Win10 for ARM?

It sounds like non-embedded Windows may once again be available on architectures other than Intel's. Long ago, Windows NT supported MIPS, Alpha, PowerPC, and Itanium as well as x86 (and later x64). Embedded Windows has supported many other processors, including ARM. And Microsoft already has ARM-based Surface devices, and Windows 10 IoT Core runs on the ARM-based Raspberry Pi 2.

http://www.winbuzzer.com/2016/01/14/rumor-microsoft-to-offer-windows-10-desktop-edition-for-arm-architecture-xcxwbn/
https://twitter.com/h0x0d/status/687501104947400704
https://msdn.microsoft.com/en-us/windows/hardware/dn940797%28v=vs.85%29.aspx
http://www.ubergizmo.com/2016/01/microsoft-might-be-developing-windows-10-for-arm-based-processors/
http://www.windowscentral.com/desktop-version-windows-10-arm-based-chips-might-be-development


SysInternals tools updated

Sysinternals, now part of Microsoft TechNet, has announced updates to several tools:

http://blogs.technet.com/b/sysinternals/archive/2016/01/05/update-sigcheck-v2-4-sysmon-v3-2-process-explorer-v16-1-autoruns-v13-51-accesschk-v6-01.aspx

Sigcheck v2.4
Sysmon v3.2
Process Explorer v16.1
Autoruns v13.51
AccessChk v6.01

Microsoft getting tough on Superfish OEMs

Since the days of MS-DOS, OEMs have bundled lots of crap along with their Microsoft OS, and users have always blamed Microsoft, not the OEM, IHV or ISV, for the resulting user experience. Since NT was created there have been tests for OEMs/IHVs, initially to get listed on the Hardware Compatibility List, these days to get certifications and more. Now that modern versions of Windows will execute binaries that OEM firmware places in an ACPI table (the Windows Platform Binary Table, WPBT), a mechanism that attackers can abuse if OEMs don't keep their systems clean (Lenovo, Dell, etc.), Microsoft is stepping up its testing of OEM bloatware.

Microsoft to Remove Superfish-Like Programs Starting in March


https://blogs.technet.microsoft.com/mmpc/2015/12/21/keeping-browsing-experience-in-users-hands/

I’ve heard one interesting potential feature of the new Microsoft laptop is that it might be the one Windows box doesn’t have OEM bloatware on it. Granted, it’ll have other Microsoft bloatware on it…
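The ACPI mechanism mentioned above is the Windows Platform Binary Table (WPBT): firmware exposes a PE image through an ACPI table, and Windows copies it to disk and runs it at boot. The Python below is an added example, not code from this blog or from Microsoft: it fetches the raw WPBT through kernel32!GetSystemFirmwareTable on Windows and decodes the fields as laid out in Microsoft's WPBT specification. The sample table used for the offline run is constructed inside the block, and my reading that the command-line length field counts bytes of UTF-16 text is an assumption to check against the spec.

```python
"""Locate and decode the Windows Platform Binary Table (WPBT).

Added example, not code from the blog post or from Microsoft. The field
layout follows Microsoft's WPBT specification; the sample table is
constructed here so the parser can be exercised offline, and
read_wpbt_from_firmware() only works on Windows.
"""
import struct
import sys
from typing import Optional

ACPI_HEADER_FMT = "<4sIBB6s8sI4sI"   # standard 36-byte ACPI table header
ACPI_HEADER_LEN = struct.calcsize(ACPI_HEADER_FMT)
# HandoffMemorySize, HandoffMemoryLocation, ContentLayout, ContentType, CmdLineLength
WPBT_BODY_FMT = "<IQBBH"
WPBT_BODY_LEN = struct.calcsize(WPBT_BODY_FMT)
CONTENT_TYPE_NATIVE_APP = 1          # the only content type the spec defines: a native user-mode PE image


def parse_wpbt(table: bytes) -> dict:
    """Validate the table and return its fields; raises ValueError on a malformed table."""
    if len(table) < ACPI_HEADER_LEN + WPBT_BODY_LEN:
        raise ValueError("table too short")
    sig, length, rev, _chk, oem_id, oem_tbl, _oem_rev, creator, _crev = \
        struct.unpack_from(ACPI_HEADER_FMT, table, 0)
    if sig != b"WPBT":
        raise ValueError("signature is %r, not WPBT" % sig)
    if length != len(table):
        raise ValueError("header length %d != buffer length %d" % (length, len(table)))
    if sum(table) & 0xFF:             # ACPI checksum: all bytes of the table sum to 0 mod 256
        raise ValueError("bad ACPI checksum")
    size, location, layout, ctype, cmd_len = struct.unpack_from(WPBT_BODY_FMT, table, ACPI_HEADER_LEN)
    cmd_off = ACPI_HEADER_LEN + WPBT_BODY_LEN
    if cmd_off + cmd_len > len(table):
        raise ValueError("command line runs past the end of the table")
    # Assumption: CmdLineLength is a byte count of UTF-16LE text (verify against the spec).
    cmdline = table[cmd_off:cmd_off + cmd_len].decode("utf-16-le", "replace").rstrip("\0")
    return {
        "revision": rev,
        "oem_id": oem_id.decode("ascii", "replace").strip(),
        "oem_table_id": oem_tbl.decode("ascii", "replace").strip(),
        "creator_id": creator.decode("ascii", "replace"),
        "handoff_size": size, "handoff_location": location,
        "content_layout": layout, "content_type": ctype, "cmdline": cmdline,
    }


def build_sample_wpbt(cmdline: str = "/quiet") -> bytes:
    """Constructed sample table (not from any real machine) with a valid ACPI checksum."""
    cmd = cmdline.encode("utf-16-le") + b"\0\0"
    body = struct.pack(WPBT_BODY_FMT, 0x4000, 0x7FF00000, 1, CONTENT_TYPE_NATIVE_APP, len(cmd)) + cmd
    length = ACPI_HEADER_LEN + len(body)
    hdr = struct.pack(ACPI_HEADER_FMT, b"WPBT", length, 1, 0, b"DEMO  ", b"DEMOTBL ", 1, b"DEMO", 1)
    checksum = (-sum(hdr + body)) & 0xFF         # byte 9 of the header is the checksum slot
    hdr = hdr[:9] + bytes([checksum]) + hdr[10:]
    return hdr + body


def read_wpbt_from_firmware() -> Optional[bytes]:
    """Fetch the raw WPBT from the running firmware via GetSystemFirmwareTable (Windows only)."""
    if sys.platform != "win32":
        raise OSError("GetSystemFirmwareTable is a Windows API")
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetSystemFirmwareTable.argtypes = [ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p, ctypes.c_uint32]
    k32.GetSystemFirmwareTable.restype = ctypes.c_uint32
    provider = struct.unpack("<I", b"IPCA")[0]   # 'ACPI' in the byte order the API expects (0x41435049)
    table_id = struct.unpack("<I", b"WPBT")[0]   # table signature as it sits in memory (0x54425057)
    needed = k32.GetSystemFirmwareTable(provider, table_id, None, 0)
    if needed == 0:
        return None                              # no WPBT present (GetLastError() is ERROR_NOT_FOUND)
    buf = ctypes.create_string_buffer(needed)
    got = k32.GetSystemFirmwareTable(provider, table_id, buf, needed)
    return buf.raw[:got]


if __name__ == "__main__":
    raw = read_wpbt_from_firmware() if sys.platform == "win32" else build_sample_wpbt("/quiet /norestart")
    if raw is None:
        print("no WPBT in this firmware")
    else:
        info = parse_wpbt(raw)
        print("WPBT from %s: %#x bytes of content at %#x, content type %d, cmdline=%r"
              % (info["oem_id"], info["handoff_size"], info["handoff_location"],
                 info["content_type"], info["cmdline"]))
```

On a machine where read_wpbt_from_firmware() returns a table, the decoded OEM ID, hand-off address and command line tell you exactly what the firmware is asking Windows to run at every boot, which is the check to make before trusting a "clean" OEM image. The WPBT spec also documents a DisableWpbtExecution DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager that stops the session manager from executing the binary.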

Intel’s Debug Extensions for WinDbg

WinDbg is Microsoft's Windows debugger (both user-mode and kernel-mode), and it can load third-party extensions. I just noticed two WinDbg extensions that Intel has created: one lets WinDbg debug a target over JTAG, the other adds support for Intel Processor Trace (Intel PT):


The “Intel Debug Extensions for WinDbg” consists of two sets of debugger extensions:

1) Intel Debug Extensions for WinDbg for IA JTAG debugging (IA JTAG) enables the connection of WinDbg to a target over JTAG. The server acts as a mediator and forwards the calls from WinDbg* to the IPC interface and back.

2) Intel Debug Extensions for WinDbg for Intel Processor Trace (Intel PT) is designed to help WinDbg users by extending their debugging tool set with execution tracing. The extension allows for easy setup of Intel PT by abstracting hardware configuration and then reconstructing and displaying execution flow from the collected trace data. It will integrate with other WinDbg* features like symbolization and high-level source display. Intel PT is a new technology for low-overhead execution tracing. It facilitates debugging a program by exposing an accurate and detailed trace of the program’s activity, and its triggering and filtering capabilities help identify and isolate the relevant program executions. Intel PT records information about software execution on each hardware thread using dedicated hardware facilities. After execution completes, software can process the recorded trace data and reconstruct the exact program flow.
[…]
BIOS / UEFI firmware: With firmware that is Intel PT-aware, you can set up an Intel PT-specific memory allocation. In this case, the firmware allocates a dedicated memory area and reserves it in a memory map for further use. Operating systems will recognize this reserved memory range and will not use it. When firmware reserves a memory region for Intel PT, it also configures the Intel PT output MSRs accordingly and indicates that the Intel PT output configuration is ready to be used. The extension will recognize this setup. No further configuration (from the user’s side) is required.

I presume these extensions are only available as part of the commercial-only Intel System Studio product. If you use WinDbg, you may want to try to get these extensions; they sound useful.

More information:

https://software.intel.com/en-us/iss-2016-windbg-pt-user-guide-windows
https://software.intel.com/en-us/articles/intel-system-studio-release-notes
https://software.intel.com/en-us/iss-2016-get-started-debug-extensions-windbg-windows
https://software.intel.com/en-us/intel-system-studio

Windows Phone Internals 1.0 released

I am proud to announce the immediate availability of Windows Phone Internals 1.0. This tool allows you to unlock the bootloader of selected Lumia Windows Phone models. After unlocking the bootloader, you can enable Root Access on the phone or create and flash custom ROMs. I created a short introduction video to show the features of the tool. Root Access allows you to load your own homebrew software onto the phone with high privileges. Apps can escape from their sandboxes. The tool can also create backup images of the phone and access the file system in Mass Storage mode. The tool supports most versions of Windows Phone 8.1 and Windows 10 Mobile. For a complete list of supported phones and operating systems, have a look at the Getting Started section of the tool. The download package also contains an SDK, which helps you easily access the file system and registry on the phone from your own homebrew app.

Be careful and have fun!
Heathcliff74

http://www.wpinternals.net/

Memory Explorer added to DbgKit

Andrey Bazhan has announced Memory Explorer, a new tool in DbgKit, his fancy add-on for Microsoft’s WinDbg debugger. If you do Windows debugging or forensic analysis, you might want to check it out.

http://www.andreybazhan.com/dbgkit.html


fTPM 2.0 research from Microsoft

There’s a new paper from Microsoft Research, on a firmware-based TPM implementation (fTPM):

https://twitter.com/h0x0d/status/662465826503524352

This paper presents the design and implementation of a firmware-based TPM 2.0 (fTPM) leveraging ARM TrustZone. The fTPM is the reference implementation used in millions of mobile devices, and was the first hardware or software implementation to support the newly released TPM 2.0 specification. This paper describes the shortcomings of ARM’s TrustZone for implementing secure services (such as our implementation), and presents three different approaches to overcome them. Additionally, the paper analyzes the fTPM’s security guarantees and demonstrates that many of ARM TrustZone’s shortcomings remain present in future trusted hardware, such as Intel’s Software Guard Extensions (SGX).

Authors: Himanshu Raj, Stefan Saroiu, Alec Wolman, Ronald Aigner, Jeremiah Cox, Paul England, Chris Fenner, Kinshuman Kinshumann, Jork Loeser, Dennis Mattoon, Magnus Nystrom, David Robinson, Rob Spiger, Stefan Thom, and David Wooten

http://research.microsoft.com/apps/pubs/default.aspx?id=258236

Debugging Tools for Windows 10

It looks like Microsoft has updated the Debugging Tools for Windows 10; one of the new features is support for Visual Studio’s NatVis visualization model:

 dx (Display NatVis Expression) – Describes the new dx debugger command, which displays object information using the NatVis extension model and LINQ support.
New commands that work with the NatVis visualization files in the debugger environment.

    .nvlist (NatVis List)
    .nvload (NatVis Load)
    .nvunload (NatVis Unload)
    .nvunloadall (NatVis Unload All)

https://msdn.microsoft.com/en-us/library/windows/hardware/mt219728%28v=vs.85%29.aspx

TCG workshop in Tokyo next month

Today the TCG sent out a news announcement about their presence at the JRF in Tokyo next month. Email headers and footers have been removed, but the body is quoted in full, since there is no URL for it and it only went out in the TCG newsletter.

You’re Invited to Attend the Annual Japan Regional Forum (JRF) Workshop in Tokyo on December 2, 2015.

Date/Time:  Wednesday, December 2, 2015  13:30 – 19:30

Venue: Akihabara UDX Next 1 – Tokyo, Japan

The Japan Regional Forum (JRF) will be hosting its annual Open Workshop on Wednesday, December 2, 2015 at Akihabara UDX in Tokyo.

This 7th annual JRF Workshop is open to both members of the Trusted Computing Group (TCG) and non-members who are interested in TCG activities and issues around security.

This event provides an excellent opportunity to learn about global trends and challenges in IoT, automotive, and embedded systems, and to gain a deeper understanding through the discussions during the event.

The program includes a keynote address from David Grawrock, Senior Principal Engineer at Intel, on TPM core features for Trustworthy in IoT Era. In addition, Koji Ono, Technical Sales, Consumer & Partner Group OEM at Microsoft Japan, will lead a session on the security features of Windows 10 for IoT, and Mark Schiller, Executive Director of the Trusted Computing Group, will introduce TCG efforts for embedded systems and IoT as well as the benefits of joining TCG.

Other speakers include Shinji Sato, IPA (Information-technology Promotion Agency, Japan), Shinichi Horata, JPCERT/CC (Japan Computer Emergency Response Team Coordination Center), and Ryo Kurachi, TCG Invited Expert from Nagoya University.

The session is followed by a reception with food and drink and will provide a great opportunity to network with speakers and members of the TCG. A TCG technology demo showcase will also be available for attendees.

If you are interested in attending this event please visit the TCG JRF website (Japanese) at http://www.trustedcomputinggroup.org/jp/jrfworkshop.

Registration will close on Wednesday, November 25, 2015.

More info:
http://www.trustedcomputinggroup.org/jp/jrfworkshop

Open Compute Project’s new Firmware focus group

The Open Compute Project’s Hardware group is starting a new Firmware focus group, focusing on UEFI Forum and DMTF technologies. The group is led by Mallik Bulusu of Microsoft and Vincent Zimmer of Intel.

During our last meeting, we had a very good discussion about standardizing UEFI interfaces and what makes sense and does not make sense. There is also a need to standardize and streamline FW updates, define bare metal provisioning scenarios and interfaces, extend the security framework to include auditing and monitoring, UEFI configuration management, etc. Also, our alliance groups (UEFI, DMTF) are working on similar or closely related technologies. We want to make sure we work closely with them to make sure we are aligned. Towards that end, Mallik Bulusu and Vincent Zimmer are willing to bootstrap this effort and lead a subgroup that is focused on this. Anyone interested in this topic and willing to contribute, please send an email to Mallik and Vincent expressing your interest. The goal here is to a) come up with a specification that captures OCP member requirements and b) work with our members and alliance partners to get buy-in and implementations for those specs. We will discuss this further in our upcoming monthly meeting.

For more information, see the posting on the OCP Hardware Management list, and their next upcoming monthly meeting.

http://lists.opencompute.org/pipermail/opencompute-hardwaremngt/2015-November/000668.html

new Windows PDB tool: pdb_type_theft.py

As ZDI pointed out, Dustin Childs of HP Security Research (HPSR) has written an article on Windows binaries and their symbols: some type information is missing from the PDBs shipped for current binaries, so he wrote a new tool, pdb_type_theft.py, to copy the missing information over from older PDBs.

In August of this year, Microsoft published an update to NTDLL and along with it, released updated symbols for debugging. These symbols are available as PDBs (program databases). Unfortunately, the symbols that were released contain type information that is missing standard structures and enumerations. As a result, debugging applications on Windows became a far more involved task. Microsoft is aware of the issue but has yet to release updated PDBs that rectify this issue. While they are working on it, I found myself wondering if I could avoid their involvement altogether. Barring any changes to the structures and enumerations, the information from previous versions of the PDBs should still be valid. As such, if I could copy the type information from a previous PDB and inject it into the current PDB, I’d theoretically be able to have everything I expect from a working build process. […] This script requires having a PDB with the type information you want available to copy into another PDB. If you are not in the habit of snapshotting your VMs after every update, the following links may be helpful […]

Full article and source:
http://community.hpe.com/t5/Security-Research/PDB-Type-Theft/ba-p/6801065
https://github.com/thezdi/scripts/blob/master/pdb_type_theft.py

(If you’ve read a few blog entries, you know that I misspell things a lot. Sorry. The other day, Microsoft finally made the PDB spec public, and I blogged on it, calling it “PDF”. Sigh.)

Microsoft publishes PDF file format

Microsoft executables carry symbols in a format (PDB) that has never been publicly documented; it was kept close to the C/C++ compiler team. Microsoft has now published it:

https://github.com/Microsoft/microsoft-pdb

Microsoft symbols can live inside the image or in a separate “sidecar” PDB file. This spec will help tool developers understand the symbols of the code. Microsoft does not ship symbols for all of its code; most are stripped before shipping. Once LLVM clang or GCC supports proper Windows symbols, those compilers can finally become “first-class citizens” on the Windows platform, where the Windows system debugger will recognize their symbols, and the outdated C89-centric Microsoft C compiler will no longer be needed for Windows development! It also means reverse-engineering tools now have the potential to find more information about Windows apps/drivers, if they haven’t already reversed the format earlier.

UEFI firmware is built as PE/COFF images with the same executable tools, up until the last step, when some PE images (typically PEI-phase modules) are converted to TE images. Terse Executables (TE) are a slight variation on PE images, with the DOS stub and most of the PE headers stripped to save space in firmware. I am not sure how this new symbol spec will impact UEFI, if at all.
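To make the PE-to-TE relationship concrete, here is an added example in Python (not code from this blog or from the EDK2 project) that parses the 40-byte EFI_TE_IMAGE_HEADER and the section table of a TE image and maps RVAs back to file offsets. The quirk it demonstrates: the conversion strips StrippedSize bytes of PE headers but leaves every RVA and PointerToRawData as it was in the original PE, so a reader has to subtract (StrippedSize - 40) to reach the actual bytes. The sample image is constructed inside the block; the machine and subsystem tables are the ones a firmware analyst would expect to see, not anything taken from the page.

```python
"""Parse the header and section table of a UEFI Terse Executable (TE) image.

Added example, not code from the blog post or from EDK2. The header fields
are EFI_TE_IMAGE_HEADER from the UEFI PI specification; the sample image is
constructed below for the offline demo.
"""
import struct
from typing import List, NamedTuple, Tuple

TE_SIGNATURE = b"VZ"
# Signature, Machine, NumberOfSections, Subsystem, StrippedSize, AddressOfEntryPoint,
# BaseOfCode, ImageBase, DataDirectory[0] (BaseReloc), DataDirectory[1] (Debug)
TE_HEADER_FMT = "<2sHBBHIIQIIII"
TE_HEADER_SIZE = struct.calcsize(TE_HEADER_FMT)          # 40 bytes
SECTION_FMT = "<8sIIIIIIHHI"                             # IMAGE_SECTION_HEADER, unchanged from PE
SECTION_SIZE = struct.calcsize(SECTION_FMT)              # 40 bytes

MACHINE_NAMES = {0x014C: "IA32", 0x8664: "X64", 0x01C2: "ARM", 0xAA64: "AARCH64", 0x0EBC: "EBC"}
SUBSYSTEM_NAMES = {10: "EFI_APPLICATION", 11: "EFI_BOOT_SERVICE_DRIVER", 12: "EFI_RUNTIME_DRIVER"}


class TeHeader(NamedTuple):
    machine: int
    number_of_sections: int
    subsystem: int
    stripped_size: int
    entry_point: int
    base_of_code: int
    image_base: int
    reloc_dir: Tuple[int, int]   # (rva, size)
    debug_dir: Tuple[int, int]   # (rva, size); points at the CodeView/PDB record if one was kept


def image_kind(data: bytes) -> str:
    """Tell a TE image from a plain PE/COFF one by its two-byte signature."""
    if data[:2] == TE_SIGNATURE:
        return "TE"
    if data[:2] == b"MZ":
        return "PE"
    return "unknown"


def parse_te_header(data: bytes) -> TeHeader:
    if len(data) < TE_HEADER_SIZE or data[:2] != TE_SIGNATURE:
        raise ValueError("not a TE image")
    f = struct.unpack_from(TE_HEADER_FMT, data, 0)
    return TeHeader(machine=f[1], number_of_sections=f[2], subsystem=f[3], stripped_size=f[4],
                    entry_point=f[5], base_of_code=f[6], image_base=f[7],
                    reloc_dir=(f[8], f[9]), debug_dir=(f[10], f[11]))


def te_rva_to_offset(hdr: TeHeader, rva: int) -> int:
    """Map an RVA to a file offset.  RVAs still describe the original PE layout, whose
    StrippedSize bytes of headers were replaced by the 40-byte TE header, so every RVA
    (and PointerToRawData) is ahead of the real position by that difference."""
    return rva - (hdr.stripped_size - TE_HEADER_SIZE)


def parse_sections(data: bytes, hdr: TeHeader) -> List[dict]:
    """The section table follows the TE header directly; fix up each raw-data pointer."""
    out = []
    for i in range(hdr.number_of_sections):
        off = TE_HEADER_SIZE + i * SECTION_SIZE
        name, _vsize, va, raw_size, raw_ptr, *_rest, chars = struct.unpack_from(SECTION_FMT, data, off)
        out.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "rva": va, "size": raw_size,
                    "file_offset": te_rva_to_offset(hdr, raw_ptr), "characteristics": chars})
    return out


def entry_bytes(data: bytes, n: int = 4) -> bytes:
    """First n bytes at the entry point, located through the TE fix-up."""
    hdr = parse_te_header(data)
    off = te_rva_to_offset(hdr, hdr.entry_point)
    return data[off:off + n]


def build_sample_te() -> bytes:
    """Constructed x64 boot-service driver: 0x1C8 bytes of PE headers were stripped,
    .text at RVA 0x240 holds the entry point at 0x250, .data follows at 0x280."""
    stripped, entry = 0x1C8, 0x250
    text_rva, text_size, data_rva, data_size = 0x240, 0x40, 0x280, 0x20
    header = struct.pack(TE_HEADER_FMT, TE_SIGNATURE, 0x8664, 2, 11, stripped, entry, text_rva, 0,
                         0, 0, 0, 0)
    sections = struct.pack(SECTION_FMT, b".text\0\0\0", text_size, text_rva, text_size, text_rva,
                           0, 0, 0, 0, 0x60000020)
    sections += struct.pack(SECTION_FMT, b".data\0\0\0", data_size, data_rva, data_size, data_rva,
                            0, 0, 0, 0, 0xC0000040)
    adj = stripped - TE_HEADER_SIZE
    img = bytearray(data_rva + data_size - adj)            # file is shorter than the RVA space
    img[:len(header) + len(sections)] = header + sections
    text = bytearray(b"\xCC" * text_size)
    text[entry - text_rva:entry - text_rva + 4] = b"\x48\x83\xEC\x28"   # sub rsp, 0x28
    img[text_rva - adj:text_rva - adj + text_size] = text
    return bytes(img)


if __name__ == "__main__":
    img = build_sample_te()
    hdr = parse_te_header(img)
    print(image_kind(img), MACHINE_NAMES.get(hdr.machine, hex(hdr.machine)),
          SUBSYSTEM_NAMES.get(hdr.subsystem, hdr.subsystem), "stripped", hex(hdr.stripped_size))
    for s in parse_sections(img, hdr):
        print("  %-6s rva=%#06x file_offset=%#06x size=%#x" % (s["name"], s["rva"], s["file_offset"], s["size"]))
    print("entry", hex(hdr.entry_point), "-> file offset", hex(te_rva_to_offset(hdr, hdr.entry_point)),
          entry_bytes(img).hex())
```

The same fix-up applies to the debug directory: if the converter kept it, its RVA still needs the (StrippedSize - 40) correction before you can read the CodeView record that names the PDB, which is the detail a symbol-loading tool has to get right for TE images.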

Red Balloon Security

http://www.redballoonsecurity.com/

“Red Balloon Security was founded in 2011 by two of the world’s leading cyber-security researchers. We are a Columbia Portfolio Company and a Microsoft Ventures Accelerator Company.”

“Project Symbiote: The First Universal Embedded Defense for all embedded devices. Cyber-security threat actors today are shifting to the lowest hanging fruit. Most networked devices shipping today are not desktops, laptops or servers and none of them have strong host-based defense. Your automotive, point-of-sale, unified communications, Internet-of-Things, SCADA, home and office equipment are highly vulnerable and are actively being compromised today, whether for corporate espionage, financial fraud, or state-to-state cyber warfare. Red Balloon Security is devoted to hardening all devices against malicious intrusion. Device manufacturers can now inject Symbiote Defense into any device regardless of CPU type and operating system. No hardware or source code modifications required.”

Change.org petition for more user control in Windows 10

Users need details about what an update contains from firmware vendors, not just from application vendors, and right now OEMs/IHVs/ODMs are all terrible at providing this. Some of the points in this petition ask for exactly that kind of vendor information; excerpts:

1) Microsoft must give Windows 10 users more control over when updates are installed. We need the ability to delay or hide damaging updates that impact the computing experience, have undesirable side effects such as blue screens of death, or reduce the functionality to attached devices. Under the current system of mandated updates, we have been adversely impacted by forced driver and firmware updates plus other patches; we’ve wasted hours dealing with the unwanted side effects. As long-time Windows users, we understand the need to have quicker and more agile security updating. But this agility should not introduce additional risks to our systems. Windows 10 updates have already caused loss of system functionality, video and display issues, and other significant issues.

2) Microsoft should provide detailed information on what’s in each update — along with what system changes we should see with each cumulative-update release. We applaud the cumulative-update model, but the lack of documentation doesn’t let us perform the due diligence required for safely deploying and maintaining Windows 10 systems in our organizations. […]

https://www.change.org/p/satya-nadella-microsoft-what-computer-users-want-changed-in-windows-10

http://www.eweek.com/developing-stories/change.org-petition-calls-for-microsoft-to-revamp-windows-10-updates.html

https://windows.uservoice.com/forums/265757-windows-feature-suggestions/suggestions/9483897-we-need-better-knowledge-base-articles-for-windows

https://windows.uservoice.com/forums/265757-windows-feature-suggestions/suggestions/7960296-windows-update-configuration-options

Bunnie asked to testify on Xbox reversing trial

Bunnie Huang, founder of Bunnie Studios (makers of the open-source-hardware Novena laptop) and author of “Hacking the Xbox”, has been asked to testify in an Xbox jailbreaking case; from the BoingBoing article:

Terrified feds try to bar Bunnie Huang from testifying at Xbox jailbreaking trial

Bunnie “Chumby” Huang, whose Hacking the Xbox is a reverse-engineer’s bible, has been asked to testify at the trial of Anaheim’s Matthew Crippen, who faces three years in prison for jailbreaking Xbox 360s (that is, modding them so that they could run software that Microsoft hadn’t authorized). But federal prosecutors have asked the judge to prevent Bunnie from testifying.
    The 35-year-old Huang argues that mod-chipping is not a violation of the Digital Millennium Copyright Act, which makes it unlawful to circumvent technology designed to prevent copyright infringement. He said he hopes to prove that point to jurors via a step-by-step tutorial.
    “Basically, what he did was insufficient on his own to violate anything,” Huang said in a recent telephone interview from Singapore, where he serves as vice president of hardware and general manager for Chumby’s operations in Asia.

Full article:

Terrified feds try to bar Bunnie Huang from testifying at Xbox jailbreaking trial

(3 years in prison for modifying a device you ‘own’? Wow.)

List of UEFI-based Windows 10 features

Johan Arwidmark recently posted an article, “List of Windows 10 features that requires UEFI”

One of the many restrictions of the Windows 10 in-place upgrade process is that it doesn’t support changing BIOS to UEFI (see my Windows 10 Upgrade Limitations post for a complete listing). So, do you really need UEFI to deploy Windows 10? The answer is no, Windows 10 can absolutely be deployed to BIOS-based machines, but some of its features do require UEFI. Here is the (current) list:

Full article:
http://deploymentresearch.com/Research/Post/514/List-of-Windows-10-features-that-requires-UEFI