Tweets
gerhart
@gerhart_x
12 h
Short tracing of the securekernel!IumAllocateSystemHeap size parameter.
The problem is that the Windows 10 Hyper-V XScheduler, which controls guest exceptions in the Host OS, has a very ugly (in terms of integration) realization. Many hardcoded offsets must be used in your own driver for it to work🤔 pic.twitter.com/3wevdQjNix
gerhart
@gerhart_x
22 h
But in the Win10 build 20H1 preview, it was replaced with switch-case statements. Hmm, good job.
gerhart
@gerhart_x
22 h
It's interesting to see many, many if-else statements in the Win10 build 1909 Hyper-V XScheduler component🤔 pic.twitter.com/rhUEWvpacM
gerhart
@gerhart_x
5 Feb
Must be working still
twitter.com/gerhart_x/stat…
gerhart
@gerhart_x
5 Feb
Hyper-V virtual machine worker process (vmwp.exe) logical components from the presentation. twitter.com/dwizzzleMSFT/s… pic.twitter.com/5JMklMSjIS
gerhart
@gerhart_x
5 Feb
Oh, one more exploit was added to the big Microsoft internal database of exploits ...
gerhart retweeted
Mathieu Tarral
@mtarral
3 Feb
Video of my talk with @rageagainsthepc @fosdem is available:
mirror.cyberbits.eu/fosdem/2020/K.…
Slides:
fosdem.org/2020/schedule/…
For all FOSDEM 2020 #rust talks:
reddit.com/r/rust/comment…
Enjoy 👍
gerhart
@gerhart_x
3 Feb
The Windows 10 Hyper-V XScheduler, which must be used in Windows 10 instead of the standard message delivery through nt!KiHvInterrupt in Windows Server 2019, is pretty hard to intercept for stable debugging...
gerhart
@gerhart_x
30 Jan
Information about Red Hat from the Gartner HCI 2019 report.
The problem is that Gartner retired the clear virtualization Magic Quadrant - gartner.com/en/documents/3… pic.twitter.com/0yu2rlKJgc
gerhart
@gerhart_x
29 Jan
Windows Server 2019 securekernel live debugging demo
youtu.be/tRLQwsJQ-hU
gerhart
@gerhart_x
27 Jan
Yes, but the popularity increase has been very slow in the last year. pic.twitter.com/kz80VV3iZ4
gerhart
@gerhart_x
27 Jan
Hyper-V is part of Microsoft's hyper-converged infrastructure docs.microsoft.com/en-us/windows-….
And this infrastructure is not popular now, according to what Gartner says.
There was a completely different picture in 2015.🤔 pic.twitter.com/Y6YrPQqFcX
gerhart
@gerhart_x
27 Jan
Uhh, the contest is lost )
securitylab.ru/contest/504415…
The article about web app vulns wins:
securitylab.ru/contest/499971…
Big thanks to Securitylab and Positive Technologies for the incentive prizes! twitter.com/gerhart_x/stat…
gerhart
@gerhart_x
27 Jan
There is no symbol named KdVersionBlock inside securekernel.exe. Nothing to find...
gerhart
@gerhart_x
26 Jan
WinDBG is not successfully adapted to the Windows securekernel, because there is no KdVersionBlock inside it, but it can still give useful information about modules. pic.twitter.com/dWyLfE82CT
gerhart
@gerhart_x
26 Jan
The !peb command works in WinDBG Preview on the Windows 20H1 build. Try using it, or copy the dbg*.dll files from the WinDBG Preview install dir (e.g. C:\Program Files\WindowsApps\Microsoft.WinDbg_1.2001.2001.0_neutral__8wekyb3d8bbwe\amd64) to the WinDBG folder. pic.twitter.com/YwB8YgJh71
gerhart
@gerhart_x
25 Jan
Good whitepaper about the Windows 10 secure kernel:
"Live forensics on the Windows 10 securekernel (2017)"
ntnuopen.ntnu.no/ntnu-xmlui/bit…
gerhart
@gerhart_x
24 Jan
Btw, it's a good idea to experiment with the virtual DR0..DR7 registers in Hyper-V with the LiveCloudKd EXDi plugin🤔
gerhart
@gerhart_x
24 Jan
VMware already has an embedded GDB debugger. The WinDBG SDK has the EXDi ExdiGdbSrvSample sample. It looks like it can be adapted to the VMware GDB stub, and you can debug a VMware VM using WinDBG and VMware hardware breakpoints (debugStub.hideBreakpoints = "TRUE" in the .vmx config).
gerhart
@gerhart_x
24 Jan
It uses Hyper-V's embedded guest OS reading/writing operations. Guest OS PatchGuard can detect kernel code modification as usual.