Uncategorized

Adaptiva Secure 10: BIOS to UEFI

New registration-required freeware from Adaptiva:

Adaptiva’s free Secure 10 is a complete automation solution for ConfigMgr admins to make the BIOS to UEFI conversion process simple and unattended. With Secure 10, migrations take much less time and no IT staff need to be on-site during the process. Now including support for the new MBR2GPT.exe tool for retaining data while making the switch, as well as ConfigMgr 1610+ WinPE boot image pre-staging. Also new: two complete task sequences to save time integrating into your deployments! […] The open solution includes detailed documentation to help SCCM system administrators overcome the complexities of automating the conversion from:

* BIOS to UEFI – Secure 10 automates the conversion process from the legacy BIOS firmware typically used in Windows 7/8 systems to the more powerful Unified Extensible Firmware Interface (UEFI) technology. UEFI is required to enable key enterprise security features available in Windows 10.

* MBR to GPT – Secure 10 now includes support for the MBR2GPT.exe tool, which helps convert the disk layout on a PC from the legacy Master Boot Record (MBR) to GUID Partition Table (GPT). The new tool is the only Microsoft-supported tool to convert a production disk from MBR to GPT without data loss, greatly speeding in-place upgrades to Windows 10.

* WinPE Pre-staging – Microsoft recently introduced the capability to pre-stage a WinPE boot image to a partition from within an SCCM Task Sequence and have that image persist during the conversion from MBR to GPT. Secure 10 supports this capability for refresh/replace scenarios.

https://www.adaptiva.com/blog/2017/adaptiva-releases-bios-uefi-solution-update-speed-windows-10-migrations/


Mike on Windows Config Mgr and Secure Boot

Mike Terrill has 2 blog posts on Windows Configuration Manager and UEFI Secure Boot:

BIOS and Secure Boot State Detection during a Task Sequence
With all of the security issues and malware lately, BIOS to UEFI for Windows 10 deployments is becoming a pretty hot topic (unless you have been living under a rock, UEFI is required for a lot of the advanced security functions in Windows 10). In addition, with the Windows 10 Creators Update, Microsoft has introduced a new utility called MBR2GPT that makes the move to UEFI a non-destructive process. If you have already started deploying Windows 10 UEFI devices, it can be tricky to determine what state these devices are in during a running Task Sequence. The Configuration Manager Team introduced a new class called SMS_Firmware and an inventory property called UEFI that helps determine which computers are running in UEFI in Current Branch 1702. This can be used to build queries for targeting and reports, but it would be nice to handle this plus Secure Boot state (and CSM) during a running Task Sequence. We do have the Task Sequence variable called _SMSTSBootUEFI that we will use, but we need to determine the exact configuration in order to execute the correct steps.[…]

https://miketerrill.net/2017/05/13/bios-and-secure-boot-state-detection-during-a-task-sequence/

https://miketerrill.net/2017/05/30/bios-and-secure-boot-state-detection-during-a-task-sequence-part-2/
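Both the Adaptiva announcement above and Mike Terrill's posts come down to the same first step: before a task sequence touches firmware settings or runs MBR2GPT, it has to know whether the machine booted via UEFI or legacy BIOS, whether Secure Boot is on, and whether the system disk is MBR or GPT. The following PowerShell is an added example written for this page, not code from Adaptiva, Mike Terrill or Microsoft. It assumes it runs on Windows 8.1/10 (full OS, or WinPE with the PowerShell component), reads the real ConfigMgr `_SMSTSBootUEFI` variable through the `Microsoft.SMS.TSEnvironment` COM object, and publishes its findings under hypothetical `OSD*` variable names chosen for this example; the `mbr2gpt.exe /validate` switches are Microsoft's documented ones.

```powershell
# Added example: detect firmware / Secure Boot / disk-layout state for a
# BIOS-to-UEFI task sequence and publish the result as TS variables.
# Variable names starting with "OSD" are hypothetical (chosen for this example).

function Get-FirmwareType {
    # Windows 8 and later set $env:firmware_type to "UEFI" or "Legacy" in the full OS.
    if ($env:firmware_type) { return $env:firmware_type }
    # In WinPE fall back to ConfigMgr's read-only _SMSTSBootUEFI variable.
    try {
        $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
        if ($ts.Value('_SMSTSBootUEFI') -eq 'true') { return 'UEFI' } else { return 'Legacy' }
    } catch { return 'Unknown' }
}

function Get-SecureBootState {
    # Confirm-SecureBootUEFI throws on BIOS/CSM boots; that exception is itself the signal.
    try {
        if (Confirm-SecureBootUEFI) { return 'Enabled' } else { return 'Disabled' }
    } catch { return 'NotSupported' }
}

function Get-SystemDiskPartitionStyle {
    param([int]$DiskNumber = 0)   # assumption: disk 0 carries the OS
    return (Get-Disk -Number $DiskNumber).PartitionStyle   # 'MBR' or 'GPT'
}

function Test-Mbr2GptReady {
    # Dry run only: /validate makes no changes. /allowFullOS is required outside WinPE.
    param([int]$DiskNumber = 0)
    $args = @('/validate', "/disk:$DiskNumber")
    if ($env:SystemDrive -ne 'X:') { $args += '/allowFullOS' }
    & "$env:SystemRoot\System32\mbr2gpt.exe" @args | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-ConversionPlan {
    # Maps the three observed facts onto the branch the task sequence should take.
    param([string]$Firmware, [string]$SecureBoot, [string]$PartitionStyle)
    switch ("$Firmware/$PartitionStyle/$SecureBoot") {
        'UEFI/GPT/Enabled'     { return 'NoActionNeeded' }
        'UEFI/GPT/Disabled'    { return 'EnableSecureBootOnly' }
        'UEFI/MBR/*'           { return 'ConvertDiskToGpt' }          # CSM boot of an MBR disk
        'Legacy/GPT/*'         { return 'SwitchFirmwareToUefi' }      # disk already converted
        'Legacy/MBR/*'         { return 'ConvertDiskThenSwitchFirmware' }
        default                { return 'ManualReview' }
    }
}

# Gather state, publish it, and refuse the conversion branch if the dry run fails.
$firmware = Get-FirmwareType
$secure   = Get-SecureBootState
$style    = Get-SystemDiskPartitionStyle
$plan     = Get-ConversionPlan -Firmware $firmware -SecureBoot $secure -PartitionStyle $style
if ($plan -like 'Convert*' -and -not (Test-Mbr2GptReady)) { $plan = 'ManualReview' }

try {
    $ts = New-Object -ComObject Microsoft.SMS.TSEnvironment
    $ts.Value('OSDFirmwareType')   = $firmware   # hypothetical variable names
    $ts.Value('OSDSecureBoot')     = $secure
    $ts.Value('OSDPartitionStyle') = $style
    $ts.Value('OSDConversionPlan') = $plan
} catch {
    # Not running inside a task sequence (e.g. interactive test): just report.
    Write-Output "Firmware=$firmware SecureBoot=$secure Disk=$style Plan=$plan"
}
```

The `switch` uses wildcard-free literal matches except where `*` appears in the pattern, which PowerShell treats literally unless `-Wildcard` is given; if you want the `*` entries to match any Secure Boot value, add `-Wildcard` to the `switch` statement. The point of the `mbr2gpt /validate` dry run is that a disk with more than three primary partitions, a non-NTFS system volume or no room for the EFI partition fails validation, and the sequence should fall out to manual review rather than attempt a conversion that would be rolled back halfway.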



Microsoft WinHEC Taipei 2017

Welcome to WinHEC June 2017 Registration
The Windows Hardware Engineering Community (WinHEC) is where technical experts from around the world, and Microsoft, come together to make Windows great for every customer. Our next WinHEC event is June 14th and 15th in Taipei, Taiwan. The workshop will feature sessions and a lab for developers, product managers and planners to help prepare for Windows 10 S and to showcase the benefits of adopting key hardware features. Presentations will include: Introduction to Universal Drivers, Universal Developer Center for Hardware and Driver Servicing, Driver Flighting end-to-end, Windows Ink, Windows 10 Mixed Reality, Designing and Optimizing for Long Battery Life and Responsive Windows Devices, Windows Hello, and Developer Platform Updates. We will also have a guided, hands-on lab to explore and practice the concepts covered in the Introduction to Universal Driver session.

https://www.microsoftevents.com/profile/form/index.cfm?PKformID=0x19594336ecd



SimpleSvm: hypervisor for AMD Windows systems

SimpleSvm is a minimalistic educational hypervisor for Windows on AMD processors. It aims to provide small and explanatory code to use Secure Virtual Machine (SVM), the AMD version of Intel VT-x, with Nested Page Tables (NPT) from a Windows driver. SimpleSvm is inspired by SimpleVisor, an Intel x64/EM64T VT-x specific hypervisor for Windows, written by Alex Ionescu.

https://github.com/tandasat/SimpleSvm


ltmdm64_poc

Windows 7 SP1 x64 Code Integrity Bypass POC using ltmdm64.sys
A bug was found in ltmdm64.sys!DriverEntry: the driver incorrectly uses the RtlQueryRegistryValues API, and it also lacks security cookies across the entire binary except for the GsDriverEntry function. This PoC was created back in 2014 and submitted later to MSRC; they were not able to locate the driver authors, but also didn’t take any action on fixing the problem. ltmdm64.sys has shipped since Windows Vista and is present in digitally signed catalog files. This PoC is detected by Windows Defender as Exploit:Win64/Ropero.A

https://github.com/int0/ltmdm64_poc



MemoryMonRWX: Windows hypervisor to detect rootkits

Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems, new technologies developed by Intel and AMD for their CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to the memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support of multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.

http://igorkorkin.blogspot.com/2017/03/memorymonrwx-detect-kernel-mode.html
