ExcreamOnSecurity
root@ExcreamOnSecurity: % cat ~/etc/topics.allow

- Offensive Security (Red Teaming / PenTesting)
- BlueTeam (OperationSec, Threat Hunting, DFIR)
- Reverse Engineering / Malware Analysis
- Web Security
Evolution of the x86 context switch in Linux

While researching archaic facts about the 80386 hardware context switch last weekend, I remembered that early versions of the Linux kernel relied on it. I was promptly sidetracked for hours reading code I hadn't seen in years. This weekend, I've decided to write down the journey to consolidate all the nuggets of fun stuff I discovered along the way

https://www.maizure.org/projects/evolution_x86_context_switch_linux/

#reverse #linux #internals
Creating Windows Access Tokens

Some time ago I was playing with the STOPZilla exploit, which is very interesting and educational because it shows how you can abuse an arbitrary write from userland into the kernel. In this case the exploit will permit us, by altering the EPROCESS structure of the current process, to activate an additional privilege, usually the SeCreateTokenPrivilege.

https://decoder.cloud/2019/07/04/creating-windows-access-tokens/

#windows #internals #tokens
Iris WinDbg Extension

Iris WinDbg extension performs detection of common Windows process mitigations (32 and 64 bits).

https://github.com/fdiskyou/iris
#windows #debugging #internals #windbg
Mimidrv In Depth: Exploring Mimikatz’s Kernel Driver

The goals of this post are to familiarize operators with the capability that Mimidrv provides, put forth some documentation to be used as a reference, introduce those who haven’t had much time working with the kernel to some core concepts, and provide defensive recommendations for mitigating driver-based threats.

https://posts.specterops.io/mimidrv-in-depth-4d273d19e148

#mimikatz #windows #internals
Diff windows kernel structures per OS 👽

https://ntdiff.github.io/
#tools #windows #internals #kernel
Code Integrity in the Kernel

There are cases where you need to reliably identify a process before you allow it to take certain actions. Verifying its Authenticode signature is a trusted way to do that. The user-mode DLL wintrust provides an API specifically for this purpose.

[...]

https://medium.com/cybereason/code-integrity-in-the-kernel-66b3f5cce5f
#windows #kernel #reverse #internals
Windows SDK Data

Windows API listing in JSON format, generated from SDK headers plus SDK API documentation for SAL notations. You can use it for fuzzing, writing WinDbg extensions, writing a PyKD script to dump parameters, or writing a Frida script that understands parameters.

https://github.com/ohjeongwook/windows_sdk_data
#json #frida #windbg #internals
Apple Lightning

Here's my little article about (almost) everything I know about Apple Lightning and related technologies: Tristar, Hydra, HiFive, SDQ, IDBUS, etc. But first a tiny warning...
Read this article at your own risk! The information in this article is based on a lot of AppleInternal materials (leaked datasheets, schematics, source code) I read in a diagonal direction. And of course on my own research too. I have to warn you, the reader, that I have never done such research before. Thus, this write-up might use incorrect or just weird terms and turn out partially or completely wrong!

https://nyansatan.github.io/lightning/
#apple #internals #macos
Windows Debugger API — The End of Versioned Structures

Some time ago I was introduced to the Windows debugger API and found it incredibly useful for projects that focus on forensics or analysis of data on a machine. This API allows us to open a dump file taken on any Windows machine and read information from it using the symbols that match the specific modules contained in the dump.

https://medium.com/swlh/windows-debugger-api-the-end-of-versioned-structures-ac4acaa351bd
#windows #internals #debug
Debugging into .NET

.NET for post-exploitation is here to stay. It has been bundled with most C2 frameworks, common tools have been ported, AMSI has been added (then bypassed) and new and clever ways have been found to launch unmanaged code. The process of loading a .NET assembly however appears to be pretty consistent.

https://blog.xpnsec.com/debugging-into-net/
#windows #dotnet #redteaming #internals
Hiding PE Imports

You’ve spent the last hour cheffing up a spicy, homemade, Windows executable just right for your target. Go to compile it and, sweet, there are no errors. Fire up the isolated VM and give it a few test runs and it’s working great. That ASCII art is looking mighty clean I must say. Time to send it downrange. Upload completes and you can see it on the file system.

https://roblehesa.com/posts/hiding-pe-imports/
#windows #internals #redteaming #malware #evasion
Hands off my service account!

Windows service accounts are one of the preferred attack surfaces for privilege escalation. If you are able to compromise such an account, it is quite easy to get the highest privileges, mainly due to the powerful impersonation privileges that are granted by default to services by the operating system.

https://decoder.cloud/2020/11/05/hands-off-my-service-account/
#windows #internals