Alex Ionescu
@aionescu
Chief Technical Innovation Officer @crowdstrike. Windows Internals author and trainer. He/Him. RTs are not endorsements, opinions are my own.
Montréal, Québec
Joined April 2008
Posts
  • What fresh hell is this?
  • NSA: we are open sourcing a multi million line of code SRE tool to democratize the malware analysis space. Microsoft: Hold my beer blogs.windows.com/buildingapps/2…
  • Attackers can exploit CVE-2020-1048 with a single PowerShell command: Add-PrinterPort -Name c:\windows\system32\ualapi.dll On an unpatched system, this will install a persistent backdoor that won't go away *even after you patch*. See windows-internals.com/printdemon-cve… for more details.
  • This patch literally invents new computer science to work around the side-channel CPU issues. Continuing to be in awe and massive kudos to all the OS vendors who had to probably re-do entire feature roadmaps to handle this work. tl;dr Tokens/Processes now have "Security Domains".
  • I can finally efficiently (fast) and reliably (no errors) read paged pool/non-L1 data. Time for MeltiKatz/MimiDown. I’ll sit on this a few weeks before setting the world on fire and watching it burn. Or probably someone will do it first 🔥
  • A big customer concern with #windows #internals 6th Edition was that when used in its typical form as a monitor stand, part 2 has 250 fewer pages so a multi monitor setup is not vertically aligned. We fixed this in 7th Edition part 2 by adding two chapters and aligning the height.
  • The question on everyone's minds: Does MacOS fix the Intel #KPTI Issue? Why yes, yes it does. Say hello to the "Double Map" since 10.13.2 -- and with some surprises in 10.13.3 (under Developer NDA so can't talk/show you). cc @i0n1c @s1guza @patrickwardle
  • Just in time for #BlackHat, I've released the Ring 0 Army Knife (r0ak) at github.com/ionescu007/r0ak. Full driver-less, built-in, Windows 8+ Ring 0 arbitrary read/write/execute debugging tool for HVCI/Secure Boot/WDAG environments where local debugging is often impossible to set up.
  • There are no bugs in anyone's CPU. But there are comprehensive fixes for them, developed by your CPU vendor. That you need to get from your BIOS vendor, alongside your OS vendor. Which come as OS kernel mitigations. Only if your AV vendor sets a reg key. Oh, patch your browser.
  • Playing around with my first AMD Ryzen system. Turns out the "AMD PCI Driver" isn't actually a PCI Driver... at all. Here's a few fun facts: 1) It registers a process creation notify routine, and checks all process names against a list of 19 hashed names.
  • Damn Microsoft, y’all weren’t paying for E5 Azure Log retention for your domain either? 😂🌶️🙈
  • Woke up on this first day of 2022 to find the internet (Exchange) is on fire due to a 32-bit INT overflow and today’s date. Don’t ever change, compsci.
  • We built multi-tenant cloud computing on top of processors and chipsets that were designed and hyper-optimized for single-tenant use. We crossed our fingers that it would be OK and it would all turn out great and we would all profit. In 2018, reality has come back to bite us.