bcdedit-revert-uefi-gpt-boot-order: PowerShell script to modify the UEFI/GPT boot order

This PowerShell script modifies the UEFI/GPT boot order by finding the first non-Windows entry and moving it to the top of the order. When using UEFI+GPT, the Windows installation (since Windows 7?) creates its own boot device entry (“Windows Boot Manager”, a.k.a. “{bootmgr}”) in the UEFI/GPT boot order list and, obnoxiously, takes the liberty of moving said entry to the top of the list. Under most circumstances, this is fine, and probably desirable. However, for systems used for repeated deployment testing, or systems on which you want a different bootloader to take priority (such as dual-boot systems, or computer lab systems that can be remotely re-imaged), this is a show stopper. So I needed a way to do this programmatically. This script makes use of the arcane and undocumented {fwbootmgr} identifier implemented by bcdedit to find the first non-Windows boot device entry in the UEFI/GPT boot order list and move it to the top of the list.

https://github.com/mmseng/bcdedit-revert-uefi-gpt-boot-order
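The procedure above, as an added example that is not the repository's own script: it parses `bcdedit /enum firmware`, walks the `displayorder` list of the `{fwbootmgr}` pseudo-entry, and promotes the first identifier that is neither `{bootmgr}` nor described as "Windows Boot Manager". It assumes an elevated PowerShell on a UEFI/GPT machine and English bcdedit output (the property names `identifier`, `displayorder` and `description` are matched literally); the function names are the example's own.

```powershell
<#
  Added example, not the bcdedit-revert-uefi-gpt-boot-order script itself.
  Assumes: elevated PowerShell, UEFI/GPT system, English bcdedit output.
  Run with -WhatIf to preview the change without touching the boot order.
#>
[CmdletBinding(SupportsShouldProcess)]
param()

# Parse bcdedit's "name<spaces>value" blocks into identifier -> @{ property = @(values) }.
# Continuation lines (leading whitespace, value only) extend the previous property,
# which is how bcdedit prints multi-valued properties such as displayorder.
function ConvertFrom-BcdEnum {
    param([string[]]$Lines)
    $entries = @{}
    $props   = $null
    $lastKey = $null
    foreach ($line in $Lines) {
        if ($line -match '^(\w+)\s{2,}(\S.*)$') {
            $key = $Matches[1]; $value = $Matches[2].Trim()
            if ($key -eq 'identifier') {          # start of a new entry block
                $props = @{}
                $entries[$value] = $props
            }
            if ($null -ne $props) { $props[$key] = @($value); $lastKey = $key }
        }
        elseif ($line -match '^\s+(\S.*)$' -and $null -ne $props -and $lastKey) {
            $props[$lastKey] += $Matches[1].Trim()   # continuation of a list value
        }
        else {
            $lastKey = $null                         # header, dashes or blank line
        }
    }
    return $entries
}

# Return the first identifier in {fwbootmgr}'s displayorder that is not Windows'.
function Get-FirstNonWindowsBootEntry {
    param([hashtable]$Entries)
    $fw = $Entries['{fwbootmgr}']
    if ($null -eq $fw -or -not $fw.ContainsKey('displayorder')) {
        throw 'No {fwbootmgr} entry found: not UEFI/GPT, or bcdedit was not run elevated'
    }
    foreach ($id in $fw['displayorder']) {
        if ($id -eq '{bootmgr}') { continue }
        $desc = if ($Entries.ContainsKey($id)) { "$($Entries[$id]['description'])" } else { '' }
        if ($desc -like 'Windows Boot Manager*') { continue }
        return $id
    }
    return $null
}

$entries = ConvertFrom-BcdEnum -Lines (bcdedit /enum firmware)
$target  = Get-FirstNonWindowsBootEntry -Entries $entries
if (-not $target) {
    Write-Warning 'Firmware boot order contains only Windows Boot Manager; nothing to do.'
    return
}
if ($entries['{fwbootmgr}']['displayorder'][0] -eq $target) {
    Write-Host "$target is already first in the firmware boot order."
    return
}
$desc = "$($entries[$target]['description'])"
if ($PSCmdlet.ShouldProcess('{fwbootmgr}', "move $target ($desc) to the top of displayorder")) {
    # /addfirst prepends to the existing displayorder instead of replacing it
    bcdedit /set '{fwbootmgr}' displayorder $target /addfirst
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }

    # Re-read the list and confirm the change actually landed in the firmware variables
    $after = ConvertFrom-BcdEnum -Lines (bcdedit /enum firmware)
    if ($after['{fwbootmgr}']['displayorder'][0] -ne $target) {
        throw "displayorder did not change; $target is not first after the write"
    }
    Write-Host "Promoted $target ($desc) to the top of the firmware boot order."
}
```

Run it elevated and with `-WhatIf` first to see which entry would be promoted. Because Windows re-promotes `{bootmgr}` on its own (the behaviour the README describes), a one-off run is not enough on a machine that is re-imaged or updated repeatedly; running it as a scheduled task at startup, or at the end of the imaging process, keeps the intended bootloader first.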

Get-USBHistory: get history of USB flash drive usage using PowerShell

https://gallery.technet.microsoft.com/scriptcenter/Get-USBHistory-707e43a3

Use PowerShell to Find the History of USB Flash Drive Usage

Patching Yourself into Windows Code Integrity, Part 1: On-Disk Patching

I started this whole thing because I wanted to run my own kernel-mode code while still having access to games protected by anti-cheat that don’t allow test signing, and I didn’t want to shell out the time and money required to get an EV certificate. […]I’m going to start out by patching binaries on disk, but the end result will be a UEFI application that patches all binaries in memory. […]

https://github.com/Avery3R/re-writeups/blob/master/windows-ci/part1_on_disk_patching.md

Writing a Hyper-V “Bridge” for Fuzzing — Part 1: WDF

https://twitter.com/aionescu/status/1085559401149284352

After spending the better part of a weekend writing a specialized Windows driver for the purposes of allowing me to communicate with the Hyper-V hypervisor, as well as the Secure Kernel, from user-mode, I realized that there was a dearth of concise technical content on non-PnP driver development, and especially on how the Windows Driver Foundation (WDF) fundamentally changes how such drivers can be developed. While I’ll eventually release my full tool, once better polished, on GitHub, I figured I’d share some of the steps I took in getting there. Unlike my more usual low-level super-technical posts, this one is meant more as an introduction and tutorial, so if you already consider yourself experienced in WDF driver development, feel free to wait for Part 2.

Reminder: firmware talk/lab at July DC206 Meeting

NASM-UEFI: UEFI sample application built in NASM

OS Development on Windows – Part 1: Building a UEFI Application in NASM

This is a series of articles on developing your own operating system. We will be focusing on modern techniques, like UEFI booting and 64-bit assembly, and everything will be created from scratch. I will be going step-by-step, explaining every tool we use and every line of code, so that you have a thorough understanding of the process. You should be able to copy-paste these steps and get the same results I am describing. In addition, we will be doing this on Windows and using the tools available on this platform only. OS development is almost exclusively done on UNIX-like systems because the tools are more readily available and documented. I hope to show you how easy this is to do on Windows too.[…]

https://github.com/BrianOtto/nasm-uefi

https://hackerpulp.com/os/os-development-windows-1-building-uefi-applications-nasm/


Melting Down PatchGuard: Leveraging KPTI to Bypass Kernel Patch Protection

by Omri Misgav & Udi Yavo on October 26, 2018 –

The mitigation for Meltdown created a new part in the kernel which PatchGuard left unprotected, making hooking of system calls and interrupts possible, even with HVCI enabled.[…]

https://blog.ensilo.com/meltdown-patchguard

Introducing the Windows Internals Series: One Windows Kernel

https://insider.windows.com/en-us/articles/category/article-categories/windows-internals/

Microsoft: Component Firmware Update (CFU)

October 17, 2018 4:02 pm
Introducing Component Firmware Update
By Microsoft Devices Team

The Microsoft Devices Team is excited to announce the release of an open-source model for Component Firmware Update for Windows system developers – Component Firmware Update (CFU). With CFU, you can easily deliver firmware updates through Windows Update by using CFU drivers.[…]

https://blogs.windows.com/buildingapps/2018/10/17/introducing-component-firmware-update/

Microsoft Bitlocker countermeasures and Thunderbolt DMA protection

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures

https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt

Dependencies – An open-source modern Dependency Walker for Windows

A rewrite of the old legacy software “depends.exe” in C# for Windows devs to troubleshoot DLL load dependency issues.

SpeculationControl: PowerShell script

SpeculationControl is a PowerShell script that summarizes the state of configurable Windows mitigations for various speculative execution side channel vulnerabilities, such as CVE-2017-5715 (Spectre variant 2) and CVE-2017-5754 (Meltdown). For an explanation on how to interpret the output of this tool, please see Understanding Get-SpeculationControlSettings PowerShell script output.[…]

https://github.com/Microsoft/SpeculationControl

https://support.microsoft.com/en-us/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell

ChromeBook CampFire?

https://twitter.com/coolstarorg/status/1028677996578660352

Everything we know about Campfire, Google’s secretive project to get Windows 10 running on Chromebooks.[…]

https://www.xda-developers.com/chromebooks-chrome-os-windows-10-dual-boot-apple-boot-camp-campfire/