I generally learn best by writing tools. I wanted to learn about Secure Boot policy so I wrote a parser which I completed with the help of Geoff's amazing documentation (https://t.co/Ir4PVFjMmM). My parser can be found here if you want to play along: https://t.co/gXevP2bFY1 pic.twitter.com/KKc1a4GBmV

— Matt Graeber (@mattifestation) April 20, 2018

Also, as I learned more about Secure Boot policy, it forced me to learn more about BCD, motivated this project (https://t.co/KXcpEdjtfr), and supplied me with inspiration to branch into unchartered territory for me – learning about the Windows boot manager.

— Matt Graeber (@mattifestation) April 20, 2018

Click on above URL or remove spaces in below URL (WordPress mangles Github Gist URLs…)

https://gist. github.com/mattifestation /f1e160bc970c8a7b82355d7e5946901b

Chrome OS firmware change may support Verified Boot of Windows?

April 19, 2018 ~ hucktech ~ Leave a comment

[…]A recent branch title “firmware-eve-campfire” was discovered in the Chromium gerrit, accompanied by changes referencing “AltOS” and “go/vboot-windows.” That, combined that with the addition of placeholder strings for “Chrome OS” and “AltOS” being added to all languages, suggests that a future Chrome OS device, codenamed “Eve” will have the capability to boot more than one operating system. The commit was found by -nbsp- on Reddit. Obviously, with a name like “vboot-windows,” it is easy to jump to the conclusion that the feature is intended for Microsoft Windows, though little information about this is available. Most of the relevant code is hidden behind the private gerrit for Google employees, making it difficult to ascertain how this works and what it is intended for. According to a post at XDA-developers, it seems possible that this could be used for non-Windows OSes, such as Linux, or whatever Google Fuschia actually is.[…]

https://www.techrepublic.com/article/a-mysterious-chrome-os-commit-could-hint-at-a-chromebook-that-dual-boots-windows/

UDK2018-UEFI-Shell: UDK2018 stripped down to shell build

April 14, 2018 ~ hucktech ~ Leave a comment

Windows-centric.

UDK2018 stripped down to shell build with VS2017

https://github.com/JoaquinConoBolillo/UDK2018-UEFI-Shell

Visual-ANSI-C-for-UEFI-Shell: create and debug ANSI C UEFI Shell apps using Visual Studio 2017

April 12, 2018April 12, 2018 ~ hucktech ~ Leave a comment

Create and debug ANSI C UEFI Shell EFI_APPLICATION using Visual Studio 2017

https://github.com/JoaquinConoBolillo/Visual-ANSI-C-for-UEFI-Shell

Intel seeks BIOS/UEFI Tools Developer

April 8, 2018 ~ hucktech ~ Leave a comment

BIOS-UEFI Firmware Tools Engineer

As BIOS-UEFI Firmware Tools Engineer you will develop tools and scripts needed for build and test automation infrastructure that is the backbone of the the Continuous Integration process in Intel’s Data Center UEFI firmware BIOS team.[…]

https://jobs.intel.com/ShowJob/Id/1573600/BIOS%20UEFI%20Firmware%20Tools%20Engineer

PS: I need to figure out a way to get some swag/etc from jobs that’re filled via this blog. ;-(

PS: Intel HR: spaces in URLs is generally frowned upon.

PSSysmonTools: SysMon Tools for PowerShell

April 8, 2018 ~ hucktech ~ Leave a comment

Sysmon Tools for PowerShell, by @mattifestation https://t.co/swGDNFtbiv

— DirectoryRanger (@DirectoryRanger) April 7, 2018

https://github.com/mattifestation/PSSysmonTools

Geoff Chappell: Secure Boot internals

March 31, 2018 ~ hucktech ~ 1 Comment

This is by far the most detailed explanation of Secure Boot policy in existence (and there’s already very little info out there about it). Geoff’s corpus of Windows Internals knowledge is such a valuable asset. https://t.co/YAbno8UcVW

— Matt Graeber (@mattifestation) March 31, 2018

DRAFT: Take more than your usual care.
SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION

The SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemSecureBootPolicyFullInformation (0xAB).
Documentation Status

The SYSTEM_SECUREBOOT_POLICY_FULL_INFORMATION structure is not documented.

http://www.geoffchappell.com/studies/windows/km/ntoskrnl/api/ex/sysinfo/secureboot_policy_full.htm

Total Meltdown for Windows 7: follow-up

March 30, 2018 ~ hucktech ~ Leave a comment

Total Meltdown? How the Windows 7 Meltdown January patch made things way worse. (Patched in March updates) https://t.co/wrV8EApW1n

