<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Observatoire de la securite Internet</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Closing "Heaven's Gate"</title><description>2015-12-30 18:36:08 - Alex Ionescu's Blog : Brief Overview of WoW64. "Heaven's Gate" refers to a technique first popularized by the infamous "Roy G Biv" of 29a fame, and later re-published in Valhalla #1. Cited and improved in various new forms, and even seen in the wild used by the Vawtrak banking malware, it centers around the fact that on a 64-bit</description><link>http://www.secuobs.com/revue/news/594528.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/594528.shtml</guid></item>
<item><title>What are Little PatchGuards Made Of?</title><description>Secuobs.com : 2015-06-23 01:49:00 - Alex Ionescu's Blog - A number of excellent PatchGuard articles have been written around what PatchGuard is, how to bypass it, what triggers it uses, its obfuscation techniques, and more. But for some reason, nobody has published a full list of everything that PatchGuard actually verifies. Microsoft used to have a website that listed the initial first 7 checks,</description><link>http://www.secuobs.com/revue/news/575030.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/575030.shtml</guid></item>
<item><title>Analyzing MS15-050 With Diaphora</title><description>Secuobs.com : 2015-05-14 18:28:02 - Alex Ionescu's Blog - One of the most common ways that I glean information on new and upcoming features on releases of Windows is obviously to use reverse engineering such as IDA Pro and look at changed functions and variables, which usually imply a change in functionality. Of course, such changes can also reveal security fixes, but those are a lot</description><link>http://www.secuobs.com/revue/news/570755.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/570755.shtml</guid></item>
<item><title>Windows 8.1 Address Space and Behavior Changes</title><description>Secuobs.com : 2015-01-22 06:20:36 - Alex Ionescu's Blog - Windows 8.1 radically changes the address space layout of the system by finally removing the 44-bit limitation which I described in one of the earliest blog posts on this website (and which Wikipedia even links to). This is a little-known detail about the operating system, and an odd thing for Microsoft not to emphasize on</description><link>http://www.secuobs.com/revue/news/555823.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/555823.shtml</guid></item>
<item><title>Protected: Sheep Year Kernel Heap Fengshui: Spraying in the Big Kids' Pool</title><description>Secuobs.com : 2014-12-31 19:21:15 - Alex Ionescu's Blog - There is no excerpt because this is a protected post.</description><link>http://www.secuobs.com/revue/news/552545.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/552545.shtml</guid></item>
<item><title>PE Trick #1: A Codeless PE Binary File That Runs</title><description>Secuobs.com : 2014-09-30 04:13:27 - Alex Ionescu's Blog - Introduction. One of the annoying things of my Windows Internals Security research is when every single component and mechanism I've looked at in the last six months has ultimately resulted in me finding very interesting design bugs, which I must now wait on Microsoft to fix before being able to talk further about them. As such, I</description><link>http://www.secuobs.com/revue/news/537507.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/537507.shtml</guid></item>
<item><title>The Case Of The Bloated Reference Count: Handle Table Entry Changes in Windows 8.1</title><description>Secuobs.com : 2014-06-17 23:16:06 - Alex Ionescu's Blog - Introduction. As part of my daily reverse engineering and peering into Windows Internals, I started noticing a strange effect in Windows 8.1 whenever looking at the reference counts of various objects with tools such as WinDBG, Process Explorer, and Process Hacker: seemingly gigantic values on x64 Windows, and smaller, yet still incredibly large values on</description><link>http://www.secuobs.com/revue/news/519376.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/519376.shtml</guid></item>
<item><title>Protected Processes Part 3: Windows PKI Internals (Signing Levels, Scenarios, Root Keys, EKUs and Runtime Signers)</title><description>Secuobs.com : 2014-01-06 20:14:08 - Alex Ionescu's Blog - Introduction. In this last part of our series on protected processes in Windows 8.1, we're going to be taking a look at the cryptographic security that protects the system from the creation or promotion of arbitrary processes to protected status, as well as to how the system is extensible to provide options for 3rd party</description><link>http://www.secuobs.com/revue/news/490010.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/490010.shtml</guid></item>
