Microsoft added a new field, GuardMemcpyFunctionPointer, to the PE load config structure in Windows 22H2. I couldn’t find any documentation on this at all, either from Microsoft or from reverse engineers, so I thought I’d post my initial findings here.
The field is a virtual address (VA) that typically points into the .rdata section. At this virtual address there is another virtual address, which (in every binary I have checked so far) points to the memcpy implementation in the .text section. As is...
I recently built a new computer and enabled BitLocker on it. When doing so, it asked me to save my recovery key, but I didn’t have a working printer or a flash drive to hand to save my recovery key to (also it doesn’t seem sane to store the recovery key in cleartext on a USB stick), so I cheated and used Print to PDF to save the recovery key to my OS drive… the one I was encrypting.
A little later I was hardening my security settings and changed the DEP policy from the default (opt-in) to opt-out. I...
I just hit 100,000 reputation on Information Security StackExchange! 🎉
I thought this would be a good moment to talk about why StackExchange is so important to me, and what my journey into security looked like. The story starts way back in 2012, before I worked in infosec. Back then I was a few months out of university, having studied for a computing degree (basically compsci + dev management), working my first job as an entry-level developer. I had already been interested in security for over a decade by...
A lesser-known feature of the Windows memory manager is that it can maintain write watches on allocations for debugging and profiling purposes. Passing the MEM_WRITE_WATCH flag to VirtualAlloc “causes the system to track pages that are written to in the allocated region”. The GetWriteWatch and ResetWriteWatch APIs can be used to manage the watch counter. This can be (ab)used to catch out debuggers and hooks that modify memory outside the expected pattern.
There are four primary ways to exploit this...
I’ll be speaking at 44CON this year, at the community evening on Wednesday 9th September. The community evening is free to attend - you just need to register to attend if you don’t have a conference ticket. My talk is currently scheduled at 19:45, and I’m speaking about writing Windows drivers, with the goal of leaving you a bit more informed about how they work, and how to get started.
In addition to my talk, Saumil Shah will be speaking about Stegosploit, and Michael Boman will be running a workshop on...
Another year has rolled by (damn, I really don’t update this blog much, do I?) and Securi-Tay IV is coming up. I’ll be speaking about security issues related to serialisation and deserialisation of data in modern programming languages, including PHP and C#.
My colleague FreakyClown will be talking about robbing banks for a living, which promises to be amusing at the very least (which reminds me - ask me about coathangers and server rooms when you see me).
Most importantly though: we (and by that I mean...
Just a quick tip for anyone doing a code review of a Java EE web application: LAPSE+ is a very useful tool to have in the arsenal, whether you’ve got the original source or just the JAR/WAR file.
In my case, the client provided me with a single .WAR file which contained the application. As it was a large application, I didn’t really fancy digging through everything manually with JD-GUI, although it is an excellent Java decompiler. I decided to take the opportunity to give LAPSE+ a try.
Here’s what you’ll...
In my previous post I talked about a vulnerability in Steam which allows you to bypass UAC. I’m going to be totally transparent here: I fucked up. I wrote the draft post a few days back, then did some more work on the vulnerability. I discovered something much more serious in the process. I posted last night’s blog post at 1am, tired as hell, and in my sleep-deprived state I completely neglected to update it properly, and there are several mistakes and bits of missing information. The draft went out and...
Dropbox has become a daily part of my life. I rely on it to synchronise data between my growing set of devices. But how much of an impact does it have on the security of my system? I decided to find out by digging around in exactly what it does to my machine, or more specifically, the processes running on it.
The first thing I want to check out is what modules are loaded into various processes. Tools like Dropbox like to extend the functionality of other programs using shell extensions, which are nothing...
In light of the numerous recent attacks against SSL, I thought I’d offer up a quick and simple crypto lesson about why MAC-then-encrypt schemes are bad. This post will require only a minimum of knowledge about cryptography, so hopefully it’ll be useful to a wide range of people.
This is not designed to be a full and detailed description of how SSL works, or how the various attacks against it work, but rather a short primer on the subject for those who know a bit about crypto but don’t really understand how...
There are two main points to take away from the Kelihos.B takedown. The first is that malware writers, as smart as they are, are really dumb.
Forget about malware for a moment, and imagine the architecture involved in Kelihos.B was part of a legitimate distributed-computing business system. Would you invest all that time and effort to build a P2P network and design a mechanism for message propagation, then leave it wide open to attack by failing to include any form of authentication mechanism? It’s...
A new vulnerability (CVE-2012-0056) that affects almost 650 different builds of the Linux kernel allows effortless privilege escalation to root. It works by forking child processes to trick the self_exec_id check on /proc/pid/mem access, allowing the code to modify its own SUID and gain root.
CVE-2012-0056 $ ./mempodipper
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+]...
I was dubious at first, but I really have grown to like Redis. It’s a wonderfully simple solution to the problem of high-performance fast-changing data storage. However, its simplicity (combined with the incompetency of certain users) can easily become a detriment to security.
The Redis protocol is a simple plain-text mechanism, offering no transport layer security. This is a problem in itself, but it gets worse. By default, it listens on all available IP addresses on port 6379, with no authentication...