SimpleSvm is a minimalistic educational hypervisor for Windows on AMD processors. It aims to provide small and explanational code to use Secure Virtual Machine (SVM), the AMD version of Intel VT-x, with Nested Page Tables (NPT) from a windows driver. SimpleSvm is inspired by SimpleVisor, an Intel x64/EM64T VT-x specific hypervisor for Windows, written by Alex Ionescu.
Tag: Windows
ltmdm64_poc
https://twitter.com/vpikhur/status/866881935477399552
Windows 7 SP1 x64 Code Integrity Bypass POC using ltmdm64.sys
Bug was found in ltmdm64.sys!DriverEntry driver incorrectly uses RtlQueryRegistryValues API it also lacks security cookies across entire binary except GsDriverEntry function. This PoC was created back in 2014 and submitted later to MSRC they were not able to located the driver authors but also didn’t take any action on fixing the problem. ltmdm64.sys is shipped since Windows Vista and present in digitally signed catalog files. This PoC is detected by Windows Defender as Exploit:Win64/Ropero.A
https://github.com/int0/ltmdm64_poc
MemoryMonRWX: Windows hypervisor to detect rootkits
Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems new technologies developed by Intel and AMD CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to the memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, which is a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support of multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.
http://igorkorkin.blogspot.com/2017/03/memorymonrwx-detect-kernel-mode.html
Absolute seeks OEM Business Development Director
It is an exciting time for the Absolute and Microsoft partnership! Absolute’s placement in Windows device firmware provides a truly unique position within the Microsoft partner ecosystem. We continue to strengthen this relationship by opening new doors of engagement through our recent product integration announcements. To further support the relationship, we are looking for a tenured Business Development Director[…]
modzero Security: keylogger in HP audio driver
https://twitter.com/__ths__/status/862589402140352514
[EN] Keylogger in Hewlett-Packard Audio Driver
Security reviews of modern Windows Active Domain infrastructures are – from our point of view – quite sobering. Therefore, we often look left and right, when, for example, examining the hardening of protection mechanisms of a workstation. Here, we often find all sorts of dangerous and ill-conceived stuff. We want to present one of these casually identified cases now, as it’s quite an interesting one: We have discovered a keylogger in an audio driver package by Hewlett-Packard. A keylogger is a piece of software for which the case of dual-use can rarely be claimed. This means there are very few situations where you would describe a keylogger that records all keystrokes as ‘well-intended’. A keylogger records when a key is pressed, when it is released, and whether any shift or special keys have been pressed. It is also recorded if, for example, a password is entered even if it is not displayed on the screen.[…]There is no evidence that this keylogger has been intentionally implemented. Obviously, it is a negligence of the developers – which makes the software no less harmful. If the developer would just disable all logging, using debug-logs only in the development environment, there wouldn’t be problems with the confidentiality of the data of any user[…]
https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt
Windows Internals new edition out
https://twitter.com/aionescu/status/862741520301965312
http://www.alex-ionescu.com/?p=335
Wow, this book has gone a long way from “Inside Windows NT” by Helen Custer, the original author:
Microsoft Windows 10 UEFI training video
Micosoft has a training video for network administrators that includes some UEFI security topics:
Windows 10 new preboot security features
There’s a few new preboot-related features in recent builds of Microsoft Windows, excerpt of some of them below.
New features in Windows 10, version 1511:
* Credential Guard: Enable Credential Guard without UEFI lock. You can enable Credential Guard by using the registry. This allows you to disable Credential Guard remotely. However, we recommend that Credential Guard is enabled with UEFI lock. You can configure this by using Group Policy.
* Bitlocker: DMA port protection. You can use the DataProtection/AllowDirectMemoryAccess MDM policy to block DMA ports when the device is starting up. Also, when a device is locked, all unused DMA ports are turned off, but any devices that are already plugged into a DMA port will continue to work. When the device is unlocked, all DMA ports are turned back on.
* Bitlocker: New Group Policy for configuring pre-boot recovery. You can now configure the pre-boot recovery message and recover URL that is shown on the pre-boot recovery screen. For more info, see the Configure pre-boot recovery message and URL section in “BitLocker Group Policy settings.”