<item><title>Protected: [WIP DRAFT] The Evolution of Protected Processes Part 2: Exploit Jailbreak Mitigations, Unkillable Processes and Protected Services</title><description>Secuobs.com : 2013-12-11 05:22:16 - Alex Ionescu's Blog - There is no excerpt because this is a protected post.</description><link>http://www.secuobs.com/revue/news/485548.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/485548.shtml</guid></item>
<item><title>Protected: The Evolution of Protected Processes: Pass-the-Hash Mitigations in Windows 8.1</title><description>Secuobs.com : 2013-11-22 11:06:23 - Alex Ionescu's Blog - There is no excerpt because this is a protected post.</description><link>http://www.secuobs.com/revue/news/482570.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/482570.shtml</guid></item>
<item><title>KASLR Bypass Mitigations in Windows 8.1</title><description>Secuobs.com : 2013-11-17 10:48:50 - Alex Ionescu's Blog - Introduction. As some of you may know, back in June of 2013, I gave a talk at Recon, a security conference in Montreal, about KASLR Information Bypasses/Leaks in the Windows NT kernel, entitled "I got 99 problems but a kernel pointer ain't one". The point of the presentation was both to collect and catalog the</description><link>http://www.secuobs.com/revue/news/481469.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/481469.shtml</guid></item>
<item><title>New Security Assertions in "Windows 8"</title><description>Secuobs.com : 2011-10-04 17:15:56 - Alex Ionescu's Blog - Anyone reversing "Windows 8" will now find a non-familiar piece of code, whenever a list insertion operation is performed on a LIST_ENTRY: .text:00401B65 mov edx, [eax] ; .text:00401B67 mov ecx, [eax+4] ; .text:00401B6A cmp [edx+4], eax ; .text:00401B6D jnz SecurityAssertion ; .text:00401B73 cmp [ecx], eax ; .text:00401B75 jnz</description><link>http://www.secuobs.com/revue/news/332607.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/332607.shtml</guid></item>
<item><title>Windows Internals 5th Edition, at last</title><description>Secuobs.com : 2009-07-13 09:07:18 - Alex Ionescu's Blog - I am very pleased to announce that the 5th Edition of the Windows Internals book series is finally shipping for the past couple of weeks, and hard copies are now arriving in the hands of most customers. As my last blog post indicates, I took a hiatus from most of my typical work in the</description><link>http://www.secuobs.com/revue/news/119822.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/119822.shtml</guid></item>
<item><title>My Summer At Apple</title><description>Secuobs.com : 2008-11-09 14:21:06 - Alex Ionescu's Blog - Three months ago, I posted about my experience with some of the most exciting tech companies that I had a chance to interview with and explained my decision behind joining Apple. This week, my internship comes to a close, and it's time to review that decision and share with you my intern experience at Apple. No</description><link>http://www.secuobs.com/revue/news/34510.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34510.shtml</guid></item>
<item><title>Some Vista Tips and Tricks</title><description>Secuobs.com : 2008-11-09 14:21:06 - Alex Ionescu's Blog - Here's a couple of various useful tips I've discovered (as I'm sure others have) which make my life easier on Vista, and saved me a lot of trouble. Fix that debugger: I had done everything right to get local kernel debugging to work: I added /DEBUG with bcdedit, I used WinDBG in Administrator mode, I even turned</description><link>http://www.secuobs.com/revue/news/34509.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34509.shtml</guid></item>
<item><title>Behind Windows x64's 44-bit Virtual Memory Addressing Limit</title><description>Secuobs.com : 2008-11-09 14:21:06 - Alex Ionescu's Blog - The era of 64-bit computing is finally upon the consumer market, and what was once a rare hardware architecture has become the latest commodity in today's processors. 64-bit processors promise not only a larger amount of registers and internal optimizations, but, perhaps most importantly, access to a full 64-bit address space, increasing the maximum number</description><link>http://www.secuobs.com/revue/news/34508.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34508.shtml</guid></item>
