afd endpoints owner
Alex, as usual, did a perfect job of bypassing even paranoid EDRs. The main problem is detection of duplicated sockets. There is a hint, however: all ownership of the socket still belongs to the original...
kernel pte in windows 10 64bit
Quarantine is a good time to re-read some old but useful papers and check if you can still pull off the trick of making KUSER_SHARED_DATA writable again. So let's see what we need: some logic to extract the PTE base from...
COMPlus_ETWEnabled
There is a nice trick to make your .NET assemblies produce no ETW logging. Let's see if we can detect this without looking at environment vars. ETW logging is initialized in mscorwks.dll!CEtwTracer::Register: lea...
undocumented env vars in mscorwks.dll
There are lots of env vars with the prefix COMPlus_, so let's look only at those not present in this document. The main function constructing the name of an env var is ?EnvGetString@REGUTIL@@SAPEAGPEBGH@Z, called...
arm64 pc-relative literals
Let's look, for example, at the non-exported function SepInitializeCodeIntegrity from the arm64 kernel:
STP X19, X20, [SP,#-0x20+var_10]!
STP X21, X22, [SP,#0x10+var_s0]
STR...
sve/sve2 instructions for arm64
Today I finished adding sve/sve2 instructions to my pet project armpatched. I used ISA_A64_xml_futureA-2019-09_OPT.pdf as reference. Sure, the code is full of bugs, incomplete and has terrible style - all...
search references in arm64 code
Let's assume that you want to find the address of the non-exported CrashdmpCallTable in the kernel. The usual old-school way is to find the unicode string "\SystemRoot\System32\Drivers\crashdmp.sys" and then to find...
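Both arm64 posts above ("arm64 pc-relative literals" and "search references in arm64 code") rest on the same mechanic: on AArch64 a reference to data is an ADRP that computes the 4 KiB page, followed by an ADD (address) or LDR (value) that supplies the low 12 bits, so finding who references a variable means decoding those pairs. The following is an added example, not code from the blog or from armpatched; the instruction words and base address are constructed here to exercise the decoder, and the function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Resolve ADRP + ADD / LDR pairs in a buffer of AArch64 instructions to the
 * absolute addresses they reference. base_va is the virtual address of
 * insns[0]; every instruction is 4 bytes, so insn i sits at base_va + 4*i. */

typedef struct {
    uint64_t insn_va;   /* VA of the ADRP */
    uint64_t target;    /* resolved absolute address of the referenced data */
    int      reg;       /* destination register of the second instruction */
} xref_t;

static int64_t sign_extend(uint64_t v, int bits) {
    uint64_t m = 1ULL << (bits - 1);
    return (int64_t)((v ^ m) - m);
}

/* ADRP Xd, label:  1 immlo(2) 10000 immhi(19) Rd(5); ADR has bit 31 clear. */
static int is_adrp(uint32_t w) { return (w & 0x9F000000u) == 0x90000000u; }

static uint64_t adrp_page(uint64_t pc, uint32_t w) {
    uint64_t immlo = (w >> 29) & 3;
    uint64_t immhi = (w >> 5) & 0x7FFFF;
    int64_t imm = sign_extend((immhi << 2) | immlo, 21);   /* in pages */
    return (pc & ~0xFFFULL) + ((uint64_t)imm << 12);
}

/* ADD Xd, Xn, #imm12{, LSL #12}:  sf=1 op=0 S=0 100010 sh imm12 Rn Rd */
static int is_add64_imm(uint32_t w) { return (w & 0xFF800000u) == 0x91000000u; }

/* LDR Xt, [Xn, #pimm]:  11 111 0 01 01 imm12 Rn Rt, pimm = imm12 * 8 */
static int is_ldr64_uoff(uint32_t w) { return (w & 0xFFC00000u) == 0xF9400000u; }

size_t find_adrp_xrefs(const uint32_t *insns, size_t n, uint64_t base_va,
                       xref_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i + 1 < n && found < max_out; i++) {
        if (!is_adrp(insns[i])) continue;
        uint64_t pc = base_va + i * 4;
        int rd = insns[i] & 0x1F;
        uint64_t page = adrp_page(pc, insns[i]);
        uint32_t nx = insns[i + 1];
        if ((int)((nx >> 5) & 0x1F) != rd) continue; /* must consume ADRP's Rd */
        uint64_t off;
        if (is_add64_imm(nx)) {
            off = (nx >> 10) & 0xFFF;
            if (nx & (1u << 22)) off <<= 12;          /* LSL #12 form */
        } else if (is_ldr64_uoff(nx)) {
            off = ((nx >> 10) & 0xFFF) * 8;           /* scaled by access size */
        } else {
            continue;                                 /* not a simple pair */
        }
        out[found].insn_va = pc;
        out[found].target  = page + off;
        out[found].reg     = nx & 0x1F;
        found++;
    }
    return found;
}

/* Constructed sample (not real kernel bytes), assumed loaded at 0x140001000:
 *   ADRP X8, +4 pages ; ADD X8, X8, #0x2A0      -> 0x1400052A0
 *   ADRP X9, -1 page  ; LDR X10, [X9, #0x9A0]   -> 0x1400009A0
 *   ADRP X0, +0       ; NOP                     -> ignored (no ADD/LDR) */
static const uint32_t sample_insns[] = {
    0x90000028u, 0x910A8108u, 0xF0FFFFE9u, 0xF944D12Au, 0x90000000u, 0xD503201Fu
};
#define SAMPLE_BASE 0x140001000ULL

size_t sample_xref_count(void) {
    xref_t r[8];
    return find_adrp_xrefs(sample_insns, 6, SAMPLE_BASE, r, 8);
}

/* Returns the k-th resolved target (0 if k is out of range). */
uint64_t sample_xref_target(size_t k) {
    xref_t r[8];
    size_t n = find_adrp_xrefs(sample_insns, 6, SAMPLE_BASE, r, 8);
    return k < n ? r[k].target : 0;
}

int main(void) {
    xref_t r[8];
    size_t n = find_adrp_xrefs(sample_insns, 6, SAMPLE_BASE, r, 8);
    for (size_t i = 0; i < n; i++)
        printf("%#" PRIx64 ": X%d <- %#" PRIx64 "\n", r[i].insn_va, r[i].reg, r[i].target);
    return 0;
}
```

To locate a non-exported variable this way, run the scan over the .text of the image and keep only pairs whose target falls inside .data / ALMOSTRO / PAGEDATA; the pair that sits next to the code that also references the known anchor (the unicode string in the old-school method) is the one you want. The decoder deliberately skips pairs with an unrelated instruction in between, which the compiler does emit, so a production version would track the ADRP's register across a few following instructions.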
what's wrong with Etw
Disclaimer: as I am aware that the given code examples can be dangerous for Etw-based EDR products, all code was made for the least popular version of windows - for arm64. Let's assume that we have some...
_TlgProvider_t
Let's continue to dissect ETW and consider one of the many usermode tracing structures - _TlgProvider_t. It is even officially documented in the platform SDK in the header TraceLoggingProvider.h (sample of...
etw tracing handles in kernel
Let's continue to dissect ETW (parts 1 & 2). This time consider how tracing is implemented in the kernel itself. I made a PoC to find all tracing handles in the arm64 kernel and now give a short explanation...
etw part 4: _TlgProvider_t in kernel
Let's continue to dissect ETW (parts 1, 2 & 3). Basically the structure _TlgProvider_t in the kernel is almost the same as in user mode, but the field RegHandle points to ETW_REG_ENTRY. You can easily find them using...
IMAGE_LOAD_CONFIG_DIRECTORY from sdk 20190
Just as an illustration to the paper about XFG: size is 0xB8 for 32 bit and 0x130 for 64 bit
typedef struct _IMAGE_LOAD_CONFIG_DIRECTORY32 { DWORD Size; DWORD TimeDateStamp; WORD MajorVersion;...
etw part 4½: MCGEN_TRACE_CONTEXT
Let's continue to dissect ETW (parts 1, 2, 3 & 4). Now consider structures generated with mc.exe (Windows Message Compiler). It seems that this is very old technology - some .mc files in official...
IDCFuncs in ida pro 7.x
Let's assume that we want to have some normal programming language inside ida pro (not a strange-looking pile of spaces). Or just to make an RPC interface so you can use several instances of ida from...
(semi)auto building of state machine
Several days ago I made a PoC to extract addresses of WSK data from windows 10 arm64 afd.sys - specifically AfdWskClientListHead and the lock AfdWskClientSpinLock. Nothing special except the fact that afd.sys...
efficiency of auto-derived state machines
It's time to measure how effective these state machines are. Today I made a simple perl script to measure how many symbols (located in sections .data, ALMOSTRO and PAGEDATA) can be found for arm64 windows...
using of auto-derived state machines
Let's see what we can do with our auto-derived state machines. All source code is in my github repo. Simple case: KdLocalDebugEnabled. Assume that we want to find the address of KdLocalDebugEnabled. On kernel...
W32pServiceTable from windows 10 build 20292 64bit
It seems that MS cut off the whole apfnSimpleCall dispatching - no more...
auto-derived FSM for usermode dlls
As expected, the results of auto-derived FSM for usermode dlls are much worse - for example on rpcrt4.dll only 76 symbols from 228 can be found. It's because code in usermode contains much fewer unique...
fsm rules syntax
I added saving and loading of FSM rules to a file - so now you can edit them (or perhaps even write new ones manually) and then apply them with the new tool afsm. So let's see how it works. We must make functions...