Back Doors for Cross-Signed Windows Drivers

Four undocumented registry values vary the default validation of signatures on kernel-mode code such that Windows 10 may allow cross-signed drivers when it is otherwise documented as requiring Microsoft-signed drivers. This may be welcome for running your own drivers on your own computers without having to send them to Microsoft. Or it may be an unwelcome exposure to software that would install drivers by surprise, including to let malware elevate from administrative access to kernel-mode execution. Setting these values requires administrative access. Their action is subject to System Integrity policy, which provides the best defence.[…]

FOSSbytes: Comparing OEM Windows from Retail Windows

What is OEM Windows? How It’s Different From Retail Version Of Windows?

[…]The OEM Windows has its product key tied to a particular device. While the retail product key also works on one machine, it can be transferred to another one. Earlier, in the case of laptops, the OEM product key was written on the bottom part of the device. Nowadays, it’s embedded directly into firmware (BIOS or UEFI) of a device and used by Windows when required.[…]

RWEverthing web site, HTTPS cert expired in January

RWeverything is a freeware tool, no source available. It includes a Windows kernel driver. CHIPSEC can be configured to trust and use that driver. It has been many years since I’ve trusted third-party freeware where I didn’t know the third-party author or have many other knowledgeable friends who trust them.

According to my system’s browser:

“ uses an invalid security certificate. The certificate expired on January 8, 2018, 3:59:59 PM GMT-8. The current time is July 16, 2018, 3:58 PM.”

Winbagility project: simulates a debugged kernel

Winbagility is a tool that gives you ability to connect WinDbg on non /DEBUG Windows x64 systems. Winbagility simulates a debugged kernel. It retrieves over the STUB for some essentials information (KDBG, KPCR…) and forward these informations to WinDbg over KD.

PyFDP is a Python extension used to communicate with the FDP (Fast Debugging Protocol) hypervisor-based debugging server used in the Winbagility project. Winbagility introduced an instrumented version of VirtualBox which can be used to implement a sthealth debugger via Virtual Machine introspection and runtime analysis. While Winbagility simply connect the FDP server to Windbg in order to debug a Windows VM as if the guest was launch with /DEBUG option activated, anyone can write a FDP client. PyFDP expose the FDP client side by wrapping the DLL’s exports via ctypes, enabling any Python program to script a VM debugging session.

Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode

Matt Graeber
Security Researcher, SpecterOps
Jun 26
Note: I originally scrapped this post because I didn’t like that audit events were only logged once per boot due to caching, however, Casey’s tweet reminded me that I shouldn’t let perfect be the enemy of good. This is still one of the best options that I know of (without requiring a commercial solution) to log all driver loads.[…]


Announcing the pre-release (v0.9) of “AaronLocker:” robust and practical application whitelisting for Windows.

AaronLocker is designed to make the creation and maintenance of robust, strict, AppLocker-based whitelisting rules as easy and practical as possible. The entire solution involves a small number of PowerShell scripts. You can easily customize rules for your specific requirements with simple text-file edits. AaronLocker includes scripts that document AppLocker policies and capture event data into Excel workbooks that facilitate analysis and policy maintenance.[…]

On Intel not talking to OpenBSD about recent FPU vuln

Chip vendors controlling the security of OSes should be more transparent in their selection process. They should maintain a list of OSVs that they maintain embargoed fixes. Then uses could determine if they want to trust the OS or not, or try to lobby to try and get the ISA vendor to support their OS. Is the OS on the list, ok then they may have some chance at fixing things. If not on the list I expect to be vulnerable until the embargo ends. There are MANY more OSes than Microsoft Windows, Apple macOS, a limited number of Linux distros, and sometimes FreeBSD.

In some forums, Bryan Cantrill is crafting a fiction. He is saying the FPU problem (and other problems) were received as a leak. He is not being truthful, inventing a storyline, and has not asked me for the facts. This was discovered by guessing Intel made a mistake. We are doing the best for OpenBSD. Our commit is best effort for our user community when Intel didn’t reply to mails asking for us to be included. But we were not included, there was no reply. End of story. That leaves us to figure things out ourselves. Bryan is just upset we guessed right. It is called science.


