gerhart
Hyper-V reseach hobby
706 Tweets
100 Following
949 Followers
Tweets
gerhart 12 h
Short tracing of the securekernel!IumAllocateSystemHeap size parameter. The problem is that the Windows 10 Hyper-V XScheduler, which controls guest exceptions in the host OS, has a very ugly (in terms of integration) realization. Many hardcoded offsets must be used in your own driver for it to work 🤔
gerhart 22 h
Replying to @gerhart_x
But in Win10, build 20H1 preview, it was replaced with switch-case statements. Hmm, good job.
gerhart 22 h
It's interesting to see many, many if-else statements in the Win10 build 1909 Hyper-V XScheduler component 🤔
gerhart Feb 5
Replying to @subTee
Must still be working
gerhart Feb 5
Hyper-V virtual machine worker process (vmwp.exe) logical components from the presentation.
gerhart Feb 5
Replying to @saidelike @dwizzzleMSFT @metr0
Oh, one more exploit was added to the big Microsoft internal database of exploits ...
gerhart Retweeted
Mathieu Tarral Feb 3
Video of my talk with is available: Slides: For all FOSDEM 2020 talks: Enjoy 👍
gerhart Feb 3
Replying to @commial
The Windows 10 Hyper-V XScheduler, which must be used in Windows 10 instead of the standard message delivery through nt!KiHvInterrupt in Windows Server 2019, is pretty hard to intercept for stable debugging...
gerhart Jan 30
Replying to @BomberUnix
Information about Red Hat from the Gartner HCI 2019 report. The problem is that Gartner retired the clear virtualization Magic Quadrant -
gerhart Jan 29
Windows Server 2019 securekernel live debugging demo
gerhart Jan 27
Replying to @pronichkin
Yes, but the popularity increase has been very slow in the last year.
gerhart Jan 27
Hyper-V is part of Microsoft's hyper-converged infrastructure. And this infrastructure is not popular now, according to Gartner. There was a completely different picture in 2015. 🤔
gerhart Jan 27
Uhh, the contest is lost ) An article about web app vulns won: Big thanks to Securitylab and Positive Technologies for the incentive prizes!
gerhart Jan 27
Replying to @WhatAintInside
There is no symbol named KdVersionBlock inside securekernel.exe. Nothing to find...
gerhart Jan 26
WinDBG is not successfully adapted to the Windows securekernel, because there is no KdVersionBlock inside it, but it can still give useful information about modules.
gerhart Jan 26
Replying to @corelanc0d3r
The !peb command works in WinDBG Preview on the Windows 20H1 build. Try using it, or copy the dbg*.dll files from the WinDBG Preview install dir (e.g. C:\Program Files\WindowsApps\Microsoft.WinDbg_1.2001.2001.0_neutral__8wekyb3d8bbwe\amd64) to the WinDBG folder.
gerhart Jan 25
Good whitepaper about the Windows 10 secure kernel: "Live forensics on the Windows 10 securekernel (2017)"
gerhart Jan 24
Replying to @sparky_parrot
Btw, it's a good idea to experiment with the virtual DR0..DR7 registers in Hyper-V with the LiveCloudKd EXDi plugin 🤔
gerhart Jan 24
Replying to @sparky_parrot
VMware already has an embedded GDB debugger. The WinDBG SDK has the EXDi ExdiGdbSrvSample sample. It looks like it can be adapted to VMware GDB, and you can debug a VMware VM using WinDBG and VMware hardware breakpoints (debugStub.hideBreakpoints = "TRUE" in the .vmx config).
gerhart Jan 24
Replying to @sparky_parrot
It uses Hyper-V's embedded guest OS reading/writing operations. The guest OS PatchGuard can detect kernel code modification as usual.