<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet Security Observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>SECURE 2014 slide deck and Hex-Rays IDA Pro advisories published</title><description>2014-10-23 14:40:23 - j00ru vx tech blog : Yesterday I gave a talk at a Polish security conference held in Warsaw, Poland, called "Ucieczka z Matrixa: (nie)bezpieczna analiza malware" (eng. "Escaping the Matrix: (in)secure malware analysis"). The presentation was lightly technical and concerned the different threats of using popular software to aid in interacting with and analyzing malware samples. While the talk was   </description><link>http://www.secuobs.com/revue/news/542318.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/542318.shtml</guid></item>
<item><title>CONFidence 2014 slides from Dragon Sector are now available</title><description>Secuobs.com : 2014-05-29 12:10:13 - j00ru vx tech blog - (Collaborative post by Gynvael Coldwind and Mateusz "j00ru" Jurczyk) Just yesterday another edition of the largest and most successful IT security conference held in Poland - CONFidence - ended. The Dragon Sector CTF team (which we founded and are running) actively participated in the organization of the event by hosting an onsite, individual CTF for   </description><link>http://www.secuobs.com/revue/news/516065.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/516065.shtml</guid></item>
<item><title>A case of a curious LibTIFF 4.0.3 + zlib 1.2.8 memory disclosure</title><description>Secuobs.com : 2014-04-30 16:35:47 - j00ru vx tech blog - As part of my daily routine, I tend to fuzz different popular open-source projects (such as FFmpeg, Libav or FreeType2) under numerous memory safety instrumentation tools developed at Google, such as AddressSanitizer, MemorySanitizer or ThreadSanitizer. Every now and then, I encounter an interesting report and spend the afternoon diving into the internals of a specific   </description><link>http://www.secuobs.com/revue/news/511152.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/511152.shtml</guid></item>
<item><title>FFmpeg and the tale of a thousand fixes</title><description>Secuobs.com : 2014-01-10 18:12:54 - j00ru vx tech blog - (Collaborative post by Mateusz "j00ru" Jurczyk and Gynvael Coldwind; a short version is available at the Google Online Security blog) Following more than two years of work, the day has finally come - the FFmpeg project has incorporated more than a thousand fixes to bugs (including some security issues) we have discovered in the project   </description><link>http://www.secuobs.com/revue/news/490877.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/490877.shtml</guid></item>
<item><title>Windows System Call and CSR API tables updated</title><description>Secuobs.com : 2013-11-16 18:54:44 - j00ru vx tech blog - Having the first spare weekend in a really long time, I have decided it was high time to update some (all) of the tables related to Windows system calls and CSR API I once created and now try to maintain. This includes NT API syscalls for the 32-bit and 64-bit Intel platforms, win32k.sys syscalls for   </description><link>http://www.secuobs.com/revue/news/481425.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/481425.shtml</guid></item>
<item><title>ZeroNights 2013 and NTVDM vulnerabilities</title><description>Secuobs.com : 2013-11-08 11:19:09 - j00ru vx tech blog - Just yesterday I had the pleasure to speak at a highly hacking-oriented Russian conference, ZeroNights, for the second time (see my "ZeroNights slides, Hack In The Box Magazine #9 and other news" post from last year). The conference itself has been great so far - several interesting and inspiring talks, lots of leet Russian hackers   </description><link>http://www.secuobs.com/revue/news/479765.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/479765.shtml</guid></item>
<item><title>Windows win32k.sys menus and some "close, but no cigar" bugs</title><description>Secuobs.com : 2013-09-12 22:30:25 - j00ru vx tech blog - Welcome after one of the more lengthy breaks in the blog's activity. Today, I would like to discuss none other than several interesting weaknesses around the implementation of menus (like, window menus) in the core component of the Microsoft Windows kernel - the infamous win32k.sys driver, also known as the "Java of Windows" in terms   </description><link>http://www.secuobs.com/revue/news/468345.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/468345.shtml</guid></item>
<item><title>Black Hat USA 2013, Bochspwn, slides and pointers</title><description>Secuobs.com : 2013-08-14 01:55:17 - j00ru vx tech blog - (Collaborative post by Mateusz "j00ru" Jurczyk and Gynvael Coldwind) Two weeks ago (we're running late, sorry) Gynvael and I had the pleasure to attend one of the largest, most technical and renowned conferences in existence - Black Hat 2013 in Las Vegas, USA. The event definitely stood up to our expectations - the city was purely   </description><link>http://www.secuobs.com/revue/news/462756.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/462756.shtml</guid></item>
<item><title>Approaching BlackHat US 2013 and new Dragon Sector blog</title><description>Secuobs.com : 2013-07-24 17:25:10 - j00ru vx tech blog - This is a quick reminder that Gynvael and I are going to attend BlackHat US 2013 in Las Vegas next week with the "Bochspwn: Identifying 0-days via System-Wide Memory Access Pattern Analysis" presentation on the second day of the event. The talk is going to largely extend our previous performance at SyScan this year (see    </description><link>http://www.secuobs.com/revue/news/458901.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/458901.shtml</guid></item>
<item><title>Changing the cursor shape in Windows proven difficult by NVIDIA (and AMD)</title><description>Secuobs.com : 2013-07-01 14:53:14 - j00ru vx tech blog - If you work in the software engineering or information security field, you should be familiar with all sorts of software bugs - the functional and logical ones, those found during the development and internal testing along with those found and reported by a number of complaining users, those that manifest themselves in the form of    </description><link>http://www.secuobs.com/revue/news/454739.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/454739.shtml</guid></item>