— Ulf Frisk (@UlfFrisk) March 27, 2018

#TotalMeltdown OOB patches available now! No longer ZERO-DAY! APPLY PATCHES NOW! (Win7/2008R2) CVE-2018-1038 . Awesome turnaround time and support from @msftsecresponse! Super impressive work given the time frame!https://t.co/TcVVMBDEPl pic.twitter.com/n0FpD8nP5X

— Ulf Frisk (@UlfFrisk) March 29, 2018

We released a security update yesterday to address CVE-2018-1038 in Windows 7 Service Pack 1 (x64) and Windows Server 2008 R2 Service Pack 1 (x64). Thanks to @UlfFrisk for the partnership.

— Security Response (@msftsecresponse) March 30, 2018

Yesterday #microsoft released a security update to address CVE-2018-1038 in Windows 7 SP1 (x64) and Windows Server 2008 R2 SP1 (x64). Shout out to @UlfFrisk for the partnershiphttps://t.co/fDUMGZuw20

— Jeff Jones (@securityjones) March 30, 2018

I'm proud to have been a part of getting this vulnerability addressed and giving credit where it was due. Thank you @UlfFrisk I hope to see more research from you in the future! https://t.co/jrVghRq1NP

— 👾 Nate Warfield 👾 (@dk_effect) March 29, 2018

A big thanks to @UlfFrisk for working with us through this bumpy ride. We are glad to be at a better spot with this latest release. https://t.co/1kgjE7megN

— Phillip Misner (@phillip_misner) March 30, 2018

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1038

Microsoft Windows: Kernel Virtual Address (KVA) Shadow: mitigating Meltdown

March 23, 2018 ~ hucktech ~ Leave a comment

Deep dive technical blog post on KVA Shadow which is the mitigation for Meltdown on Windows, this one authored by Ken Johnson (Skywing) from @msftsecresponse. Lots of low-level systems engineering details! https://t.co/Lgukpy1PRm

— Matt Miller (@epakskape) March 23, 2018

If you remember his https://t.co/1IMCACTZaK posts and miss them, Ken Johnson (NOT YET ON TWITTER) authors this week's SRD post on speculative execution mitigations. 👍 https://t.co/UsOhst1cM7

— John Lambert (@JohnLaTwC) March 23, 2018

KVA Shadow: Mitigating Meltdown on Windows

On January 3rd, 2018, Microsoft released an advisory and security updates that relate to a new class of discovered hardware vulnerabilities, termed speculative execution side channels, that affect the design methodology and implementation decisions behind many modern microprocessors. This post dives into the technical details of Kernel Virtual Address (KVA) Shadow which is the Windows kernel mitigation for one specific speculative execution side channel: the rogue data cache load vulnerability (CVE-2017-5754, also known as “Meltdown” or “Variant 3”). KVA Shadow is one of the mitigations that is in scope for Microsoft’s recently announced Speculative Execution Side Channel bounty program. It’s important to note that there are several different types of issues that fall under the category of speculative execution side channels, and that different mitigations are required for each type of issue. Additional information about the mitigations that Microsoft has developed for other speculative execution side channel vulnerabilities (“Spectre”), as well as additional background information on this class of issue, can be found here. Please note that the information in this post is current as of the date of this post.[…]

https://blogs.technet.microsoft.com/srd/2018/03/23/kva-shadow-mitigating-meltdown-on-windows/

HackBGRT: How to change Windows Boot Logo using HackBGRT

March 22, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2016/05/21/hackbgrt-changes-windows-boot-logo-on-uefi-systems/

https://github.com/Metabolix/HackBGRT

People are constantly searching for “HackBGRT” is constantly being hit on this blog search site. Here’s a new article on how to use it:

http://www.thewindowsclub.com/change-windows-boot-logo-using-hackbgrt

Microsoft updates: Windows OEM security guidance

March 12, 2018 ~ hucktech ~ Leave a comment

Standards for a highly secure Windows 10 device
03/07/2018
These standards are for general purpose laptops, tablets, 2-in-1’s, mobile workstations, and desktops. This topic applies specifically and uniquely for Windows 10 version 1709, Fall Creators Update. If you are a decision maker purchasing new devices and you want to enable the best possible security configuration, your device should meet or exceed these standards. Beyond the hardware and firmware configurations outlined below, Microsoft recommends running Windows 10 S for security. Windows 10 S is a specific configuration of Windows 10 Pro that offers a familiar Windows experience that’s streamlined for security and performance. Windows 10 S provides the best of the cloud and full featured apps, and is designed for modern devices. Windows Defender is always on and always up-to-date.[…]

https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-highly-secure

PCILeech3 and Memory Process File System released!