* New BCD events: Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD): DEP/NEX settings, Test signing, PCAT SB simulation, Debug, Boot debug, Integrity Services, Disable Winload debugging menu
* New PNP events: Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller.
* TPM: Key Storage Providers (KSPs) and srvcrypt support elliptical curve cryptography (ECC).
* TPM: The following sections describe the new and changed functionality in the TPM for Windows 10: Device health attestation, Microsoft Passport support, Device Guard support, Credential Guard support […]
https://docs.microsoft.com/en-us/windows/whats-new/whats-new-windows-10-version-1507-and-1511
https://technet.microsoft.com/en-us/windows/release-info
Microsoft MDT: moving from BIOS to UEFI
If you have a Windows box and are trying to convert MBR/BIOS installs to GPT/UEFI installs on ‘class 2’ systems, you might want to read this:
https://blogs.technet.microsoft.com/mniehaus/2017/04/14/moving-from-bios-to-uefi-with-mdt-8443/
CAN-pipe: use Wireshark to sniff CAN traffic
https://twitter.com/HackingThings/status/852554363436376064
A tool for creating a windows named pipe to capture CAN bus traffic using wireshark.
Windows 10 security introduction
https://twitter.com/mattifestation/status/850525271035830274
Nice introduction to current Windows security.
MBR2GPT
“MBR2GPT.EXE converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).[…]”
https://technet.microsoft.com/itpro/windows/deploy/mbr-to-gpt
Windows 10 drops 1394 boot debugging
“1394 boot debugging no longer works on the latest builds on Windows 10.”
https://blogs.msdn.microsoft.com/windbg/2016/08/11/kd-1394-work-around/
Intel updates Minnowboard firmware, and Firmware Engine for Windows
Intel has updated their UEFI firmware for the Minnowboard, and has updated Intel Firmware Engine for Windows.
UEFI-Rebooter
“UEFI-Rebooter is a bash script for implementing dual boot through uefi.” It is labelled “Windows Boot Manager”, and calls Linux’s efibootmgr as it’s main tool.
https://github.com/Dertosh/UEFI-Rebooter
https://github.com/Dertosh/UEFI-Rebooter/blob/master/UEFI-rebooter.sh
Syscall-Monitor for Windows
Syscall Monitor is a system monitor program (like Sysinternal’s Process Monitor) using Intel VT-X/EPT for Windows7+
https://github.com/hzqst/Syscall-Monitor
It requires Intel x86/x64 systems with Intel VT-x and EPT support, running Microsoft Windows.
UEFI VBS required by Microsoft
https://twitter.com/aionescu/status/835553407398100992
“VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.”
I’m glad Alex is reading these Microsoft updates better than I am. 🙂 Glad to know that VBS is not VBScript.
Microsoft updates Secure Boot and ACPI requirements
These Microsoft pages have recently (last month) been updated. No changelog, so unclear what has changed. 😦
https://msdn.microsoft.com/en-us/windows/hardware/drivers/bringup/firmware-requirements-for-d3cold
OSR on debugging bad Windows drivers
OSR has a nice blog post that shows how to debug bad drivers. OSR is a smart group of Windows-centric driver consultants, check out their NT Insider newsletter if you’re into NT. And their NTdev mailing list.
[…]The bugcheck makes much more sense now. Someone’s stack expansion callback was called at DISPATCH_LEVEL (Arg2 == 2) and returned at PASSIVE_LEVEL (Arg1 == 0). That’s against the rules, thus you get a system crash. Personally I would call this a bug in KeExpandKernelStackAndCalloutEx seeing as how it is generating an IRQL_UNEXPECTED_VALUE using invalid (unexpected?) arguments. At a minimum the documentation is currently wrong though and I have filed a bug to try to get that addressed.
http://www.osronline.com/showthread.cfm?link=281770
https://www.osr.com/developers-blog/
http://www.osronline.com/showlists.cfm?list=ntdev
http://www.osronline.com/index.cfm
Hmm, it looks like OSRonline.com is becoming ‘legacy’. If there’s not a future home for some of the tools listed there, you might want to grab a set of tools while you still can. The tools are somewhat like SysInternals-style of tools.
Firmware Security 
You must be logged in to post a comment.