wincheck rc8.57
download, mirror
Changelog: add support of numerous versions of Windows 10 Insider Preview, up to 16193; add dumping of FilterConnectionPorts; add support of RFG (and v2 too); add dumping of...

how to find PspUniqueJobIdTable
In his cool presentation Alex Ionescu said: "PspUniqueJobIdTable - no way to open/enumerate". Sure, there are always some ways. Let's see xrefs to...

EPROCESS.MitigationFlags in w10 build 16215
Let's see EPROCESS.Flags3 in w10 build 16193:
    unsigned long Flags3;
    unsigned long Minimal:0:1;
    unsigned long ReplacingPageRoot:1:1;
    unsigned long DisableNonSystemFonts:2:1;
    unsigned long...

DelegatedNtdll
It seems that since est. w10 build 15007 you can have more than one loaded 32-bit ntdll.dll. The function LdrpLoadDelegatedNtdll queries the key DelegatedNtdll via LdrQueryImageFileKeyOption, then appends this value...

win32k calls filtering on w10
Let's look at some functions from W32pServiceTableFilter on w10 build 16215:
    stub_UserSetSensorPresence:
        push ebp
        mov ebp, esp
        push 2 ; call index
        call _IsWin32KSyscallFiltered@4
        ;...

wincheck rc8.58
download, mirror
Changelog: add support of numerous versions of Windows 10 Insider Preview, up to 16257; add -j option to dump jobs; add -dwf option to dump win32k filtering bitmaps; add support of...

WNF IDs from perf_nt_c.dll
Ripped WNF names from perf_nt_c.dll:
    A3BC0875 - 4191012C WNF_AOW_BOOT_PROGRESS
    This state is incremented when a discrete part of the AoW boot sequence has completed. Security: WNF_STATE_SUBSCRIBE (1) by...

ETW private loggers
As you know, ordinary ETW loggers can be checked in compmgmt.msc\performance\data collector sets\event trace sessions. But private ETW sessions cannot be shown in compmgmt.msc. Actually all private...

how to find rpcrt4!GlobalRpcServer
I looked through the sources of rpcview and found that they used some kind of brute force in file RpcCore.c in function GetRpcServerAddressInProcess. It looks very strange and slow - they already have some...

rpcrt4 security providers
The count of loaded providers is stored in rpcrt4!LoadedProviders and the list in rpcrt4!ProviderList. The structure of each provider can be partially recovered from the function FindSecurityPackage:
    struct...

crypt32.dll SIPs
In the cool paper "Subverting Windows Trust" the mechanism of subject interface packages (SIP) was described. Let's see how we can extract and dump them. Unfortunately the list of SIPs inside crypt32.dll doesn't have name...

wincheck rc8.59
download, mirror
Changelog: add support of numerous versions of Windows 10 Insider Preview, up to ~17025; add -dsip option to dump SIPs from crypt32.dll; add -dac & -dsac options to dump activation...

wincheck rc8.60
download, mirror
Changelog: add some support of Meltdown-patched kernels. It seems that Microsoft backported InterruptObject in KPRCB from w10 to Windows 8.1, so all offsets below this field were shifted...

interesting case of memory leak
After three weeks of work the service osqueryd.exe consumed about 150 MB of memory, so I made a full memory dump with Process Explorer and ran !heap -l in windbg. 298991 strings in the log! Let's write a quick and...

WNF IDs from perf_nt_c.dll (adk version 17692)
To compare with:
    WNF_AAD_DEVICE_REGISTRATION_STATUS_CHANGE id1 A3BC0875 id2 41820F2C
    This event is signalled when device changes status of registration in Azure Active Directory.
    WNF_ACC_EC_ENABLED id1...

bug in wtsapi32!WTSFreeMemoryExA
Prototype:
    BOOL WTSFreeMemoryExA(WTS_TYPE_CLASS WTSTypeClass, PVOID pMemory, ULONG NumberOfEntries);
WTS_TYPE_CLASS is declared in WtsApi32.h as
    enum _WTS_TYPE_CLASS { WTSTypeProcessInfoLevel0 = 0x0,...

WNF IDs from w10 build 18312
Ripped from ContentDeliveryManager.Utilities.dll:
    WNF_AAD_DEVICE_REGISTRATION_STATUS_CHANGE id1 A3BC0875 id2 41820F2C
    This event is signalled when device changes status of registration in Azure Active...

simple way to find PsKernelRangeList
It seems that since est. build 15025 the absolute addresses of KUSER_SHARED_DATA.SystemCall and KUSER_SHARED_DATA.ProcessorFeatures were added to PsKernelRangeList, so now it can be trivially found with...