Amardeep (@AstralVX)
Security Architect @HP [Device Drivers, Windows Internals]
42 Tweets · 179 Following · 82 Followers

Tweets

Amardeep @AstralVX · 5 h
But it doesn't actually load it again. The behaviour of LoadLibrary returns you the existing base address of the module if it's already loaded, allowing you to use it as an info-leak, or calling ntoskrnl!exports

Amardeep @AstralVX · 4 Feb
Better be ready for when adversaries bypass your various kernel callbacks and hooks.

Amardeep @AstralVX · 25 Jan
Lmao I was offered the same thing from MS, Canada then US. MS won't even attempt an H1B which gives you a 6yr work visa, which is a shame on their part.

Amardeep @AstralVX · 25 Jan
Going to the US? Depending on the type of work visa, H1B, L1, etc, some are based lamely on luck from the immigration office, so not guaranteed even if the company really wants it.

Amardeep @AstralVX · 18 Jan
See how to parse ACLs, SDs, and ACEs from a kernel driver, and dive into the security model.
astralvx.com/index.php/2019… pic.twitter.com/SS8RqP4Tp8
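As an added example (not code from the linked blog post or from the author), here is a portable C parser for a self-relative security descriptor: it walks the SECURITY_DESCRIPTOR_RELATIVE header, the DACL header and each ACE, renders the SIDs, and bounds-checks every offset and size before dereferencing it, which is exactly what a driver has to do when the descriptor arrives from an untrusted caller. The 68-byte descriptor is constructed by hand (a DACL with a deny ACE for Everyone and an allow ACE for SYSTEM); the field names are the documented Windows ones, but the code uses no Windows headers so it runs anywhere, and the canonical-order check is a simplification covering explicit ACEs only.

```c
/* Added example: parse a self-relative SECURITY_DESCRIPTOR, its DACL and ACEs from
 * raw bytes. Portable C without windows.h; layouts follow the documented Windows
 * definitions (SECURITY_DESCRIPTOR_RELATIVE, ACL, ACE_HEADER, SID). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SE_DACL_PRESENT          0x0004
#define SE_SELF_RELATIVE         0x8000
#define ACCESS_ALLOWED_ACE_TYPE  0x00
#define ACCESS_DENIED_ACE_TYPE   0x01
#define SYSTEM_AUDIT_ACE_TYPE    0x02
#define MAX_ACES 16

typedef struct { uint8_t type, flags; uint32_t mask; char sid[64]; } ace_info;
typedef struct { uint16_t control, ace_count; ace_info aces[MAX_ACES]; } sd_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validate the SID at buf[off] (it must fit within len) and render it as "S-1-5-18".
 * Returns the SID's byte length, or 0 if it is malformed or out of bounds. */
static size_t parse_sid(const uint8_t *buf, size_t len, size_t off, char *out, size_t outsz) {
    if (off > len || len - off < 8) return 0;
    uint8_t rev = buf[off], nsub = buf[off + 1];           /* Revision, SubAuthorityCount */
    if (rev != 1 || nsub > 15) return 0;                     /* SID_MAX_SUB_AUTHORITIES */
    size_t sidlen = 8 + 4u * nsub;
    if (len - off < sidlen) return 0;
    uint64_t auth = 0;                                       /* IdentifierAuthority: 6 bytes, big-endian */
    for (int i = 0; i < 6; i++) auth = auth << 8 | buf[off + 2 + i];
    int n = snprintf(out, outsz, "S-%u-%llu", (unsigned)rev, (unsigned long long)auth);
    for (uint8_t i = 0; i < nsub && n > 0 && (size_t)n < outsz; i++)   /* SubAuthority[]: little-endian */
        n += snprintf(out + n, outsz - (size_t)n, "-%u", (unsigned)rd32(buf + off + 8 + 4u * i));
    return sidlen;
}

/* Walk an untrusted self-relative SD. Every offset and size is checked against len
 * before use; a driver handed an SD from user mode must do the same. */
bool parse_self_relative_sd(const uint8_t *buf, size_t len, sd_info *out) {
    memset(out, 0, sizeof *out);
    if (len < 20 || buf[0] != 1) return false;               /* SECURITY_DESCRIPTOR_REVISION */
    out->control = rd16(buf + 2);
    if (!(out->control & SE_SELF_RELATIVE)) return false;    /* absolute SDs hold pointers, not offsets */
    if (!(out->control & SE_DACL_PRESENT)) return true;      /* no DACL at all */
    uint32_t dacl_off = rd32(buf + 16);                       /* Dacl field */
    if (dacl_off == 0) return true;                           /* present but NULL DACL: grants everyone */
    if (dacl_off > len || len - dacl_off < 8) return false;
    const uint8_t *acl = buf + dacl_off;
    if (acl[0] != 2 && acl[0] != 4) return false;             /* ACL_REVISION / ACL_REVISION_DS */
    uint16_t acl_size = rd16(acl + 2), ace_count = rd16(acl + 4);
    if (acl_size < 8 || acl_size > len - dacl_off || ace_count > MAX_ACES) return false;
    size_t pos = dacl_off + 8, end = dacl_off + acl_size;
    for (uint16_t i = 0; i < ace_count; i++) {
        if (end - pos < 4) return false;                      /* ACE_HEADER */
        uint8_t type = buf[pos], flags = buf[pos + 1];
        uint16_t ace_size = rd16(buf + pos + 2);
        if (ace_size < 4 || ace_size > end - pos) return false;
        ace_info *a = &out->aces[out->ace_count++];
        a->type = type; a->flags = flags;
        /* Allowed/denied/audit ACEs share the layout {header, Mask, SidStart};
         * object ACEs differ, so they are recorded by type and skipped by size. */
        if (type <= SYSTEM_AUDIT_ACE_TYPE) {
            if (ace_size < 8) return false;
            a->mask = rd32(buf + pos + 4);
            if (parse_sid(buf, pos + ace_size, pos + 8, a->sid, sizeof a->sid) == 0) return false;
        }
        pos += ace_size;
    }
    return true;
}

/* Canonical DACL order (simplified to explicit ACEs): every deny ACE precedes every
 * allow ACE, otherwise an earlier allow can satisfy the access check before the deny is seen. */
bool dacl_is_canonical(const sd_info *sd) {
    bool seen_allow = false;
    for (uint16_t i = 0; i < sd->ace_count; i++) {
        if (sd->aces[i].type == ACCESS_ALLOWED_ACE_TYPE) seen_allow = true;
        else if (sd->aces[i].type == ACCESS_DENIED_ACE_TYPE && seen_allow) return false;
    }
    return true;
}

/* Constructed input: 20-byte SD header, then a 48-byte DACL holding two ACEs. */
static const uint8_t sample_sd[] = {
    0x01, 0x00, 0x04, 0x80,                          /* Revision 1, Sbz1, Control = SELF_RELATIVE|DACL_PRESENT */
    0,0,0,0,  0,0,0,0,  0,0,0,0,  0x14,0,0,0,        /* Owner, Group, Sacl absent; Dacl at offset 20 */
    0x02, 0x00, 0x30, 0x00, 0x02, 0x00, 0x00, 0x00,  /* ACL: revision 2, size 48, 2 ACEs */
    0x01, 0x00, 0x14, 0x00, 0x00, 0x00, 0x01, 0x00,  /* ACCESS_DENIED, size 20, Mask = DELETE */
    0x01, 0x01, 0,0,0,0,0, 0x01, 0,0,0,0,            /* SID S-1-1-0 (Everyone) */
    0x00, 0x00, 0x14, 0x00, 0xFF, 0x01, 0x1F, 0x00,  /* ACCESS_ALLOWED, size 20, Mask = FILE_ALL_ACCESS */
    0x01, 0x01, 0,0,0,0,0, 0x05, 0x12,0,0,0,         /* SID S-1-5-18 (SYSTEM) */
};

int main(void) {
    sd_info sd;
    if (!parse_self_relative_sd(sample_sd, sizeof sample_sd, &sd)) { puts("malformed SD"); return 1; }
    for (unsigned i = 0; i < sd.ace_count; i++)
        printf("ACE %u: type=%u flags=0x%02x mask=0x%08x sid=%s\n", i, (unsigned)sd.aces[i].type,
               (unsigned)sd.aces[i].flags, (unsigned)sd.aces[i].mask, sd.aces[i].sid);
    printf("canonical order: %s\n", dacl_is_canonical(&sd) ? "yes" : "no");
    return 0;
}
```

The parser refuses the same descriptor when told it is only 60 bytes long, because the ACL's declared size would run past the buffer; that kind of truncation or oversized AclSize/AceSize field is the usual way a malformed SD turns a kernel-mode parse into an out-of-bounds read.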
Amardeep @AstralVX · 18 Jan
Tis my life nowadays. Imagine developing for drivers and firmware where VMs can't pass through direct CPU I/O.

Amardeep @AstralVX · 9 Jan
Sometimes when you get seemingly random BSOD error codes that don't describe the actual issue you caused, they're often a side effect of your issue, making it even harder to pinpoint, ha.

Amardeep @AstralVX · 6 Jan
True, there might be bad implementations inside SMI. But saving regs, for example, occurs on a context switch regardless, and normal practice is to restore it, but you can of course inside the SMI change what the OS will see when restored.

Amardeep @AstralVX · 6 Jan
SMI context switches don't really fiddle with anything. The Intel implementation simply saves and restores all CPU registers pre and post transition. So no RIP, timer reg etc changes from the OS perspective, but during SMI the registers are obviously updating to exec asm.

Amardeep @AstralVX · 5 Jan
Well the modern DDK samples contain SAL 2.0 notations for all projects, and MSDN usually states the role classification if available at the footer of the MSDN page of an API. Both helpful imo.

Amardeep @AstralVX · 31 Dec
Can the work be done asynchronously? If so schedule a worker thread (runs at passive) from your APC callback.

Amardeep @AstralVX · 25 Dec
You can use MASM to assemble separate files, and have the linker link the object in to your C code. I like it TBH, keeps the ASM separate in a project. I try to use compiler intrinsics where possible though, and you can see all intrinsics MSVC supports in "intrin.h".

Amardeep retweeted
Bromium @bromium · 22 Nov
As of September 19th 2019, Bromium has become part of HP Inc. To stay up to date on all our news and information, please follow us on HP LinkedIn, HP Facebook, and @HP Twitter

Amardeep @AstralVX · 6 Dec
x64dbg and the ScyllaHide plugin. Or manually break at TLS initialisation in x64dbg options, instead of the default Entry Point.

Amardeep @AstralVX · 30 Nov
Run it in a VM, and does it crash the host?

Amardeep @AstralVX · 15 Nov
Been dealing with a whole lot of PNP recently. Interested in the Kernel and PNP Manager device enumeration, and still using good old WDM? Then check out my blog. Comments welcome, errors pointed out appreciated. astralvx.com/index.php/2019…

Amardeep @AstralVX · 29 Oct
Coincidentally the symbol server was down from yesterday twitter.com/aluhrs13/statu…

Amardeep @AstralVX · 28 Oct
Literally came on Twitter to see if anyone else has an issue. Symsrv times out downloading symbols.

Amardeep @AstralVX · 18 Oct
And a month later they come back and state 'we don't understand any of this, can you simplify'.

Amardeep @AstralVX · 15 Oct
Rephrasing for clarity. So this P check won't occur in nonpaged pool, right, as MM runs at IRQL 1. But when a page fault occurs to a VA page, does the CPU hand off some processing to the OS to analyze the P bit by MM, before handing back to the CPU (all at IRQL 1, without increasing the code's RIP)