Windows 10 1809 kernel sensors
After reading this article I was curious which info Microsoft gathers in its telemetry. There is some theoretical possibility to ask Microsoft via MVI, but the link to "apply for membership" gives 404, lol....
CfgMgr32.dll!CM_Register_Notification registered callbacks
Declaration of CM_Register_Notification: CMAPI CONFIGRET CM_Register_Notification(PCM_NOTIFY_FILTER pFilter, PVOID pContext, PCM_NOTIFY_CALLBACK pCallback, PHCMNOTIFICATION pNotifyContext); It's easy...
wincheck rc8.61
Download, mirror. Changelog:
add support of Windows 10 RS4, 1809 & 1903
add support of Windows 10 build 18922, but seems that this build hangs on RPC interfaces enumeration
add dumping of...
new RFG reloc types
It seems that est since build 18922 Microsoft turned on retpoline. This is implemented as RFG relocations with 3 new types:
Type 3: typedef struct _IMAGE_IMPORT_CONTROL_TRANSFER_DYNAMIC_RELOCATION { DWORD...
there will be no more new versions of wincheck
bcs all source code belongs to my former employer. I do not have time and motivation to rewrite it for free. Sorry
kernel resource FUNCTIONEXTENTLIST
I committed today a plugin for processing the 64bit kernel resource with name "FUNCTIONEXTENTLIST" (located in RCDATA). It seems that processing of this resource happens in a huge unnamed sub called from the famous...
last version of wincheck
it's last because of: My former employer was so so nice that he allowed me to publish this build. Btw I seek a new job. Download, mirror. Changelog:
add support of Windows 1909
add support of new RFG relocs. As...
typos in "Linux Device Drivers Development"
I decided in retirement to fill the gaps in my education, so now I am reading the book "Linux Device Drivers Development" and noticed lots of annoying typos in code samples. Page 65: /* some where */ spinlock_t...
using devm_kzalloc unchecked result in linux kernel 4.18
Managed Device Resource (described in Documentation/driver-model/devres.txt) is a witty technique for lazy developers. Unfortunately it does not exempt from the need to check results. I decided to see if...
using devm_kcalloc unchecked result in linux kernel
Part I. This time I add references to the linux kernel github - although I ran my naive code analyzer on version 4.18, all found bugs have a long and happy life in the current source tree. gb_generate_enum_strings...
PiPnpRtlCtx
since w8 Microsoft introduced for PnP devices management a new structure with lots of function pointers - PiPnpRtlCtx. It's called from lots of exported functions, but I think the most comfortable for RE are...
W32pServiceTable from windows 10 build 19577 64bit
W32pServiceLimit .eq. 0x5AD. Btw what does the prefix NtModerncore...
fltmgr.GLOBALS!PerfTraceRoutines
In windows 8 a feature for filter operation Etw logging was introduced in fltmgr - structure WMI_FLTIO_NOTIFY_ROUTINES in GLOBALS: void (TimeStampRoutine*)(struct _ETW_KERNEL_TRACE_TIMESTAMP*, unsigned...
VfDifThunks
It seems that in w10 build 19569 a new verifier table has appeared - VfDifThunks, along with the new exported function DifRegisterPlugin (which is used only in VerifierExt.sys for now). List of intercepted...
static code analysis
This cool article is a good case to show how you can employ static code analysis for extracting some unexported symbols from binary code - in this case we need ExNPagedLookasideLock &...
armpatched
Several days ago I started my new pet project on GitHub, bcs quarantine is boring. Reading a book "ARM 64-Bit Assembly Language" without practice is useless. So I just forked the arm64 disasm called armadillo,...
bug in ida pro arm64 module
Let's see in ida pro some arm64 windows kernel, for example the good old function PspSetCreateThreadNotifyRoutine: ADRP X8, #PspNotifyEnableMask@PAGE ADD X11, X8,...
KiTpExcludedRoutines
As you can guess from the name, this is an array of functions for which you can't set a kernel tracepoint. Curious that this list differs in x64 and...
IDA Pro plugin for arm64 switch tables processing
IDA Pro supports arm64 very poorly - it also cannot parse switch tables. Let's see how they look on arm64 - for example in function NtQueryInformationThread: CMP W1, #0x2D ;...
PsKernelRangeList on arm64 kernel
can be found using the same old trick. Sure, constants are now different, so now KUSER_SHARED_DATA.SystemCall is 0xFFFFF78000000308 and KUSER_SHARED_DATA.ProcessorFeatures is 0xFFFFF78000000274. Committed...