<item><title>Kernel double-fetch race condition exploitation on x86 - further thoughts</title><description>Secuobs.com : 2013-06-18 13:44:42 - j00ru vx tech blog - (Collaborative post by Mateusz "j00ru" Jurczyk and Gynvael Coldwind) It was six weeks ago when we first introduced our effort to locate and eliminate the so-called double fetch (e.g. time-of-check-to-time-of-use during user-land memory access) vulnerabilities in operating system kernels through CPU-level operating system instrumentation, a project code-named "Bochspwn" as a reference to the x86 emulator used (bochs). The Open    </description><link>http://www.secuobs.com/revue/news/452048.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/452048.shtml</guid></item>
<item><title>CONFidence 2013 and the x86 quirks</title><description>Secuobs.com : 2013-06-02 15:56:08 - j00ru vx tech blog - Another week, another conference. Just a few days ago, Gynvael and I had the pleasure to attend and present at the CONFidence 2013 infosec conference traditionally held in Cracow, Poland. The event requires no further introduction - it has been simply the best Polish conference in the security area since it first started, and this    </description><link>http://www.secuobs.com/revue/news/448939.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/448939.shtml</guid></item>
<item><title>NoSuchCon 13 and crashing Windows with two instructions</title><description>Secuobs.com : 2013-05-22 04:24:32 - j00ru vx tech blog - The first edition of the NoSuchCon security conference held in Paris ended just a few days ago. Before anything else, I would like to thank all of the organizers (proudly listed at nosuchcon.org) for making the event such a blast. Both the location, venue and speaker line-up were amazing, with lots of free beer and    </description><link>http://www.secuobs.com/revue/news/446916.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/446916.shtml</guid></item>
<item><title>SyScan 2013, Bochspwn paper and slides</title><description>Secuobs.com : 2013-05-02 20:52:56 - j00ru vx tech blog - (Collaborative post by Mateusz "j00ru" Jurczyk and Gynvael Coldwind) A few days ago we (Gynvael and I) gave a talk during the SyScan 13 conference in the fine city of Singapore, and as promised (though with a slight delay), today we are publishing both the slide deck and a white paper discussing memory access pattern analysis    </description><link>http://www.secuobs.com/revue/news/443230.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/443230.shtml</guid></item>
<item><title>A story of win32k!cCapString, or unicode strings gone bad</title><description>Secuobs.com : 2013-04-16 16:53:25 - j00ru vx tech blog - In the most recent blog post ("Fun facts: Windows kernel and guard pages"), we have learned how the code coverage of kernel routines referencing user-mode memory can be determined by taking advantage of the fact that kernel-mode code triggers guard page exceptions in the same way as user-mode does. Today, I will present how the    </description><link>http://www.secuobs.com/revue/news/439756.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/439756.shtml</guid></item>
<item><title>Fun facts: Windows kernel and guard pages</title><description>Secuobs.com : 2013-04-13 04:04:10 - j00ru vx tech blog - It has been a while since I last posted here, so I guess it's high time to get back to work and share some more interesting Windows kernel internals goodies. Before we get to that, however, let's start with a few announcements. First of all, there is a number of great infosec conferences coming up    </description><link>http://www.secuobs.com/revue/news/439269.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/439269.shtml</guid></item>
<item><title>PDF Fuzzing Fun Continued: Status Update</title><description>Secuobs.com : 2013-01-09 02:05:51 - j00ru vx tech blog - (Collaborative post by Mateusz "j00ru" Jurczyk and Gynvael Coldwind) Almost five months ago, Gynvael Coldwind and I wrote about an effort to improve the security of popular PDF parsing and rendering software; back then, we were primarily focused on the Chrome PDF Renderer and latest Adobe Reader applications. In order to achieve our results, we    </description><link>http://www.secuobs.com/revue/news/420586.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/420586.shtml</guid></item>
<item><title>CVE-2012-2553: Windows Kernel VDM use-after-free in win32k.sys</title><description>Secuobs.com : 2012-12-18 22:46:57 - j00ru vx tech blog - Microsoft addressed several Windows kernel vulnerabilities in the MS12-075 security bulletin released in November this year, some of them residing in every version of the win32k.sys driver shipped with the NT family line systems. Apart from the obviously extremely interesting remote web browser   ring-0 arbitrary code execution issue, there have also been two other    </description><link>http://www.secuobs.com/revue/news/417685.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/417685.shtml</guid></item>
<item><title>Defeating Windows Driver Signature Enforcement #3: The Ultimate Encounter</title><description>Secuobs.com : 2012-12-10 10:10:46 - j00ru vx tech blog - I hope you haven't got bored with bypassing the Driver Signature Enforcement mechanism (present on all 64-bit Microsoft Windows operating systems since Vista) just yet - in either case, stay calm: this is going to be the last post of the series. After using multiple drivers shipped with the OS in the default configuration to    </description><link>http://www.secuobs.com/revue/news/416015.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/416015.shtml</guid></item>
<item><title>ZeroNights slides, Hack In The Box Magazine #9 and other news</title><description>Secuobs.com : 2012-12-01 12:58:01 - j00ru vx tech blog - First of all, it has been recently reported to me that the system call list for Microsoft Windows Vista SP0 available at http://j00ru.vexillium.org/ntapi was wrong, containing syscall numbers for beta2 version of the system instead of the actual RTM Service Pack 0. The issue has already been fixed - apologies for any confusion this might    </description><link>http://www.secuobs.com/revue/news/414570.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/414570.shtml</guid></item>
<item><title>Crawling MSDN for fun and profit</title><description>Secuobs.com : 2012-11-16 20:44:33 - j00ru vx tech blog - Regardless of whether you are a Windows exploitation guru, a professional win32 application developer or someone whose curiosity occasionally tells him to dig up the MSDN library looking for interesting quirks or undocumented functionality, the following examples of MSDN article excerptions are very likely to look familiar to you. Simply put, the operating system operates on an    </description><link>http://www.secuobs.com/revue/news/411908.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/411908.shtml</guid></item>