Windows: new feature using IOMMU to block DMA access for Thunderbolt devices when machine is locked

The latest version of Windows apparently has new protections against PCILeech and related attacks:

An ice-cold Boot to break BitLocker

An ice-cold Boot to break BitLocker
By Olle Segerdahl & Pasi Saarinen

A decade ago, academic researchers demonstrated how computer memory remanence could be used to defeat popular disk encryption systems. Not much has happened since, and most seem to believe that these attacks are too impractical for real world use. Even Microsoft have even started to play down the threat of memory remanence attacks against BitLocker, using words such as “they are not possible using published techniques”. We will publish techniques that allow recovery of BitLocker encryption keys from RAM on most, if not all, currently available devices. While BitLocker is called out in the title, the same attacks are also valid against other platforms and operating systems.

Olle is a veteran of the IT-security industry, having worked with both “breaking” and “building” security solutions for almost 20 years. During that time, he has worked on securing classified systems, critical infrastructure and cryptographic products as well as building software whitelisting solutions used by industrial robots and medical equipment. He is currently the Swedish Principal Security Consultant with F-Secure’s technical security consulting practice.

Pasi is an experienced security researcher with a background in both software and network security. In previous employment he has worked on a modern framework for white-box fuzz testing of binaries and security standardization of the 5G mobile network. While he has a very Finnish name, he plays for team Sweden in F-Secure’s technical security consulting practice.


Practical DMA attack on Windows 10

Practical DMA attack on Windows 10
Written by Jean-Christophe Delaunay · 2018-05-30 · in Pentest

Among the various security assessments performed by Synacktiv, some involve attacking the security hardening of a laptop or workstation master image that will be massively deployed in an infrastructure. The purpose of this kind of security assessment is to give the client an overview of its level of maturity regarding security concerns and provide him with some recommendations in order to increase his level of security. This post describes how Synacktiv defeated a workstation security measures by using a hardware approach.[…]

Example photo of Evil Maid attacker in their lab: 🙂



CheckBIOSDisk: Check uefi/legacy bios and gpt/mbr disk type for WinPE

This is a Win32 console application for Windows Preinstall Environment system. The gaol is checking PC uses UEFI BIOS (or with CSM) must ensures the disk type is GPT format, otherwise the legacy BIOS must using MBR format for disk layout. C++ code only does windows executing diskpart and reg commands and checks results to improve function, because requester is lazy and having lack knowledge on his job to design commands flow.

PS: Another tool by author:


Microsoft: C++ Developer Guidance for Speculative Execution Side Channels

C++ Developer Guidance for Speculative Execution Side Channels
Matt Miller Colin Robertson Mike B

This article contains guidance for developers to assist with identifying and mitigating speculative execution side channel hardware vulnerabilities in C++ software. These vulnerabilities can disclose sensitive information across trust boundaries and can affect software that runs on processors that support speculative, out-of-order execution of instructions. This class of vulnerabilities was first described in January, 2018 and additional background and guidance can be found in Microsoft’s security advisory. The guidance provided by this article is related to the class of vulnerabilities represented by CVE-2017-5753, also known as Spectre variant 1. This hardware vulnerability class is related to side channels that can arise due to speculative execution that occurs as a result of a conditional branch misprediction. The Visual C++ compiler in Visual Studio 2017 (starting with version 15.5.5) includes support for the /Qspectre switch provides a compile-time mitigation for a limited set of potentially vulnerable coding patterns related to CVE-2017-5753. The documentation for the /Qspectre flag provides more information on its effects and usage.[…]

[…]An accessible introduction to speculative execution side channel vulnerabilities can be found in the presentation titled The Case of Spectre and Meltdown by one of the research teams that discovered these issues.[…]


Alex Ionescu: Advancing the State of UEFi Bootkids, slides online