A Fuzzer for Windows NDIS Drivers OID Handlers developed by @kiqueNissim of @IOActive: https://t.co/JSF9tm9CMM … anyone interested in fuzzing, in general, is welcome to a digital copy of @pedramamini's book on the matter: https://t.co/y0pVF1QKhj bit dated, but still applicable.
— InQuest (@InQuest) November 8, 2018
by Omri Misgav & Udi Yavo on October 26, 2018 –
The mitigation for Meltdown created a new part in the kernel which PatchGuard left unprotected, making hooking of system calls and interrupts possible, even with HVCI enabled.[…]
October 17, 2018 4:02 pm
Introducing Component Firmware Update
By Microsoft Devices Team
The Microsoft Devices Team is excited to announce the release of an open-source model for Component Firmware Update for Windows system developers – Component Firmware Update (CFU). With CFU, you can easily deliver firmware updates through Windows Update by using CFU drivers.[…]
As the tweet mentions, there is a disparity in OS-level access to UEFI runtime services.
SpeculationControl is a PowerShell script that summarizes the state of configurable Windows mitigations for various speculative execution side channel vulnerabilities, such as CVE-2017-5715 (Spectre variant 2) and CVE-2017-5754 (Meltdown). For an explanation on how to interpret the output of this tool, please see Understanding Get-SpeculationControlSettings PowerShell script output.[…]
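A worked example of running the script and reducing its report to a short checklist. This is added here and is not code from the page or from Microsoft's module; it assumes PowerShell 5+ with PowerShellGet, and the property names it looks up (BTIHardwarePresent, BTIWindowsSupportPresent, BTIWindowsSupportEnabled, KVAShadowRequired, KVAShadowWindowsSupportPresent, KVAShadowWindowsSupportEnabled) are the ones the script reported for Spectre variant 2 and Meltdown at the time; they are looked up defensively so a renamed property shows as "not reported" rather than as a false pass. The two FeatureSettingsOverride registry values it reads at the end are the documented override switches from Microsoft's KB 4072698, read here only so an override is visible, never written.

```powershell
# Added example (not from the page or the SpeculationControl module):
# run Get-SpeculationControlSettings and print a pass/fail checklist.
# Install-Module with -Scope CurrentUser does not need an elevated prompt.
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl

# The cmdlet writes its own narrative report to the host and returns an
# object with one Boolean per setting; keep the object.
$s = Get-SpeculationControlSettings
if (-not $s) { throw 'Get-SpeculationControlSettings returned nothing' }

# Assumed property names (as reported by the script for CVE-2017-5715 and CVE-2017-5754).
$checks = [ordered]@{
    'Spectre v2: CPU microcode support present'   = 'BTIHardwarePresent'
    'Spectre v2: Windows support present'         = 'BTIWindowsSupportPresent'
    'Spectre v2: mitigation enabled'              = 'BTIWindowsSupportEnabled'
    'Meltdown:   Windows KVA shadow support'      = 'KVAShadowWindowsSupportPresent'
    'Meltdown:   KVA shadow enabled'              = 'KVAShadowWindowsSupportEnabled'
}
foreach ($label in $checks.Keys) {
    $prop = $s.PSObject.Properties[$checks[$label]]
    $state = if ($null -eq $prop) { 'not reported by this module version' }
             elseif ($prop.Value)  { 'yes' }
             else                  { 'NO' }
    '{0,-48} {1}' -f $label, $state
}
# A CPU that is not vulnerable to rogue data cache load does not need KVA shadowing,
# so "KVA shadow enabled = NO" is only a finding when KVAShadowRequired is true.
$req = $s.PSObject.Properties['KVAShadowRequired']
if ($req -and -not $req.Value) { 'Meltdown:   KVA shadow not required on this CPU' }

# Documented override values (KB 4072698): an unexpected pair here explains a "NO" above.
$mm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
foreach ($name in 'FeatureSettingsOverride', 'FeatureSettingsOverrideMask') {
    $v = $mm.PSObject.Properties[$name]
    if ($v) { '{0} = 0x{1:X}' -f $name, $v.Value } else { "$name not set (defaults apply)" }
}
```

The checklist deliberately distinguishes "not reported" from a false value: newer module versions add and occasionally rename properties, and a script that treats a missing property as `$false` will raise false alarms after an update.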
Everything we know about Campfire, Google’s secretive project to get Windows 10 running on Chromebooks.[…]
Four undocumented registry values vary the default validation of signatures on kernel-mode code such that Windows 10 may allow cross-signed drivers when it is otherwise documented as requiring Microsoft-signed drivers. This may be welcome for running your own drivers on your own computers without having to send them to Microsoft. Or it may be an unwelcome exposure to software that would install drivers by surprise, including to let malware elevate from administrative access to kernel-mode execution. Setting these values requires administrative access. Their action is subject to System Integrity policy, which provides the best defence.[…]
Lots of general debugging skills for Windows USB drivers covered in this blog post.
What is OEM Windows? How It’s Different From Retail Version Of Windows?
[…]The OEM Windows has its product key tied to a particular device. While the retail product key also works on one machine, it can be transferred to another one. Earlier, in the case of laptops, the OEM product key was written on the bottom part of the device. Nowadays, it’s embedded directly into firmware (BIOS or UEFI) of a device and used by Windows when required.[…]
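To see what "embedded directly into firmware" means in practice, the following added example (not code from the linked article) reads the key from the ACPI table Windows uses for it, the "MSDM" Microsoft Software Licensing Description table, via the documented kernel32 GetSystemFirmwareTable API, and cross-checks it against what the Software Licensing service reports. The MSDM layout it assumes is the standard 36-byte ACPI header followed by Version, Reserved, DataType, DataReserved and DataLength dwords and then the ASCII key; the function names are this example's own. Note that none of this needs administrative rights: the firmware key is readable by any local user.

```powershell
# Added example: read the OEM product key from the firmware's ACPI MSDM table.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class FirmwareTable {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint GetSystemFirmwareTable(uint provider, uint tableId, byte[] buffer, uint size);
}
'@

function Get-AcpiTable {
    # Hypothetical helper name; returns the raw bytes of one ACPI table, or $null if absent.
    param([Parameter(Mandatory)][string]$Signature)
    $provider = 0x41435049   # 'ACPI' provider signature, as documented for GetSystemFirmwareTable
    # The table ID is matched against the signature bytes as they sit in memory,
    # so it is built little-endian from the ASCII bytes ("MSDM" -> 0x4D44534D).
    $id = [BitConverter]::ToUInt32([Text.Encoding]::ASCII.GetBytes($Signature), 0)
    $size = [FirmwareTable]::GetSystemFirmwareTable($provider, $id, $null, 0)
    if ($size -eq 0) { return $null }   # no such table (retail install, most VMs)
    $buf = New-Object byte[] $size
    $got = [FirmwareTable]::GetSystemFirmwareTable($provider, $id, $buf, $size)
    if ($got -ne $size) { throw "GetSystemFirmwareTable($Signature) returned $got bytes, expected $size" }
    return ,$buf
}

function Get-MsdmProductKey {
    $t = Get-AcpiTable -Signature 'MSDM'
    if (-not $t) { return $null }
    # Assumed MSDM layout: 36-byte ACPI header, then
    #   36 Version(4)  40 Reserved(4)  44 DataType(4)  48 DataReserved(4)
    #   52 DataLength(4)  56 Data (DataLength bytes, the key as ASCII)
    $len = [BitConverter]::ToUInt32($t, 52)
    if (56 + $len -gt $t.Length) { throw 'MSDM table shorter than its DataLength claims' }
    [Text.Encoding]::ASCII.GetString($t, 56, [int]$len).Trim([char]0)
}

$fwKey  = Get-MsdmProductKey
# The licensing service exposes the same firmware key; use it as a cross-check.
$slsKey = (Get-CimInstance -ClassName SoftwareLicensingService).OA3xOriginalProductKey

if ($fwKey) {
    "Firmware (MSDM) key       : $fwKey"
    "SoftwareLicensingService  : $slsKey"
    if ($fwKey -ne $slsKey) { Write-Warning 'Firmware table and licensing service disagree' }
} else {
    'No MSDM table present: no OEM key in firmware (retail key, or a VM without MSDM)'
}
```

Because the key comes straight from an ACPI table, it survives a clean reinstall and is visible to anything that can read firmware tables, which is why OEM keys have never been a secret worth protecting and why a VM that exposes a copied MSDM table activates as if it were the original machine.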
RWeverything is a freeware tool, no source available. It includes a Windows kernel driver. CHIPSEC can be configured to trust and use that driver. It has been many years since I’ve trusted third-party freeware where I didn’t know the third-party author or have many other knowledgeable friends who trust them.
According to my system’s browser:
“rweverything.com uses an invalid security certificate. The certificate expired on January 8, 2018, 3:59:59 PM GMT-8. The current time is July 16, 2018, 3:58 PM.”
Winbagility is a tool that gives you the ability to connect WinDbg to non-/DEBUG Windows x64 systems. Winbagility simulates a debugged kernel. It retrieves some essential information (KDBG, KPCR, …) over the STUB and forwards this information to WinDbg over KD.
PyFDP is a Python extension used to communicate with the FDP (Fast Debugging Protocol) hypervisor-based debugging server used in the Winbagility project. Winbagility introduced an instrumented version of VirtualBox which can be used to implement a stealth debugger via virtual machine introspection and runtime analysis. While Winbagility simply connects the FDP server to WinDbg in order to debug a Windows VM as if the guest had been launched with the /DEBUG option activated, anyone can write an FDP client. PyFDP exposes the FDP client side by wrapping the DLL’s exports via ctypes, enabling any Python program to script a VM debugging session.
Security Researcher, SpecterOps
Note: I originally scrapped this post because I didn’t like that audit events were only logged once per boot due to caching, however, Casey’s tweet reminded me that I shouldn’t let perfect be the enemy of good. This is still one of the best options that I know of (without requiring a commercial solution) to log all driver loads.[…]
AaronLocker is designed to make the creation and maintenance of robust, strict, AppLocker-based whitelisting rules as easy and practical as possible. The entire solution involves a small number of PowerShell scripts. You can easily customize rules for your specific requirements with simple text-file edits. AaronLocker includes scripts that document AppLocker policies and capture event data into Excel workbooks that facilitate analysis and policy maintenance.[…]