<item><title>Defeating Windows Driver Signature Enforcement #2: CSRSS and thread desktops</title><description>Secuobs.com : 2012-11-10 04:13:58 - j00ru vx tech blog - To stand by my claim that the Microsoft Windows operating system has been built on the fundamental assumption that administrative privileges would always be equivalent to granting the ability to run arbitrary ring-0 code, I have decided to briefly discuss yet another portion of some Windows internals and how they could be easily misused by    </description><link>http://www.secuobs.com/revue/news/410705.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/410705.shtml</guid></item>
<item><title>Defeating Windows Driver Signature Enforcement #1: default drivers</title><description>Secuobs.com : 2012-11-04 02:54:24 - j00ru vx tech blog - One of the obvious things about the Windows operating system for anyone actively working on its kernel security is that the Driver Signature Enforcement (DSE in short) is not effective and can be bypassed with relative ease by any determined individual. From a historical perspective, the "feature" was introduced in the 64-bit build of Windows    </description><link>http://www.secuobs.com/revue/news/409370.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/409370.shtml</guid></item>
<item><title>Introducing the USB Stick of Death</title><description>Secuobs.com : 2012-10-21 18:21:34 - j00ru vx tech blog - (Bug found by Gynvael Coldwind, exploit developed by Mateusz "j00ru" Jurczyk) Several months back we have been playing with different file systems on various system platforms, examining the security posture and robustness of numerous device drivers' implementations. One of the configurations we spent some time on was the commonly used NTFS on Microsoft Windows      </description><link>http://www.secuobs.com/revue/news/406881.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/406881.shtml</guid></item>
<item><title>Fun facts: Windows kernel and Device Extension Size</title><description>Secuobs.com : 2012-09-16 01:07:17 - j00ru vx tech blog - Today, I would like to start sharing some of the most amusing examples of the Windows kernel behavior that I often stumble upon while reverse-engineering its various areas, exploiting a particular vulnerability or just randomly exploring its code. Some of them might have certain implications for security, some are completely impractical and are presented for    </description><link>http://www.secuobs.com/revue/news/399901.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/399901.shtml</guid></item>
<item><title>PDF fuzzing and Adobe Reader 9.5.1 and 10.1.3 multiple critical vulnerabilities</title><description>Secuobs.com : 2012-08-14 20:13:15 - j00ru vx tech blog - (Collaborative post by Mateusz "j00ru" Jurczyk and Gynvael Coldwind) Several months ago, we started an internal Google Security Team effort to improve the general security posture of the Chrome embedded PDF reader, in an approach similar to the Flash fuzzing performed several months ago by Tavis Ormandy. During the course of a few weeks, we    </description><link>http://www.secuobs.com/revue/news/393534.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/393534.shtml</guid></item>
<item><title>ATmega328 (Arduino Uno compatible) MD5 optimized assembly implementation</title><description>Secuobs.com : 2012-07-23 23:59:53 - j00ru vx tech blog - Disclaimer: the things I am writing about here are new to me. Although I do my best to have a solid (well, decent in this case) understanding of the covered topics, some inaccuracies might have slipped through. Feel free to point them out in the comments. Hey guys or anyone who still happens to visit    </description><link>http://www.secuobs.com/revue/news/389213.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/389213.shtml</guid></item>
<item><title>CVE-2011-2018 exploitation as a standalone paper   other news</title><description>Secuobs.com : 2012-05-20 15:44:17 - j00ru vx tech blog - Hey guys, I figured that it might be worth releasing the "The story of CVE-2011-2018 exploitation" as a stand-alone, nicely formatted paper for your reading convenience. It was previously released in the Hack in The Box Magazine #8 over a month ago (see announcement blog post). In short words, the paper is a guide through    </description><link>http://www.secuobs.com/revue/news/376565.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/376565.shtml</guid></item>
<item><title>Hack in the Box Magazine #8 available now</title><description>Secuobs.com : 2012-04-12 00:18:04 - j00ru vx tech blog - Every one or two quarters, there's the one day we all wait for - and that's when the latest issue of the Hack in the Box Magazine is released. Thanks to the hard and awesome work of Zarul Shahrin and the entire editorial crew, we are very excited to announce that the eighth edition is    </description><link>http://www.secuobs.com/revue/news/369500.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/369500.shtml</guid></item>
<item><title>A Bug Hunter's Diary review</title><description>Secuobs.com : 2012-01-17 20:12:27 - j00ru vx tech blog - Title: A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security. Author: Tobias Klein. ISBN: 978-1-59327-385-9. Published: November 2011. Websites: http://nostarch.com/bughunter.htm, http://www.trapkit.de/books/bhd/en.html. In the modern times of noisy news headlines like "A Security Researcher Unveils a Critical Vulnerability in Product X", little is publicly said about the overall bug hunting process, in lieu of discussions regarding    </description><link>http://www.secuobs.com/revue/news/352526.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/352526.shtml</guid></item>
<item><title>FYI: Printable "Windows Kernel Address Protection" paper out</title><description>Secuobs.com : 2011-12-04 13:03:25 - j00ru vx tech blog - That's just a short notification that I decided to release the Windows Security Hardening Through Kernel Address Protection article published in Hack in the Box Magazine #7 over a month ago (see HITB #7 on the wild, at last). The paper is now available in a nicely formatted, printer-friendly format. If you missed it then,    </description><link>http://www.secuobs.com/revue/news/345239.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/345239.shtml</guid></item>
<item><title>Magus Ex Machina - a product of a 48h codejam</title><description>Secuobs.com : 2011-11-20 18:09:52 - j00ru vx tech blog - (Note: Collaborative post by Gynvael Coldwind and Mateusz "j00ru" Jurczyk) Five weeks ago, we have taken part in a fancy game-development competition aka Google GameJam 48h. As the name implies, the contest lasted for precisely two days; unfortunately, we were proven to lack supernatural powers and had to spend some of the precious time sleeping    </description><link>http://www.secuobs.com/revue/news/341647.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/341647.shtml</guid></item>