March 12, 2018March 12, 2018 ~ hucktech ~ Leave a comment

Targets 64-bit Intel systems running Windows.

Memory Process File System and PCILeech3 released! Map processes and virtual memory as files & folders!
Use memory dump files or PCIe DMA devices to edit live process memory. More info in blog entry. https://t.co/EfgwZeQSQA https://t.co/KuTVVzZc5j pic.twitter.com/DB6deQAe1G

— Ulf Frisk (@UlfFrisk) March 12, 2018

http://blog.frizk.net/2018/03/memory-process-file-system.html

https://github.com/ufrisk/pcileech

ShowSLIC.efi: Access ACPI-based Windows SLIC License Key

March 1, 2018 ~ hucktech ~ Leave a comment

FPMurphy has a new blog post with source to a new tool, and mentions plans for 3-4 new tools/year!

Those who follow my work in the UEFI Shell space are aware that I usually develop a number of new, and hopefully useful, UEFI shell utilities each year. This year, I plan to write three or four new utilities and enhance a number of existing utilities. This is the first of these new utilities. In this post, I describe the ShowSLIC utility. It is the first of my new utilities and came about from license and booting issues caused by a disk failure on a friend’s laptop that was running Windows 7. ShowSLIC is designed to enable you to retrieve SLIC (System License Internal Certificate) information from a UEFI-based Microsoft Windows PC or laptop. Such information is accessible (exposed) via the ACPI (Advanced Configuration and Power Interface) SLIP table.[…]

https://blog.fpmurphy.com/2018/01/accessing-acpi-slic-from-uefi-shell.html#ixzz58Wq6TSMw

https://blog.fpmurphy.com/

Looks like you have to scrape the source from the HTML blog post, not included in latest UEFI-Utilities, AFAICT:

https://github.com/fpmurphy/UEFI-Utilities-2016/commits/master

Microsoft: update on Spectre and Meltdown security updates for Windows devices

March 1, 2018 ~ hucktech ~ Leave a comment

March 1, 2018 10:00 am
Update on Spectre and Meltdown security updates for Windows devices
By John Cable / Director of Program Management, Windows Servicing and Delivery

https://blogs.windows.com/windowsexperience/2018/03/01/update-on-spectre-and-meltdown-security-updates-for-windows-devices/

Microsoft Device Health Attestation protocol

February 28, 2018 ~ hucktech ~ Leave a comment

Re: https://firmwaresecurity.com/2018/02/22/hp-including-expected-pcr0-values-in-firmware-releases/

Microsoft Device Health Attestation protocol

This is really easy to validate with Windows 10 DHA https://t.co/fx6Yli7UOm https://t.co/M5b5zRo1AH

— Dave dwizzzle Weston (@dwizzzleMSFT) February 26, 2018

Is the DHA client/server protocol documented?

— Matthew Garrett (@mjg59) February 27, 2018

Oh wait https://t.co/33RqIvANfy?

— Matthew Garrett (@mjg59) February 27, 2018

Any documentation of the format of the claims element?

— Matthew Garrett (@mjg59) February 27, 2018

Device Health Attestation
https://technet.microsoft.com/en-us/library/mt750346.aspx

[MS-DHA]: Device Health Attestation Protocol
https://msdn.microsoft.com/en-us/library/mt766195.aspx

ASUS doesn’t care about Linux [Firmware]

February 27, 2018February 27, 2018 ~ hucktech ~ Leave a comment

See image in below tweet. A tweet with a bug report about ACPI and TPM2 on ASUS systems.

Linux users: remember that you’re not using a Linux box, you’re using a Windows box, or a Chrome box, and reinstalling an OS, which the OEM doesn’t support, so they won’t be offering you any way to update your firmware with that OS. Unless you’re buying your machine from an OEM that installs Linux. If you are a Linux user, stop buying Windows/Chrome PCs and buy Linux PCs.