<item><title>MemInfo: Peer Inside Memory Manager Behavior on Windows Vista and Server 2008</title><description>Secuobs.com : 2008-11-09 14:21:06 - Alex Ionescu's Blog - After my departure from the ReactOS project and subsequent new work for David Solomon, it wasn't clear how much research and development on Windows internals I would still be able to do on a daily basis. Thankfully, I haven't given up my number one passion: innovating, pushing the boundaries of internals knowledge, and educating users</description><link>http://www.secuobs.com/revue/news/34507.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34507.shtml</guid></item>
<item><title>ScTagQuery: Mapping Service Hosting Threads With Their Owner Service</title><description>Secuobs.com : 2008-11-09 14:21:06 - Alex Ionescu's Blog - Today I want to introduce another utility for Vista and Windows Server 2008 called ScTagQuery (short for Service Controller Tag Query), a tool which will allow you to identify which running service a certain thread inside a service hosting process (e.g. Svchost.exe) belongs to, in order to help with identifying which services may be using</description><link>http://www.secuobs.com/revue/news/34506.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34506.shtml</guid></item>
<item><title>Building the Lego Millennium Falcon: A Lesson in Security</title><description>Secuobs.com : 2008-11-09 14:21:06 - Alex Ionescu's Blog - Not all of a reverse engineer's life has to be about undoing; sometimes it is equally as fun to build something from scratch, whether that means a new tool... or the Star Wars 30 Year Anniversary Lego Ultimate Collector's Millennium Falcon. Over the course of the last three weeks, my best friend and myself</description><link>http://www.secuobs.com/revue/news/34505.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34505.shtml</guid></item>
<item><title>Inside Session 0 Isolation and the UI Detection Service - Part 1</title><description>Secuobs.com : 2008-11-09 14:21:06 - Alex Ionescu's Blog - One of the many exciting changes in Windows Vista's service security hardening mechanisms (which have been aptly explained and documented in multiple blogs and whitepapers, so I'll refrain from rehashing old material) is Session 0 Isolation. I've thought it would be useful to talk about this change and describe the behaviour and implementation of</description><link>http://www.secuobs.com/revue/news/34504.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34504.shtml</guid></item>
<item><title>Inside Session 0 Isolation and the UI Detection Service - Part 2</title><description>Secuobs.com : 2008-11-09 14:21:06 - Alex Ionescu's Blog - In part 1 of the series, we covered some of the changes behind Vista's new Session 0 Isolation and showcased the UI Detection Service. Now, we'll look at the internals behind this compatibility mechanism and describe its behavior. First of all, let's take a look at the service itself; although its file name suggests the</description><link>http://www.secuobs.com/revue/news/34503.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34503.shtml</guid></item>
<item><title>Black Hat 2008 Wrap-up</title><description>Secuobs.com : 2008-11-09 14:21:06 - Alex Ionescu's Blog - This year I had the chance to present some security-related findings that I had made earlier during the year inside Win32k.sys, the Windows GUI Subsystem and Window Manager. I presented a total of four bugs, all local Denial of Service (DoS) attacks. Two of these attacks could be done on any system up to Vista</description><link>http://www.secuobs.com/revue/news/34502.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34502.shtml</guid></item>
<item><title>Co-Authoring Windows Internals 5th Edition</title><description>Secuobs.com : 2008-11-09 14:21:06 - Alex Ionescu's Blog - I've been a bit slow updating the blog, and so today, I want to take the time to explain what's been keeping me busy by sharing some exciting news. As this post's title suggests, I am indeed co-authoring Windows Internals 5th Edition, the latest update to Mark Russinovich and David Solomon's Windows Internals 4th Edition</description><link>http://www.secuobs.com/revue/news/34501.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/34501.shtml</guid></item>
</channel>
</rss>
 