<item><title>Refreshed Windows System Call Table (NT/2000/XP/2003/Vista/2008/7/8) released</title><description>Secuobs.com : 2011-11-18 13:25:21 - j00ru vx tech blog - Long time no see, huh? TL;DR: I created and released a complete Windows NT-family syscall table. See the bottom of the post for a link. For the last couple of years, the Metasploit project has been hosting a table of the core Windows kernel services, also known as system calls (originally available at http://dev.metasploit.com/users/opcode/syscalls.html). In    </description><link>http://www.secuobs.com/revue/news/341391.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/341391.shtml</guid></item>
<item><title>Hack in the Box Magazine #7 on the wild, at last</title><description>Secuobs.com : 2011-10-19 16:48:30 - j00ru vx tech blog - Hello, It gives me a great pleasure to announce that after several months past the last release (see The HITB Magazine #6 now available), the awesome crew (as always, special kudos to Zarul Shahrin) has managed to put up the 7th edition of Hack in the Box Magazine. Without much ado, I will just say    </description><link>http://www.secuobs.com/revue/news/335720.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/335720.shtml</guid></item>
<item><title>PiXiEServ out for public</title><description>Secuobs.com : 2011-10-08 15:22:29 - j00ru vx tech blog - A few years back, we've been (i.e. j00ru and Gynvael) working on a bootkit-related project (some Polish SecDay 09 presentation slides can be found here: Bootkit vs Windows.pdf). One of its basic requirements was the ability to load custom boot-"sectors" from an external host in the local network. Since the publicly available solutions required too much    </description><link>http://www.secuobs.com/revue/news/333578.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/333578.shtml</guid></item>
<item><title>Windows 8 Syscall Interface and Export Table diffing fun</title><description>Secuobs.com : 2011-09-21 18:52:19 - j00ru vx tech blog - Due to my forthcoming move to Switzerland, I haven't had much time to post anything new here for quite some time. Hopefully, this will change soon after I am set up in my new location. In the meanwhile, I would like to share several tables presenting the differences in the export table symbols and native    </description><link>http://www.secuobs.com/revue/news/330195.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/330195.shtml</guid></item>
<item><title>0-day Windows XP SP3 Denial of Service (CSRSS Crash #1)</title><description>Secuobs.com : 2011-08-03 22:27:56 - j00ru vx tech blog - A rather short blog post today, as I am currently on my vacations. After publishing two, quite extensive write-ups regarding vulnerabilities in the Windows "CSRSS" component at Microsoft July Patch Tuesday (CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability, CVE-2011-1282: User-Mode NULL Pointer Dereference &amp; co), I would like to shortly discuss the    </description><link>http://www.secuobs.com/revue/news/320911.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/320911.shtml</guid></item>
<item><title>CVE-2011-1282: User-Mode NULL Pointer Dereference &amp; co</title><description>Secuobs.com : 2011-07-21 18:52:07 - j00ru vx tech blog - After a short break, today I would like to present the details of another Windows CSRSS vulnerability, fixed during the recent Microsoft Patch Tuesday cycle (advisory MS11-056) - CVE-2011-1282, also called CSRSS Local EOP SrvSetConsoleLocalEUDC Vulnerability. Although not as spectacular as the previous one (see "CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability"),    </description><link>http://www.secuobs.com/revue/news/318506.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/318506.shtml</guid></item>
<item><title>CVE-2011-1281: A story of a Windows CSRSS Privilege Escalation vulnerability</title><description>Secuobs.com : 2011-07-12 20:29:02 - j00ru vx tech blog - Today, I would like to present a detailed description of the CVE-2011-1281 vulnerability [1], which was reported by me several months ago and patched today, together with four other bugs marked as the Elevation of Privileges class, on the occasion of the monthly Microsoft Patch Tuesday cycle (see Microsoft Security Bulletin MS11-056, a summary of    </description><link>http://www.secuobs.com/revue/news/316558.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/316558.shtml</guid></item>
<item><title>PE Import Table and custom DLL paths</title><description>Secuobs.com : 2011-07-03 21:41:26 - j00ru vx tech blog - Once upon a time, an interesting software vulnerability vector called DLL Hijacking became very popular, thanks to a Slovenian security research outfit - ACROS Security, as well as HD Moore and his DLL Hijacking Audit Kit. In short, the vulnerability class allowed an attacker to execute arbitrary code in the context of an application, which    </description><link>http://www.secuobs.com/revue/news/314974.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/314974.shtml</guid></item>
<item><title>Protected Mode Segmentation as a powerful anti-debugging measure</title><description>Secuobs.com : 2011-06-19 01:01:27 - j00ru vx tech blog - The segmentation functionality has been present in the Intel processors since very early stages of the CPU manufacturing. In real-mode, segments were the basis for 16-bit memory management, allowing the operating system or application to specify separate memory areas for different types of information, i.e. code, regular data, stack and so on. When a more    </description><link>http://www.secuobs.com/revue/news/312175.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/312175.shtml</guid></item>
<item><title>The HITB Magazine #6 now available</title><description>Secuobs.com : 2011-06-13 09:25:10 - j00ru vx tech blog - As usual, I would like to inform you that the sixth issue of the Hack in the Box Magazine has just been published. Unlike previous editions, the paper is released several weeks after the HITB Amsterdam 2011 security conference - we spent the additional time working on providing you with even more interesting sections and    </description><link>http://www.secuobs.com/revue/news/310767.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310767.shtml</guid></item>
