Alex Ionescu
Windows Internals Expert, Speaker, Trainer and Security Researcher.
5,077 Tweets | 1,158 Following | 28,157 Followers

Tweets
Alex Ionescu 19h
Petr is a national treasure. Someone give him a medal. I think there are 100 hand rolled manual/buggy versions of this in people’s own individual repos... without the Javadoc.
Alex Ionescu 19h
Replying to @OphirHarpaz
I’m really disappointed your VP doesn’t know of me.
Alex Ionescu Jul 13
Thanks man, I feel the same. It’s great to see you reaching out to researchers while also doing cool stuff with packets and finding broken perimeters
Alex Ionescu Jul 12
I have one BlackHat black card remaining and would love to help you attend! I assume your large multi national corporation would be eager to have you learn new skills and network with others?
Alex Ionescu Jul 12
Replying to @pwsh_guy
It will be on my GitHub soon
Alex Ionescu retweeted
Dmitri Alperovitch Jul 11
Great job and for getting this going! is excited to support and participate!
Alex Ionescu Jul 12
Cease and desist from this line of thinking immediately
Alex Ionescu Jul 12
Replying to @richturn_ms
I’m a bit like Raymond (Chen). I queue things up years/months in advance :)
Alex Ionescu Jul 12
Replying to @aionescu
Those blue traces, for anyone watching, are actually loader snaps (DbgPrint) from inside the picoVM’s NTDLL (loader) being printed into a monitor window on the host. So yes, DbgPrint (interrupt 2Ch) is fully supported :)
Alex Ionescu Jul 12
Replying to @AdmVonSchneider
Actually, it’s not running ntoskrnl in the picoVM — it’s using the one on the host. This type of emulation is obviously unsafe for malware, but has certain uses. NTDLL and all of user space are in the VM, and the picoVM implements a system call and interrupt shim to the host OS.
Alex Ionescu Jul 12
Replying to @AmarSaar
cc now you won't sleep for days.
Alex Ionescu Jul 12
A virtual machine emulator that can load cmd.exe up until its main() entrypoint (including running all of NTDLL, COMBASE, OLE32, KERNEL32, etc.) with less than 11KB of code? Thanks to the new Windows Hypervisor Platform (WHP) APIs, it's indeed possible! A tease of 🔥SimpleLator🔥
Alex Ionescu retweeted
mdowd Jul 11
Excited to announce that Azimuth Security has been acquired!
Alex Ionescu Jul 11
Replying to @parityzero @standa_t
I think VS is adding ninja support soon I hear :)
Alex Ionescu Jul 11
Replying to @standa_t @parityzero
Cc you guys still build with VS?
Alex Ionescu retweeted
Satoshi Tanda Jul 11
If you work with large Visual Studio solution files that are slooow to load and want to know which projects are actually slow, you will find this useful.
Alex Ionescu Jul 11
Replying to @aionescu
This is really pathetic given that in over 200K of purchases in the last 14 years on the other side of the pond I’ve never had this happen outside of 2 rare occurrences where the rep immediately identified & fixed the issue. The LIES of your UK reps are what make this disgusting
Alex Ionescu Jul 11
I moved to the UK for 2 months this summer after 14 years as a US/Canada Amazon (now Prime) customer. Out of 30 orders, 4 were “delivered” but never showed up, while 5 others were delayed for 7 days+ with no tracking number or reason. CSRs repeatedly lie about status.
Alex Ionescu Jul 11
Replying to @ARichardMSFT
It depends what flags are passed to PssCaptureSnapshot, it looks like. But in general if a trace is running it looks like dbghelp/faultrep will add it to the dump as long as the flag is set. So I guess the answer is “maybe”? :)
Alex Ionescu Jul 10
Replying to @parityzero
No — there are HAL and Ke changes required.