part 2 – What If We Made Exploitation Harder?

Introduction In a previous post I went over vulnerability CVE-2020-1034, which allows arbitrary increment of an address, and saw how we can use some knowledge of ETW internals to exploit it, give our process SeDebugPrivilege and create an elevated process. In this post I will...

2021-03-11 - Yarden Shafir

Exploiting a “Simple” Vulnerability – Part 1.5 – The Info Leak

Introduction This post is not actually directly related to the first one and does not use CVE-2020-1034. It just talks about a second vulnerability that I found while researching ETW internals, which discloses the approximate location of the NonPaged pool to (almost) any user....

2021-01-28 - Yarden Shafir

CET Updates – Dynamic Address Ranges

In the last post I covered one new addition to CET – relaxed mode. But as we saw, there were a few other interesting additions. One of them is CetDynamicApisOutOfProcOnly, which is the one I will be covering in this post and which was also backported to 20H1 and 20H2. But befo...

2021-01-09 - Yarden Shafir

Exploiting a “Simple” Vulnerability – In 35 Easy Steps or Less!

Introduction In September MS issued a patch that fixed the CVE-2020-1034 vulnerability. This is a pretty cool and relatively simple vulnerability (increment by one), so I wanted to use it as a case study and look at a side of exploitation that isn’t talked about very often. Mo...

2020-11-21 - Yarden Shafir

DPWs are the new DPCs : Deferred Procedure Waits in Windows 10 21H1

With the Windows 21H1 (Iron/“Fe”) feature complete deadline looming, the last few Dev Channel builds have had some very interesting changes and additions, which will probably require a few separate blog posts to cover fully. One of those was in a surprising part of the code –...

2020-11-09 - Yarden Shafir

CET Updates – CET on Xanax

Windows 21H1 CET Improvements Since Alex and I first published our first analysis of CET, Windows’ support for user-mode CET received a few important changes that should be noted. We can easily spot most of them by looking at the changes to the MitigationFlags2 field of...

2020-10-06 - Yarden Shafir

Critical, Protected, DUT Processes in Windows 10

We are all familiar with Microsoft’s love for creating new and exciting ways to prevent certain processes from being terminated by the user. First were Critical processes in Windows XP 64-bit and Server 2003, which crashed the kernel if you killed them. Then, came Protected Pr...

2020-08-03 - Yarden Shafir

Secure Pool Internals : Dynamic KDP Behind The Hood

Starting with Windows 10 Redstone 5 (Version 1809, Build 17763), a lot has changed in the kernel pool. We won’t talk about most of these changes, that will happen in a 70-something page paper that will be published at some point in the future when we can find enough time and A...

2020-07-12 - Yarden Shafir

PrintDemon: Print Spooler Privilege Escalation, Persistence & Stealth (CVE-2020-1048 & more)

We promised you there would be a Part 1 to FaxHell, and with today’s Patch Tuesday and CVE-2020-1048, we can finally talk about some of the very exciting technical details of the Windows Print Spooler, and interesting ways it can be used to elevate privileges, bypass EDR...

2020-05-12 - Yarden Shafir & Alex Ionescu

Faxing Your Way to SYSTEM — Part Two

“Part two?”, you ask. “Where’s part one?”, you wonder. In this blog post, we are doing things backwards — first publishing a Part Two, with a theoretical “What if?” scenario, and then we’ll follow with a Part One to fill in our g...

2020-04-30 - Yarden Shafir & Alex Ionescu

Symbolic Hooks Part 4: The App Container Traverse-ty

After getting the driver in Part 3 of our blog to load and adding a DbgPrintEx statement in our hook, we managed to get all the paths that were being opened without crashing the machine. We got really excited thinking we were done. But as soon as we clicked on the Start Menu,...

2020-03-24 - Yarden Shafir & Alex Ionescu

Symbolic Hooks Part 3: The Remainder Theorem

We ended the second part with, unsurprisingly, a bugcheck. We tried to redirect all access to the C: volume to our device in order to get information about all the paths that are being accessed, but the first time anyone tried opening the C: volume itself, the I/O manager thre...

2020-03-19 - Yarden Shafir & Alex Ionescu

Symbolic Hooks Part 2 : Getting the Target Name

In our last blog part, we concluded with a working callback, but no information about the path being opened. Of course, we could get it from the stack since it should be saved there somewhere, but we thought there must be a more elegant way. We also wanted to avoid writing a b...

2020-02-18 - Yarden Shafir & Alex Ionescu

“Move aside, signature scanning!” Better kernel data discovery through lookaside lists

Introduction A while ago we did some research. That specific project might be published at some other time in the future and we won’t go into too much detail about it here. But as part of this project we wanted to gain access into an internal data structure used by some driver...

2020-02-18 - Yarden Shafir & Alex Ionescu

DKOM – Now with Symbolic Links!

You might think “What can ANYONE still say about kernel callbacks? We’ve already seen every callback possible – there are process creation callbacks, object type callbacks, image load notifications, callback objects, object type callbacks, host extensions… there can’t be...

2020-01-31 - Yarden Shafir & Alex Ionescu

R.I.P ROP: CET Internals in Windows 20H1

A very exciting thing happened recently in the 19H1 (Version 1903) release of Windows 10 – parts of the Intel “Control-flow Enforcement Technology” (CET) implementation finally began, after years of discussion. More of this implementation is being added in every Wi...

2020-01-05 - Yarden Shafir & Alex Ionescu

System Informer

  • A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware.
  • Copyright © Winsider Seminars & Solutions, Inc.