Amardeep
Security Architect [Device Drivers, Windows Internals]
42 Tweets
179 Following
82 Followers
Tweets
Amardeep 5h
Replying to @SBousseaden
But it doesn't actually load it again. The behaviour of LoadLibrary returns you the existing base address of the module if it's already loaded, allowing you to use it as an info-leak, or calling ntoskrnl!exports
Amardeep 4 Feb
Replying to @mirageopenguins
Better be ready for when adversaries bypass your various kernel callbacks and hooks.
Amardeep 25 Jan
Replying to @SandboxBear
Lmao I was offered the same thing from MS, Canada then US. MS won't even attempt a H1B which gives you a 6yr work visa, which is a shame on their part.
Amardeep 25 Jan
Replying to @SandboxBear
Going to the US? Depending on the type of work visa, H1B, L1, etc, some are based lamely on luck from the immigration office, so not guaranteed even if the company really wants it.
Amardeep 18 Jan
See how to parse ACLs, SDs, and ACEs from a kernel driver, and dive into the security model.
Amardeep 18 Jan
Replying to @sskras @0xrepnz @Ivanlef0u
Tis my life nowadays. Imagine developing for drivers and firmware where VMs can't pass through direct CPU I/O.
Amardeep 9 Jan
Replying to @PetrBenes
Sometimes when you get seemingly random BSOD error codes that don't describe the actual issue you caused, they're often a side effect of your issue, making it even harder to pinpoint ha.
Amardeep 6 Jan
Replying to @iximeow
True there might be bad implementations inside SMI. But the saving regs for example occurs on a context switch regardless, and normal practice is to restore it, but you can of course inside the SMI change what the OS will see when restored.
Amardeep 6 Jan
Replying to @iximeow
SMI context switches don't really fiddle with anything. The Intel implementation simply saves and restores all CPU registers pre and post transition. So no RIP, timer reg etc changes from OS perspective, but during SMI the registers are obviously updating to exec asm.
Amardeep 5 Jan
Replying to @fdiskyou
Well the modern DDK samples contain SAL 2.0 notations for all projects, and MSDN usually states the role classification if available at the footer of the MSDN page of an API. Both helpful imo.
Amardeep 31 Dec
Replying to @PetrBenes
Can the work be done asynchronously? If so schedule a worker thread (runs at passive) from your APC callback.
Amardeep 25 Dec
Replying to @_zisis
You can use MASM to assemble separate files, and have the linker link the object in to your C code. I like it TBH, keeps the ASM separate in a project. I try to use compiler intrinsics where possible though and you can see all intrinsics MSVC supports in "intrin.h"
Amardeep Retweeted
Bromium 22 Nov
As of September 19th 2019, Bromium has become part of HP Inc. To stay up to date on all our news and information, please follow us on HP LinkedIn, HP Facebook, and Twitter
Amardeep 6 Dec
Replying to @steventseeley
X64dbg and scyllahide plugin. Or manually break at TLS initialisation in x64dbg options, instead of the default Entry Point.
Amardeep 30 Nov
Replying to @vxunderground
Run it in a VM, and does it crash the host?
Amardeep 15 Nov
Been dealing with a whole lot of PNP recently. Interested in the Kernel and PNP Manager device enumeration, and still using good old WDM? Then check out my blog. Comments welcome, errors pointed out appreciated.
Amardeep 29 Oct
Replying to @theevilbit
Coincidentally the symbol server was down from yesterday
Amardeep 28 Oct
Replying to @theevilbit
Literally came on Twitter to see if anyone else has an issue. Symsrv times out downloading symbols.
Amardeep 18 Oct
Replying to @zemnmez
And a month later they come back and state 'we don't understand any of this, can you simplify'.
Amardeep 15 Oct
Replying to @geoffchappell
Rephrasing for clarity. So this P check won't occur in nonpaged pool right as MM runs at IRQL 1. But when a page fault occurs to a VA page, does the CPU hand off some processing to the OS to analyze the P bit by MM, before handing back to the CPU (all at IRQL 1, without increasing the code's RIP)