<item><title>How to crash EXPLORER.EXE on all Windows versions (0-day DoS)</title><description>Secuobs.com : 2011-06-12 20:25:07 - j00ru vx tech blog - Nearly a year ago, a critical Windows Shell vulnerability was found in the wild (stuxnet &amp; co), making it possible for an attacker to execute arbitrary code on a victim's computer, by getting the user to list a directory which would contain a specially crafted LNK file. The sole purpose of files of that type    </description><link>http://www.secuobs.com/revue/news/310711.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310711.shtml</guid></item>
<item><title>SMEP: What is it, and how to beat it on Windows</title><description>Secuobs.com : 2011-06-05 13:18:03 - j00ru vx tech blog - (Collaborative post by Mateusz "j00ru" Jurczyk &amp; Gynvael Coldwind) Early Sunday morning discussion has resulted in j00ru coming up with an idea to mitigate some variants of kernel exploitation techniques by introducing a CPU feature that would disallow execution control transfers in kernel-mode to code residing in user memory area pages (e.g. addresses  0x80000000    </description><link>http://www.secuobs.com/revue/news/309220.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309220.shtml</guid></item>
<item><title>nt!NtMapUserPhysicalPages and Kernel Stack-Spraying Techniques</title><description>Secuobs.com : 2011-05-29 19:09:58 - j00ru vx tech blog - Although not the most common vulnerability class, it sometimes happens that a ring-0 module (or the kernel itself) references a local variable or buffer, which wasn't previously properly initialized. The threat is usually mitigated by compiler warnings / errors, informing about potential security flaws present in the source code - as life shows, it is    </description><link>http://www.secuobs.com/revue/news/307857.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/307857.shtml</guid></item>
<item><title>Subtle information disclosure in WIN32K syscall return values</title><description>Secuobs.com : 2011-05-22 16:35:45 - j00ru vx tech blog - While performing some random research related to the WIN32K.SYS driver syscalls a few months ago, I stumbled on an interesting finding - when examining the full 32-bit (or in the case of the original research - 64) return values, some of the services seemed to return unusual numbers, for example 0xfffffa8000ea0000. After investigating the subject    </description><link>http://www.secuobs.com/revue/news/306423.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/306423.shtml</guid></item>
<item><title>Pimp My CrackMe contest results</title><description>Secuobs.com : 2011-05-17 13:36:12 - j00ru vx tech blog - Around three weeks ago, Bartek announced a competition called "Pimp My CrackMe" on his http://secnews.pl/ website. The main prize was a free pass to the CONFidence 2011 conference, which is going to take place on 24-25 May, in Cracow. The task was to create an interesting CrackMe program, which would then be judged based    </description><link>http://www.secuobs.com/revue/news/305316.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/305316.shtml</guid></item>
<item><title>HITB E-Zine Issue 005 finally made public</title><description>Secuobs.com : 2011-02-14 22:48:59 - j00ru vx tech blog - Hello, Today, I would like to present the fifth issue of the well-known Hack In The Box e-magazine, originally brought back to life by Zarul Shahrin, in January last year (see the complete release history here). As usual, every Windows Internals maniac can find something for himself; this time, I described some of the most    </description><link>http://www.secuobs.com/revue/news/285189.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/285189.shtml</guid></item>
<item><title>Windows Kernel-mode GS Cookies and 1 bit of entropy</title><description>Secuobs.com : 2011-01-11 21:25:18 - j00ru vx tech blog - Hello, Today, I would like to present the results of the research, performed by me and Gynvael Coldwind, during the last three or four weeks - an almost forty-page long article, entitled "Exploiting the otherwise non-exploitable: Windows Kernel-mode GS cookies subverted" (yes, that's an obvious reference to the "Exploiting the otherwise non-exploitable on Windows" by    </description><link>http://www.secuobs.com/revue/news/277481.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/277481.shtml</guid></item>
<item><title>HITB eZine Issue 004 is public </title><description>Secuobs.com : 2010-10-14 13:55:58 - j00ru vx tech blog - Hey  Traditionally - during the annual, last Hack in the Box 2010 conference edition held in Kuala-Lumpur, Malaysia  follow HITBSecConf   Twitter , an IT-security related magazine is released Since three issues, I have been contributing to the paper with my Windows-oriented articles This time, I would like to present a publication called Creating custom console    </description><link>http://www.secuobs.com/revue/news/256934.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/256934.shtml</guid></item>
<item><title>Windows kernel2user transitions one more time</title><description>Secuobs.com : 2010-10-10 16:24:53 - j00ru vx tech blog - Hello, Before I start talking  writing  over the real subject of this short post, I would like to make some interesting announcements My friend mawekl has recently fired up a project called Security Traps The website consists of numerous IT-related challenges, ranging from typical JavaScript-hackmes, through Windows software Reverse Code Engineering tasks, up to C C     </description><link>http://www.secuobs.com/revue/news/255659.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/255659.shtml</guid></item>
<item><title>Kernel exploitation   r0 to r3 transitions via KeUserModeCallback</title><description>Secuobs.com : 2010-09-17 00:38:30 - j00ru vx tech blog - Hey there  I have recently came across  well, not entirely by myself cheers Nahuel  a fairly  un common problem related to performing ring0-to-ring3 transitions, after a successful kernel vulnerability exploitation As I have managed to come up with a bunch of possible solutions, and even write exemplary code for some of these, today I would like    </description><link>http://www.secuobs.com/revue/news/246597.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/246597.shtml</guid></item>
<item><title>Windows CSRSS Write Up  Inter-process Communication  part 2 3 </title><description>Secuobs.com : 2010-07-28 00:29:46 - j00ru vx tech blog - A quick beginning note  My friend d0c_s4vage has created a technical blog and posted his first text just a few days ago The post entry covers a recent, critical libpng vulnerability discovered by this guy  the interesting thing is that, among others, the latest Firefox and Chrome versions were vulnerable Feel free to take a    </description><link>http://www.secuobs.com/revue/news/244403.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/244403.shtml</guid></item>
