Alex Ionescu
Windows Internals Expert, Security Ninja, and Embedded ARM Kernel Guru.
4,330 Tweets | 962 Following | 24,932 Followers
Alex Ionescu Jan 21
"Sightings". You keep using that word. I do not think it means what you think it means.
Alex Ionescu Jan 20
Yep :)
Alex Ionescu Jan 20
Think about it. ImageFileName only has 15 bytes.
Alex Ionescu Jan 20
seauditprocesscreateinfo
Alex Ionescu Jan 18
Replying to @argvee @parityzero
Remember that the S in IoT stands for security
Alex Ionescu Jan 16
Replying to @knweiss @fugueish
That’s easy — only the software registered as the user’s AV component in security center is supposed to set this key. Many vendors don’t follow the procedure to register in this center though (because of strict requirements).
Alex Ionescu Jan 16
Replying to @MalwareJake
It’s made even worse by the lack of true KASLR on x86 and the tiny kernel address space. You can meltdump it in seconds. But without bringing segmentation back there’s no easy fix.
Alex Ionescu Jan 16
Replying to @flintginger
Je BEZ le BIZ mec.
Alex Ionescu Jan 16
Replying to @scripterv
Using INVPCID for Variant 3.
Alex Ionescu Jan 16
In a world where most “next gen” vendors didn’t even bother to set the registry key to allow the Windows and patches (or any future ones), we not only made sure we’d set the key, but also built a dashboard to help customers fully understand their patch status.
Alex Ionescu Jan 14
Replying to @tehcaster @tehjh and 2 others
Hardware**
Alex Ionescu Jan 14
Replying to @agl__ @Taiki__San
Windows in fact checks for that bit and MSR to decide that Variant 3 has been fixed in software
Alex Ionescu Jan 14
No modifications needed
Alex Ionescu Jan 14
Should work on any OS with some minor structure differences
Alex Ionescu Jan 14
There are easy info leaks to find them
Alex Ionescu Jan 14
I assumed unprivileged creds/guest account/etc, vs getting admin creds. But you’re right, you still need to be in that box in some way.
Alex Ionescu Jan 14
No need to fish or provide creds. Your PE exploit gets detected and blocked by EDR/NGAV and leaves a trail. And gets patched. The reason these vulns are different is that none of that holds true. But I agree the sky isn’t falling.
Alex Ionescu Jan 14
How does your attacker elevate privileges?
Alex Ionescu Jan 14
Replying to @kelvin1272011
They stuff the RSB because returns can bypass the BTB if it’s full.
Alex Ionescu Jan 14
Yep that’s correct!