Get-USBHistory: get history of a USB flash driving using PowerShell

https://gallery.technet.microsoft.com/scriptcenter/Get-USBHistory-707e43a3

https://devblogs.microsoft.com/scripting/use-powershell-to-find-the-history-of-usb-flash-drive-usage/

Patching Yourself into Windows Code Integrity, Part 1: On-Disk Patching

I started this whole thing because I wanted to run my own kernel-mode code while still having access games protected by anti-cheat that don’t allow test signing, and I didn’t want to shell out the time and money required to get an EV certificate. […]I’m going to start out by patching binaries on disk, but the end result will be a UEFI application that patches all binaries in memory. […]

https://github.com/Avery3R/re-writeups/blob/master/windows-ci/part1_on_disk_patching.md

Writing a Hyper-V “Bridge” for Fuzzing — Part 1: WDF

After spending the better part of a weekend writing a specialized Windows driver for the purposes of allowing me to communicate with the Hyper-V hypervisor, as well as the Secure Kernel, from user-mode, I realized that there was a dearth of concise technical content on non-PnP driver development, and especially on how the Windows Driver Foundation (WDF) fundamentally changes how such drivers can be developed. While I’ll eventually release my full tool, once better polished, on GitHub, I figured I’d share some of the steps I took in getting there. Unlike my more usual low-level super-technical posts, this one is meant more as an introduction and tutorial, so if you already consider yourself experienced in WDF driver development, feel free to wait for Part 2.

http://www.alex-ionescu.com/?p=377

hdk – (unofficial) Hyper-V® Development Kit

The HDK is an updated version of the HvGdk.h header file published under MSR-LA as part of the Singularity Research Kernel. It has been updated to add the latest definitions, structures and definitions as described in the Microsoft Hypervisor Top-Level Functional Specification (TLFS) 5.0c published June 2018.

https://ionescu007.github.io/hdk/

NASM-UEFI: UEFI sample application built in NASM

OS Development on Windows – Part 1: Building a UEFI Application in NASM

This is a series of articles on developing your own operating system. We will be focusing on modern techniques, like UEFI booting and 64-bit assembly, and everything will be created from scratch. I will be going step-by-step, explaining every tool we use and every line of code, so that you have a thorough understanding of the process. You should be able to copy-paste these steps and get the same results I am describing. In addition, we will be doing this on Windows and using the tools available on this platform only. OS development is almost exclusively done on UNIX-like systems because the tools are more readily available and documented. I hope to show you how easy this is to do on Windows too.[…]

https://github.com/BrianOtto/nasm-uefi

https://hackerpulp.com/os/os-development-windows-1-building-uefi-applications-nasm/

UEFI

Melting Down PatchGuard: Leveraging KPTI to Bypass Kernel Patch Protection

by Omri Misgav & Udi Yavo on October 26, 2018 –

The mitigation for Meltdown created a new part in the kernel which PatchGuard left unprotected, making hooking of system calls and interrupts possible, even with HVCI enabled.[…]

https://blog.ensilo.com/meltdown-patchguard

Introducing the Windows Internals Series: One Windows Kernel

https://insider.windows.com/en-us/articles/category/article-categories/windows-internals/

Microsoft: Component Firmware Update (CFU)

October 17, 2018 4:02 pm
Introducing Component Firmware Update
By Microsoft Devices Team

The Microsoft Devices Team is excited to announce the release of an open-source model for Component Firmware Update for Windows system developers – Component Firmware Update (CFU). With CFU, you can easily deliver firmware updates for through Windows Update by using CFU drivers.[…]

https://blogs.windows.com/buildingapps/2018/10/17/introducing-component-firmware-update/

Microsoft Bitlocker countermeasures and Thunderbolt DMA protection

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-countermeasures

https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt

Dependencies – An open-source modern Dependency Walker for Windows

A rewrite of the old legacy software “depends.exe” in C# for Windows devs to troubleshoot dll load dependencies issues.
Usage Exemple

SpeculationControl: PowerShell script

SpeculationControl is a PowerShell script that summarizes the state of configurable Windows mitigations for various speculative execution side channel vulnerabilities, such as CVE-2017-5715 (Spectre variant 2) and CVE-2017-5754 (Meltdown). For an explanation on how to interpret the output of this tool, please see Understanding Get-SpeculationControlSettings PowerShell script output.[…]

https://github.com/Microsoft/SpeculationControl

https://support.microsoft.com/en-us/help/4074629/understanding-the-output-of-get-speculationcontrolsettings-powershell

ChromeBook CampFire?

Everything we know about Campfire, Google’s secretive project to get Windows 10 running on Chromebooks.[…]

https://www.xda-developers.com/chromebooks-chrome-os-windows-10-dual-boot-apple-boot-camp-campfire/

 

Back Doors for Cross-Signed Windows Drivers

Four undocumented registry values vary the default validation of signatures on kernel-mode code such that Windows 10 may allow cross-signed drivers when it is otherwise documented as requiring Microsoft-signed drivers. This may be welcome for running your own drivers on your own computers without having to send them to Microsoft. Or it may be an unwelcome exposure to software that would install drivers by surprise, including to let malware elevate from administrative access to kernel-mode execution. Setting these values requires administrative access. Their action is subject to System Integrity policy, which provides the best defence.[…]

http://www.geoffchappell.com/notes/security/whqlsettings/