<item><title>Blog customization, old PHP advisories</title><description>Secuobs.com : 2010-07-20 02:54:42 - j00ru vx tech blog - Hey there  Today, I would like to post a less-technical text, discussing two issues I have recently came across, or been busy with  don't worry though, as CSRSS Write-Up  IPC  part 2 3  is on the way The first matter is about recent changes applied to the blog appearance and functionality, while the latter regards the    </description><link>http://www.secuobs.com/revue/news/241907.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/241907.shtml</guid></item>
<item><title>Windows CSRSS Write Up  Inter-process Communication  part 1 3 </title><description>Secuobs.com : 2010-07-13 19:18:04 - j00ru vx tech blog - Introduction In the second post of the Windows CSRSS Write Up series, I would like to explain how the practical communication between the Windows Subsystem and user's process takes place under the hood Due to the fact that some major improvements have been introduced in Windows Vista and later, the entire article is split into    </description><link>http://www.secuobs.com/revue/news/240154.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/240154.shtml</guid></item>
<item><title>[Polish] HITB eZine Issue 003 online</title><description>Secuobs.com : 2010-07-10 09:32:24 - j00ru vx tech blog - Sorry, this entry is only available in Polish </description><link>http://www.secuobs.com/revue/news/239366.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/239366.shtml</guid></item>
<item><title>Windows CSRSS Write Up  the basics  part 1 1 </title><description>Secuobs.com : 2010-07-09 00:15:17 - j00ru vx tech blog - NOTE  The following post entry opens a series of CSRSS-oriented articles, aiming at describing the uncovered CSRSS mechanism internals, present in the Windows OS for more than fifteen years now Although some great research has already been carried out by a few curious guys  check out the references , no thorough case study is available until    </description><link>http://www.secuobs.com/revue/news/238867.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/238867.shtml</guid></item>
<item><title>Attacking the Host via Remote Kernel Debugger  Virtual Machines </title><description>Secuobs.com : 2010-07-05 01:16:57 - j00ru vx tech blog - NOTE  This post is highly related to the research performed by Alex Ionescu He is going to present the results of his work on the RECON2010 conference, during his Debugger-based Target-to-Host Cross-System Attacks speech As it turns out, me and Alex have been working on the same subject concurrently - while I have only managed    </description><link>http://www.secuobs.com/revue/news/237598.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/237598.shtml</guid></item>
<item><title>A quick insight into the Driver Signature Enforcement</title><description>Secuobs.com : 2010-07-02 17:11:38 - j00ru vx tech blog - Hey  I have recently had some fun playing around with driver signing on Windows x64, and so I like to share some matters that have came into my head Therefore, let me briefly describe some internal mechanisms lying behind well known Driver Signature Enforcement, a significant part of the Code Integrity feature introduced    </description><link>http://www.secuobs.com/revue/news/237185.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/237185.shtml</guid></item>
<item><title>Descriptor tables in kernel exploitation    a new article</title><description>Secuobs.com : 2010-06-20 10:45:40 - j00ru vx tech blog - Hi there  Not so long  a few weeks, actually  ago, me together with Gynvael Coldwind had a chance to carry out a research regarding the Global and Local Descriptor Tables being used as a write-what-where target, while exploiting ring-0 vulnerabilities on 32-bit Microsoft Windows NT-family systems The result of our work is a small article,    </description><link>http://www.secuobs.com/revue/news/233288.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/233288.shtml</guid></item>
<item><title>SEConference 2k10   materials</title><description>Secuobs.com : 2010-06-20 10:45:40 - j00ru vx tech blog - As promised, I am publishing the materials that were presented at the free SEConference 2010 conference  http www2k10seconferencepl , held at the Cracow University of Technology. The subject of my talk was Windows kernel security vulnerabilities, specifically the potential pitfalls and places where a kernel-mode programmer can make mistakes that affect the security of the whole system. Presentation in pptx format  link  616kB  Presentation in    </description><link>http://www.secuobs.com/revue/news/233287.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/233287.shtml</guid></item>
<item><title>Windows Kernel Vulnerabilities release  Hispasec research </title><description>Secuobs.com : 2010-06-20 10:45:40 - j00ru vx tech blog - Today, during the Patch Tuesday, Microsoft has released bits of information regarding the security vulnerabilities present in the Windows kernel - found and exploited  in the Proof of Concept form  by me and Gynvael Coldwind - which are directly connected with a well-known Windows Registry functionality Five bugs have been described  there is a total    </description><link>http://www.secuobs.com/revue/news/233286.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/233286.shtml</guid></item>
<item><title>CTcpFwd   cross-platform stdin out to socket forwarding class</title><description>Secuobs.com : 2010-06-20 10:45:40 - j00ru vx tech blog - Hello, A few weeks ago, I had the pleasure to take part in a local 24-hour long, programming marathon  greets to my team  Pawel and Wojtek  Due to the nature of the competition, I was obliged to create a simple class, making it possible to redirect sockets to standard i o  stdin   stdout , which would    </description><link>http://www.secuobs.com/revue/news/233285.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/233285.shtml</guid></item>
<item><title>HITB eZine Issue 002 is out</title><description>Secuobs.com : 2010-06-20 10:45:40 - j00ru vx tech blog - Today, during the Hack In The Box 2010 Dubai conference, the next  second  issue of the revived HITB eZine project was released online. It is a periodically published magazine focusing on topics related to computer security in the broad sense. One of the articles in this edition is my paper  Windows Objects in Kernel Vulnerability Exploitation . I described in    </description><link>http://www.secuobs.com/revue/news/233284.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/233284.shtml</guid></item>
