Intel has a technology called Virtual RAID on CPU (VROC) that lets you set up RAID arrays of NVMe SSDs, with the RAID calculations being offloaded to specialised hardware on the CPU instead of being done in software. When I built my workstation back in 2019, I installed an Asus HYPER M.2 card, which is a PCIe 3.0 x16 carrier card that breaks out into four M.2 slots. The M.2 slots are separated using 4-way bifurcation, which allows one 16-lane slot to be split into four 4-lane slots. With four Corsair MP510...
Microsoft added a new field, GuardMemcpyFunctionPointer, to the PE load config structure in Windows 22H2. I couldn’t find any documentation on this at all, either from Microsoft or from reverse engineers, so I thought I’d post my initial findings here.
The field is a virtual address (VA) that typically points into the .rdata section. At this virtual address there is another virtual address, which (in every binary I have checked so far) points to the memcpy implementation in the .text section. As is...
How many processors does Windows 10 support? It’s a simple question, but the correct answer is surprisingly hard to come by.
What led me to ask this question was curiosity: I wondered whether it would be possible to run Windows 10 on a Supermicro 7089P-TR4T - a single-node server with eight Intel Xeon Scalable sockets in an S8S configuration.
Windows Server licenses come with a baseline limit of 16 physical processor cores. If you want to use more cores, you have to buy additional core licenses. For...
Intel Cryo Cooling is an active cooling solution that uses a TEC, also known as a Peltier element, to cool the CPU. A TEC can pump heat from one side of it to the other, meaning that one side gets cold while the other gets hot. This is useful for situations where you want to reduce the heat of something below the ambient temperature. Many camping fridges utilise TECs for this purpose.
While TECs have previously been investigated for the purposes of sub-ambient cooling, they were generally considered...
Memory DIMMs have a small flash memory chip (EEPROM) on them, containing an important descriptor table called the Serial Presence Detect (SPD). This data tells the system the size, speed, timings, operating voltage, manufacturer, part number, overclocking profiles, and all sorts of other information about each DIMM. The SPD chip is accessed using the SMBus protocol, which is based on I2C.
Tools such as CPU-Z, RAMMon, and RW Everything can be used to read the SPD data by talking to the flash chip over a...
The Windows XP SP1 and Server 2003 source code leaked recently, and it includes the build system. While it isn’t exactly simple to get it up and running, and not everything is included (missing winlogon is the biggest problem), people have already figured it out and managed to make working VMs from it.
A quick disclaimer: Nothing in this blog post contains any source or copyrighted material from the leak, in any form. Don’t ask me for the leaked source, and don’t ask me where to find the leaked source,...
I’ve recently been making some mods for the game Rust. I don’t play much of the game myself, as I’m pretty bad at FPS games in general, but I do enjoy watching a select few YouTubers and streamers play it. One thing that I’ve seen a bunch of them complain about is the excessive use of autoturrets and other traps during raids, and for griefing people and areas. While I can’t do much to help the vanilla players, I am familiar with making mods for the game using the Oxide mod framework, which is now part of...
A lesser-known feature of the Windows memory manager is that it can maintain write watches on allocations for debugging and profiling purposes. Passing the MEM_WRITE_WATCH flag to VirtualAlloc “causes the system to track pages that are written to in the allocated region”. The GetWriteWatch and ResetWriteWatch APIs can be used to manage the watch counter. This can be (ab)used to catch out debuggers and hooks that modify memory outside the expected pattern.
There are four primary ways to exploit this...
A short while ago, slipstream/RoL dropped an exploit for the ASUS memory mapping driver (ASMMAP/ASMMAP64) which was vulnerable to complete physical memory access (read/write) to unprivileged users, allowing for local privilege escalation and all sorts of other problems. An aside to this was that there were also IOCTLs available to perform direct I/O operations (in/out instructions) directly from unprivileged usermode, which had additional interesting impacts for messing with system firmware without...
Back in June, I was doing some analysis on a Windows driver and discovered that the INIT section had the read, write, and executable characteristics flags set. Windows executables (drivers included) use these flags to tell the kernel what memory protection flags should be applied to that section’s pages once the contents are mapped into memory. With these flags set, the memory pages become both writable and executable, which violates the W^X policy, a concept which is considered good security practice....
Just a quick tip for anyone doing a code review of a Java EE web application: LAPSE+ is a very useful tool to have in the arsenal, whether you’ve got the original source or just the JAR/WAR file.
In my case, the client provided me with a single .WAR file which contained the application. As it was a large application, I didn’t really fancy digging through everything manually with JD-GUI, although it is an excellent Java decompiler. I decided to take the opportunity to give LAPSE+ a try.
Here’s what you’ll...
When I moved into my flat, I found that the previous tenant had left behind his Sky Broadband router. Awesome - a new toy to break! Sadly I got bogged down with silly things like moving house and going to work, so I didn’t get a chance to play with it. Until now, that is.
This isn’t the first embedded device I’ve played with. Over the years I’ve desoldered EEPROMs from routers, done unspeakable things to photocopiers, and even overvolted an industrial UPS unit via SNMP. The router I shall be discussing in...
In this series of posts, I’m going to discuss executable analysis, the methods that are used and mechanisms to prevent them. There are three types of analysis that can be performed on executables:
Static - Analysis of the sample file on disk.
Emulated - Branch and stack analysis of the sample through an emulator.
Live - Analysis of the executing sample on a VM, usually using hooks.
I’m going to look at each type in detail, giving examples of techniques used in each and ways to make analysis...