If you do Windows kernel debugging in VMWare/VirtualBox VMs, and don’t know about VirtualKD, this will be exciting for you:
http://securityblog.gr/3092/faster-windows-kernel-debugging-with-virtual-machines/
Apple has a lot of work to do, but they just hired LegbaCore, so they should be able to improve.
Linux has a lot of work to do, to catch up to Windows. Luckily there are people like Matthew working on it.
OEMs and Intel have a lot of work to do: they should be working to build the Stateless Laptop that ITL has proposed.
Since the days of MS-DOS, OEMs have bundled lots of crap along with their Microsoft OS, and users would always blame Microsoft, not the OEM, IHV or ISV, for the user experience. Since NT was created, there have been tests for OEMs/IHVs, initially to get listed on the Hardware Compatibility List, these days to get certifications and more. Now that modern versions of Windows include installer-related binaries supplied in ACPI tables, which attackers can misuse if OEMs don’t clean up their systems properly (Lenovo, Dell, etc.), Microsoft is increasing its testing of OEM systems’ bloatware.
Microsoft to Remove Superfish-Like Programs Starting in March
https://blogs.technet.microsoft.com/mmpc/2015/12/21/keeping-browsing-experience-in-users-hands/
I’ve heard one interesting potential feature of the new Microsoft laptop is that it might be the one Windows box doesn’t have OEM bloatware on it. Granted, it’ll have other Microsoft bloatware on it…
Windbg is Microsoft’s Windows system debugger (both user-mode and kernel-mode), which has the ability to load third party extensions. I just noticed some Windbg extensions that Intel has created. One enables Windbg to work over JTAG, the other enables support for Intel PT:

The “Intel Debug Extensions for WinDbg” consists of two sets of debugger extensions:
1) Intel Debug Extensions for WinDbg for IA JTAG debugging (IA JTAG) enables the connection of WinDbg to a target over the JTAG. The server acts as a mediator and forwards the calls from WinDbg* to the IPC interface and back.
2) Intel Debug Extensions for WinDbg for Intel Processor Trace (Intel PT) is designed to help WinDbg users by extending their debugging tool set with execution tracing. The extension allows for easy setup of Intel PT by abstracting hardware configuration and then reconstructing and displaying execution flow from the collected trace data. It will integrate with other WinDbg* features like symbolization and high-level source display. Intel PT is a new technology for low-overhead execution tracing. It facilitates debugging a program by exposing an accurate and detailed trace of the program’s activity, and its triggering and filtering capabilities help identify and isolate the relevant program executions. Intel PT records information about software execution on each hardware thread using dedicated hardware facilities. After execution completes, software can process the recorded trace data and reconstruct the exact program flow.
[…]
BIOS / UEFI firmware: With firmware that is Intel PT-aware, you can set up an Intel PT-specific memory allocation. In this case, the firmware allocates a dedicated memory area and reserves it in a memory map for further use. Operating systems will recognize this reserved memory range and will not use it. When firmware reserves a memory region for Intel PT, it also configures the Intel PT output MSRs accordingly and indicates that Intel PT output configuration is ready to be used. The extension will recognize this setup. No further configuration (from user’s side) is required.
I presume these extensions are only available as part of the commercial-only Intel System Studio product. If you use Windbg, you may want to try to get these extensions, they sound useful.
More information:
https://software.intel.com/en-us/iss-2016-windbg-pt-user-guide-windows
https://software.intel.com/en-us/articles/intel-system-studio-release-notes
https://software.intel.com/en-us/iss-2016-get-started-debug-extensions-windbg-windows
https://software.intel.com/en-us/intel-system-studio
R00tkitSMM has created a Windows win32k.sys fuzzer project called Win32k-Fuzzer:
https://twitter.com/R00tkitSMM/status/669949945814712320
Fuzz and Detect “Use After Free” vulnerability in win32k.sys (Heap based)
“Win32k.sys for Windows is like Java for internet.”
Patrik Suzzi has an article on GPT partitions, and how to determine if you have MBR or GPT:
The article is written for Windows users and has lots of screenshots; it looks informative!
http://www.multibooters.com/guides/determine-if-hard-drive-is-mbr-or-gpt.html
Andrey Bazhan has announced Memory Explorer, a new tool for DbgKit, a fancy add-on to Microsoft’s Windbg debugger. If you do Windows debugging or forensic analysis, you might want to check this out.
http://www.andreybazhan.com/dbgkit.html
Alex Ionescu has a paper discussing Windows 10’s use of Intel SGX:
It looks like Microsoft has updated Windbg for Windows 10; one of the new features is support for Visual Studio’s NatVis expression model:
dx (Display NatVis Expression) – Describes the new dx debugger command, which displays object information using the NatVis extension model and LINQ support.
New commands that work with the NatVis visualization files in the debugger environment.
.nvlist (NatVis List)
.nvload (NatVis Load)
.nvunload (NatVis Unload)
.nvunloadall (NatVis Unload All)
https://msdn.microsoft.com/en-us/library/windows/hardware/mt219728%28v=vs.85%29.aspx
As pointed out by ZDI, Dustin Childs of HP Security Research (HPSR) wrote an article on Windows binaries and symbols, and how some symbolic information is missing from current binaries, and how he wrote a new tool — pdb_type_theft.py — to extract the missing information from old binaries.
In August of this year, Microsoft published an update to NTDLL and along with it, released updated symbols for debugging. These symbols are available as PDBs (program databases). Unfortunately, the symbols that were released contain type information that is missing standard structures and enumerations. As a result, debugging applications on Windows became a far more involved task. Microsoft is aware of the issue but has yet to release updated PDBs that rectify this issue. While they are working on it, I found myself wondering if I could avoid their involvement altogether. Barring any changes to the structures and enumerations, the information from previous versions of the PDBs should still be valid. As such, if I could copy the type information from a previous PDB and inject it into the current PDB, I’d theoretically be able to have everything I expect from a working build process. […] This script requires having a PDB with the type information you want available to copy into another PDB. If you are not in the habit of snapshotting your VMs after every update, the following links may be helpful […]
Full article and source:
http://community.hpe.com/t5/Security-Research/PDB-Type-Theft/ba-p/6801065
https://github.com/thezdi/scripts/blob/master/pdb_type_theft.py
(If you’ve read a few blog entries, you know that I misspell things a lot. Sorry. The other day, Microsoft finally made the PDB spec public, and I blogged on it, calling it “PDF”. Sigh.)
Paul Thurrott has an article on how to access the firmware of a Microsoft Surface Book:
ExtremeGTX has created a new ‘hello world’ sample for UEFI developers on GitHub. It is currently centered around boot manager features. If you are new to UEFI application development, and want to learn how to write Windows-centric ‘OS-present’ code that talks to UEFI, this is another sample you may want to look at. It is new, so perhaps give the author some more time to add more to the library.
ExtremeGTX: If you are reading this, please consider upgrading to a newer version of Microsoft Visual C++. I think you’re still using something from a pre-Y2K era, which generates ugly template code, not to mention decades of bug fixes and newer features to help you write better code, the whole point of an IDE. And less conversion pain for others who try to compile your code with a copy of Visual Studio 201x. Thank you!
https://github.com/ExtremeGTX/Win32-UEFILibrary
Users need data from firmware vendors, not just application vendors, about the details of each update. Right now, all OEMs/IHVs/ODMs are terrible at this. Some of the items in this petition ask for exactly that kind of vendor information; excerpts:
1) Microsoft must give Windows 10 users more control over when updates are installed. We need the ability to delay or hide damaging updates that impact the computing experience, have undesirable side effects such as blue screens of death, or reduce the functionality to attached devices. Under the current system of mandated updates, we have been adversely impacted by forced driver and firmware updates plus other patches; we’ve wasted hours dealing with the unwanted side effects. As long-time Windows users, we understand the need to have quicker and more agile security updating. But this agility should not introduce additional risks to our systems. Windows 10 updates have already caused loss of system functionality, video and display issues, and other significant issues.
2) Microsoft should provide detailed information on what’s in each update — along with what system changes we should see with each cumulative-update release. We applaud the cumulative-update model, but the lack of documentation doesn’t let us perform the due diligence required for safely deploying and maintaining Windows 10 systems in our organizations. […]
https://www.change.org/p/satya-nadella-microsoft-what-computer-users-want-changed-in-windows-10
Johan Arwidmark recently posted an article, “List of Windows 10 features that requires UEFI”:
One of the many restrictions of the Windows 10 in-place upgrade process is that it doesn’t support changing BIOS to UEFI (see my Windows 10 Upgrade Limitations post for complete listing). So, do you really need UEFI to deploy Windows 10? The answer is no, Windows 10 can absolutely be deployed to BIOS-based machines, but some of its features do require UEFI. Here is the (current) list:
Full article:
http://deploymentresearch.com/Research/Post/514/List-of-Windows-10-features-that-requires-UEFI
Microsoft: Trusted Boot Security Feature Bypass Vulnerability
CVE-2015-2552
Product: Windows NT series 8.0+
Affected versions: See “systems affected”.
Reported by: “Myria”
An attacker with administrative access to a Windows machine with UEFI Secure Boot enabled may bypass code signing policy checks by putting intentionally-malformed configuration options in the boot configuration database (BCD).
https://technet.microsoft.com/en-us/library/security/ms15-111.aspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2552
http://seclists.org/bugtraq/2015/Oct/70
https://support.microsoft.com/en-us/kb/3096447
Mike Terrill has an article on using Windows 10 and Secure Boot, and using Configuration Manager to show the state of Secure Boot:
Inventory Secure Boot State and UEFI with ConfigMgr
Now that Windows 10 has been released, you are probably starting to take a closer look at the new OS and the related security benefits that it has to offer. Secure Boot is a supported security feature in Windows 10 that secures the boot process by only allowing the loading of drivers and boot loaders that are signed with a trusted signature. The first versions of Windows to support Secure Boot were Windows 8 and Windows Server 2012. Secure Boot requires computer systems to be running UEFI 2.3.1 (or later). Legacy ROMs or compatibility support modules (CSM) must be disabled in order to enable Secure Boot. In this blog, I will show you how to extend the Configuration Manager hardware inventory so that you can report on the state of Secure Boot in your environment. This will not only tell you which systems have Secure Boot enabled or disabled, but it will also help you detect systems that are not currently running UEFI (the ones running in BIOS mode). Identifying these systems will be helpful when determining the deployment method that you will select when moving to Windows 10. If it is a requirement of your security team that all systems running Windows 10 must also be running Secure Boot, it will give you an idea on how much effort will be involved during the deployment process. […]
Chris Warwick has published a new Windows-centric firmware tool on Github, GetUEFI. It is a script that determines the firmware type, UEFI or BIOS.
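The three checks the posts above describe (MBR vs GPT, UEFI vs BIOS, and the Secure Boot state an inventory agent would collect) can be gathered in one PowerShell function. This is an added example, not Chris Warwick’s GetUEFI script or Mike Terrill’s ConfigMgr extension; it assumes Windows 8 / Server 2012 or later with the SecureBoot and Storage modules, and an elevated session for Confirm-SecureBootUEFI.

```powershell
# Added example: report firmware type, Secure Boot state and the system disk's
# partition style on a single Windows host (Windows 8+ assumed).

function Get-FirmwareSecurityState {
    [CmdletBinding()]
    param()

    # 1) Firmware type: Windows 8+ publishes it as an environment variable ("UEFI" or "Legacy").
    $firmwareType = if ($env:firmware_type) { $env:firmware_type } else { 'Unknown' }

    # 2) Secure Boot state. The registry value is readable without elevation and is the
    #    value inventory agents typically collect; the cmdlet is the authoritative check.
    $secureBoot = 'Unknown'
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
    $regValue = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).UEFISecureBootEnabled
    if ($null -ne $regValue) {
        $secureBoot = if ($regValue -eq 1) { 'Enabled' } else { 'Disabled' }
    }
    try {
        # On a legacy BIOS/CSM boot the cmdlet throws "Cmdlet not supported on this platform".
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    } catch [System.PlatformNotSupportedException] {
        $secureBoot = 'NotSupported (legacy BIOS boot)'
    } catch {
        # Not elevated or module missing: keep whatever the registry reported.
    }

    # 3) Partition style of the disk that carries the system partition.
    #    UEFI boot needs GPT, so a UEFI/MBR or Legacy/GPT combination flags a misreport
    #    or a machine that still needs conversion before a Secure Boot rollout.
    $sysDisk   = Get-Disk | Where-Object { $_.IsSystem } | Select-Object -First 1
    $partStyle = if ($sysDisk) { [string]$sysDisk.PartitionStyle } else { 'Unknown' }

    [PSCustomObject]@{
        ComputerName    = $env:COMPUTERNAME
        FirmwareType    = $firmwareType
        SecureBoot      = $secureBoot
        SystemDiskStyle = $partStyle
        Consistent      = (($firmwareType -eq 'UEFI') -eq ($partStyle -eq 'GPT'))
    }
}

Get-FirmwareSecurityState | Format-List
```

Run it from an elevated PowerShell; `Consistent = False` marks hosts whose firmware mode and disk layout disagree and therefore need a closer look before enabling Secure Boot.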
Microsoft has updated their Threat Modelling Tool. It appears to be a few years since the last release.
This latest release simplifies working with threats and provides a new editor for defining your own threats. Microsoft Threat Modeling Tool 2016 has several improvements: a New Threat Grid, a Template Editor, and Migrating Existing Data Flow Diagrams.
If you don’t have a Windows box, you can at least use their EOP card game. 🙂
http://blogs.microsoft.com/cybertrust/2015/10/07/whats-new-with-microsoft-threat-modeling-tool-2016/
http://www.microsoft.com/en-us/sdl/
http://www.microsoft.com/en-us/sdl/adopt/eop.aspx
http://threatmodelingbook.com/
Anandtech and other sites have information about Windows 10’s Compact OS feature.
Image from TechNet blog:
Excerpt from MSDN:
Windows 10 includes tools to help you use less drive space. You can now compress the files for the entire operating system, including your preloaded desktop applications. Compact OS lets you run the operating system from compressed files (similar to WIMBoot in Windows 8.1 Update 1), and single-instancing helps you run your pre-loaded Windows desktop applications in compressed files. The new process helps maintain a small footprint over time by using individual files, rather than combining them in a WIM file. Compact OS installs the operating system files as compressed files. Compact OS is supported on both UEFI-based and BIOS-based devices. Unlike WIMBoot, because the files are no longer combined into a single WIM file, Windows Update can replace or remove individual files as needed to help maintain the drive footprint size over time.
More information:
http://www.anandtech.com/show/9676/windows-10-feature-focus-compactos
http://www.windowscentral.com/how-reduce-windows-10-footprint
https://msdn.microsoft.com/en-us/library/windows/hardware/dn940129%28v=vs.85%29.aspx
http://blogs.technet.com/b/mniehaus/archive/2015/09/16/windows-10-reducing-the-disk-footprint.aspx
Hastily-written news/info on the firmware security/development communities, sorry for the typos.