<item><title>Windows Kernel Vulnerabilities continued   details</title><description>Secuobs.com : 2010-06-20 10:45:40 - j00ru vx tech blog - And so it happened   As I've written in this post, Gynvael Coldwind has just finished speaking about recent Windows Kernel Vulnerabilities on the Hack In The Box Dubai conference, taking place today Unfortunately, because of the European air communication being disabled these days, the presentation was held remotely - one way or another, it    </description><link>http://www.secuobs.com/revue/news/233283.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/233283.shtml</guid></item>
<item><title>Windows CSRSS cross-version API Table</title><description>Secuobs.com : 2010-06-20 10:45:40 - j00ru vx tech blog - Hello  It seems like half a year has passed since I published the Win32kSYS system call table list on the net During this time  well, it didn't take so long   I managed to gather enough information to release yet another API list - this time, concerning an user-mode application - CSRSS  Client Server Runtime SubSystem     </description><link>http://www.secuobs.com/revue/news/233282.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/233282.shtml</guid></item>
<item><title>CONFidence 2010 is over</title><description>Secuobs.com : 2010-06-20 10:45:40 - j00ru vx tech blog - One of the biggest  best   IT security-oriented conferences in Poland finished three days ago, in the Wednesday evening In the very first place, I would like to congratulate all the organisers, for their decision on where the event should be held, as well as how it should look like - during these two days,    </description><link>http://www.secuobs.com/revue/news/233281.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/233281.shtml</guid></item>
<item><title>A quick insight into the Driver Signature Enforcement</title><description>Secuobs.com : 2010-06-20 10:45:40 - j00ru vx tech blog - Hey  I have recently had some fun playing around with driver signing on Windows x64, and so I like to share some matters that have came into my head Therefore, let me briefly describe some internal mechanisms lying behind well known Driver Signature Enforcement, a significant part of the Code Integrity feature introduced by Microsoft    </description><link>http://www.secuobs.com/revue/news/233280.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/233280.shtml</guid></item>
<item><title>CONFidence 2010 is over</title><description>Secuobs.com : 2010-05-30 11:04:24 - j00ru vx tech blog - One of the biggest  best   IT security-oriented conferences in Poland finished three days ago, in the Wednesday evening In the very first place, I would like to congratulate all the organisers, for their decision on where the event should be held, as well as how it should look like - during these two    </description><link>http://www.secuobs.com/revue/news/226999.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/226999.shtml</guid></item>
<item><title>Windows CSRSS cross-version API Table</title><description>Secuobs.com : 2010-05-03 03:13:23 - j00ru vx tech blog - Hello  It seems like half a year has passed since I published the Win32kSYS system call table list on the net During this time  well, it didn t take so long   I managed to gather enough information to release yet another API list   this time, concerning an user-mode application   CSRSS  Client Server Runtime SubSystem     </description><link>http://www.secuobs.com/revue/news/218109.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/218109.shtml</guid></item>
<item><title>Windows Kernel Vulnerabilities continued   details</title><description>Secuobs.com : 2010-04-22 18:21:20 - j00ru vx tech blog - And so it happened   As I ve written in this post, Gynvael Coldwind has just finished speaking about recent Windows Kernel Vulnerabilities on the Hack In The Box Dubai conference, taking place today Unfortunately, because of the European air communication being disabled these days, the presentation was held remotely   one way or another, it    </description><link>http://www.secuobs.com/revue/news/214976.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/214976.shtml</guid></item>
<item><title>CTcpFwd   cross-platform stdin out to socket forwarding class</title><description>Secuobs.com : 2010-04-20 09:53:23 - j00ru vx tech blog - Hello, A few weeks ago, I had the pleasure to take part in a local 24-hour long, programming marathon  greets to my team  Pawel and Wojtek  Due to the nature of the competition, I was obliged to create a simple class, making it possible to redirect sockets to standard i o  stdin   stdout , which would greatly    </description><link>http://www.secuobs.com/revue/news/213998.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/213998.shtml</guid></item>
<item><title>Windows Kernel Vulnerabilities release  Hispasec research </title><description>Secuobs.com : 2010-04-13 23:46:39 - j00ru vx tech blog - Today, during the Patch Tuesday, Microsoft has released bits of information regarding the security vulnerabilities present in the Windows kernel   found and exploited  in the Proof of Concept form  by me and Gynvael Coldwind   which are directly connected with a well-known Windows Registry functionality Five bugs have been described  there is a total    </description><link>http://www.secuobs.com/revue/news/211737.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/211737.shtml</guid></item>
<item><title> Descriptor tables in kernel exploitation    a new article</title><description>Secuobs.com : 2010-01-17 02:42:22 - j00ru vx tech blog - Hi there  Not so long  a few weeks, actually  ago, me together with Gynvael Coldwind had a chance to carry out a research regarding the Global and Local Descriptor Tables being used as a write-what-where target, while exploiting ring-0 vulnerabilities on 32-bit Microsoft Windows NT-family systems The result of our work is a small article, describing    </description><link>http://www.secuobs.com/revue/news/182481.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/182481.shtml</guid></item>
<item><title>x86 Kernel Memory Space Visualization  KernelMAP v001 </title><description>Secuobs.com : 2010-01-05 00:00:39 - j00ru vx tech blog - What I would like to write about today is a subject I have been playing with for quite some time   Windows kernel vulnerability exploitation techniques While digging through various articles and other materials, I appeared to find bunches of interesting facts that are worth being described here The post presented today aims to describe    </description><link>http://www.secuobs.com/revue/news/178091.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/178091.shtml</guid></item>