Sigh, tried to report a couple of firmware bugs, their solution: "use Windows!". Why did I even bother? Why is "we only support Windows" still a thing in 2018… I should look into @coreboot_org I guess. pic.twitter.com/2PcJgjD6oD

— 74810b012346c9a6 (@orionwl) February 27, 2018

Windows AMSI (AntiMalware Scan Interface) bypass

February 18, 2018February 18, 2018 ~ hucktech ~ Leave a comment

blogged about bland new AMSI bypass fixed this week. https://t.co/LJpxbDYdTU

— Satoshi Tanda (@standa_t) February 17, 2018

Amazingly simple and effective AMSI bypass found by Satoshi (who built our Script Control tech). Great thing when you’re monitoring PS from complimentary angles is visibly seeing yourself lose visibility. #ManagedObservability. https://t.co/7RXKHndUfO

— Alex Ionescu (@aionescu) February 17, 2018

http://standa-note.blogspot.ca/2018/02/amsi-bypass-with-null-character.html

https://msdn.microsoft.com/en-us/library/windows/desktop/dn889587(v=vs.85).aspx

See-also:

https://www.cyberark.com/threat-research-blog/amsi-bypass-patching-technique/

Windows 10: storing system-tracking data in UEFI variables

February 14, 2018February 14, 2018 ~ hucktech ~ Leave a comment

"system-unique tracking identifiers that persist across reinstalls by storing them in the TPM or UEFI firmware variables"https://t.co/5ySnN7Eaqm

— slipstream/RoL (@TheWack0lian) February 12, 2018

https://twitter.com/dakotathekat/status/963086883621408768

https://mastodon.social/@slipstream/99513179089285773

https://docs.microsoft.com/en-us/uwp/api/Windows.System.Profile.SystemIdentification

As one comment above notes, make sure you know how to reset this firmware-stored data before you dispose of any such systems.

Interesting, I would have guessed that this data would be stored in UEFI SMM LockBox, but some forms of UEFI variables are also hard to access. Ah, but this is for persistent data…

https://github.com/tianocore/edk2/blob/master/MdeModulePkg/Universal/LockBox/SmmLockBox/SmmLockBox.c

I’d swear I saw some MacOSX (before change to macOS) components moved from system libraries up into Apple EFI, I wonder if Apple also implements SmmLockBox?

Windows: enable BIOS and UEFI boot for PXE in DHCP

February 14, 2018 ~ hucktech ~ Leave a comment

Enable BIOS and UEFI Boot for PXE in DHCP https://t.co/yeZu71dUFS via @PhilPritchett

— skatterbrainzz (@skatterbrainzz) February 12, 2018

There’s an URL to a live.com download in the blog, as well as PowerShell script inline with blog text:

Enable BIOS and UEFI Boot for PXE in DHCP

adding BIOS Mode and Secure Boot state to BGInfo

February 14, 2018February 14, 2018 ~ hucktech ~ Leave a comment

Adding Windows 10 Version, BIOS Mode and Secure Boot State to BGInfo https://t.co/uqAhdZfPFV #AZSMUG @mmsmoa @skatterbrainzz #DreamTeam @gwblok @keithga1 @jeffctangsoo10 @abetterpc pic.twitter.com/9kftJOf1jx

— Mike Terrill [MVP] (@miketerrill) February 12, 2018

My Automation Framework now detecting BIOS/UEFI and Secure Boot thanks to @miketerrill https://t.co/jlfZG28omU pic.twitter.com/8KWZLNzSBM

— Trond E Haavarstein (@xenappblog) February 13, 2018

Adding Windows 10 Version, BIOS Mode and Secure Boot State to BGInfo

Tag: Windows

GetSecureBootPolicy.ps1: Partially-completed Secure Boot policy parser

Chrome OS firmware change may support Verified Boot of Windows?

UDK2018-UEFI-Shell: UDK2018 stripped down to shell build

Visual-ANSI-C-for-UEFI-Shell: create and debug ANSI C UEFI Shell apps using Visual Studio 2017

Intel seeks BIOS/UEFI Tools Developer

PSSysmonTools: SysMon Tools for PowerShell

Geoff Chappell: Secure Boot internals

Total Meltdown for Windows 7: follow-up

Microsoft Windows: Kernel Virtual Address (KVA) Shadow: mitigating Meltdown

HackBGRT: How to change Windows Boot Logo using HackBGRT

Microsoft updates: Windows OEM security guidance

PCILeech3 and Memory Process File System released!

ShowSLIC.efi: Access ACPI-based Windows SLIC License Key

Microsoft: update on Spectre and Meltdown security updates for Windows devices

Microsoft Device Health Attestation protocol

ASUS doesn’t care about Linux [Firmware]

Windows AMSI (AntiMalware Scan Interface) bypass

Windows 10: storing system-tracking data in UEFI variables

Windows: enable BIOS and UEFI boot for PXE in DHCP

adding BIOS Mode and Secure Boot state to BGInfo