<item><title>Win32kSYS system call table</title><description>Secuobs.com : 2009-12-01 05:17:25 - j00ru vx tech blog - Everyone who has ever had some serious contact with how the Windows kernel mechanisms work, was probably in need to access a complete system call number list  together with the handlers  definitions  As one of the most important part of the communication process between user s applications and kernel, SSDT is commonly used for both clearly    </description><link>http://www.secuobs.com/revue/news/167082.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/167082.shtml</guid></item>
<item><title>Unexported SSDT functions finding method</title><description>Secuobs.com : 2009-11-03 04:26:23 - j00ru vx tech blog - Today, I would like to write about finding the addresses of unexported kernel functions  system call handler  from user mode It is my very own idea, which occurred to me during one of my talks regarding Windows32 kernel exploitation  greetings to suN8Hclf  Despite this, I cannot guarantee that the technique in consideration hasn't been invented    </description><link>http://www.secuobs.com/revue/news/156445.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/156445.shtml</guid></item>
<item><title>Controlling Windows process list, part 1</title><description>Secuobs.com : 2009-10-09 22:55:28 - j00ru vx tech blog - In one of my previous posts  check Suspending processes in Windows, part 1 , I was trying to discuss the well-known and less popular techniques making it possible to suspend threads or entire processes working under Microsoft Windows OS control I also announced that a specific way of TaskMgrexe modification   extending it with the interesting    </description><link>http://www.secuobs.com/revue/news/149137.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/149137.shtml</guid></item>
<item><title>TraceHook v002</title><description>Secuobs.com : 2009-10-04 05:01:54 - j00ru vx tech blog - Since I have recently managed to find some time and come back to TraceHook project development, I decided to mark the result of a-few-hour-long session with the next version number   002 Until now, the application has been designed for my own purposes   it was written to handle particular problems and work under certain    </description><link>http://www.secuobs.com/revue/news/147254.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/147254.shtml</guid></item>
<item><title>Process termination issues</title><description>Secuobs.com : 2009-08-31 06:11:00 - j00ru vx tech blog - 1 Introduction The first technical post here is about the process of terminating applications on Windows system I have been researching this subject for the last few days, during which a number of interesting  yet unknown  facts has appeared Some of the solution ideas regarding particular problems are presented here, though I am sure there are    </description><link>http://www.secuobs.com/revue/news/136074.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/136074.shtml</guid></item>
<item><title>Extending Total Commander with some minor functionality</title><description>Secuobs.com : 2009-08-31 06:11:00 - j00ru vx tech blog - As a loyal standard Windows shell  explorerexe  user I often encounter some problems with the number of opened Windows on one desktop Since my current notebook hardly ever goes down, so does the user s shell After a few working evenings, I often have difficulty localizing the desired windows Having something like 40-50 of them, it    </description><link>http://www.secuobs.com/revue/news/136073.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/136073.shtml</guid></item>
<item><title>Recent conferences  reports</title><description>Secuobs.com : 2009-08-31 06:11:00 - j00ru vx tech blog - It seems like the blog has been dead for more than two months, mainly due to kind of wrong priority hierarchy   there was always something interesting to research, even when I should be busy writing a next interesting post on my blog The recent weeks haven t been wasted at all, as the site    </description><link>http://www.secuobs.com/revue/news/136072.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/136072.shtml</guid></item>
<item><title>DllMain and its uncovered possibilities</title><description>Secuobs.com : 2009-08-31 06:11:00 - j00ru vx tech blog - Aww, another month or even more has apparently passed just in front of my eyes As some of you might have realized, the school time has already ended  something like two weeks ago , thus allowing me to carry out some more research and remember about this blog I expect some more posts to be written    </description><link>http://www.secuobs.com/revue/news/136071.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/136071.shtml</guid></item>
<item><title>Blog management changes</title><description>Secuobs.com : 2009-08-31 06:11:00 - j00ru vx tech blog - Welcome to the blog on my own hosting  I have recently decided to add multi-language support to the blog, which obviously required the Wordpress system to be moved to my own hosting  the one provided by wordpresscom lacks many important features, like the possibility to install plugins  which turned out to be very useful, by the    </description><link>http://www.secuobs.com/revue/news/136070.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/136070.shtml</guid></item>
<item><title>The incoming SecDay conference</title><description>Secuobs.com : 2009-08-31 06:11:00 - j00ru vx tech blog - I have a pleasure to inform the blog readers about the incoming event I am taking part in   the polish SecDay conference  regarding security in a general meaning  My presentation s subject is the practical approach to, so called, bootkit creation To make things clear, bootkit consists of a number of code blocks    </description><link>http://www.secuobs.com/revue/news/136069.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/136069.shtml</guid></item>
<item><title>Suspending processes in Windows, part 1</title><description>Secuobs.com : 2009-08-31 06:11:00 - j00ru vx tech blog - I have been recently encountering quite a non-typical problem   playing Starcraft was hard due to the amount of active processes running on my operating system   including a few IDA instances, virtual machines and the most disturbing  Firefox web browser As we all know, it s not only about the memory being used by Firefox    </description><link>http://www.secuobs.com/revue/news/136068.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/136068.shtml</guid></item>
</channel>
</rss>
 
