Experimenting with Object Initializers in Windows – See PG-compliance Disclaimer*
Overview In this article, I wanted to introduce a fun approach to performing functions similar to those enabled by Windows Object Callbacks but through an alternative means (experimentally). It’s well known that anti-malware, anti-cheat, and generic monitoring tools on Windows systems often use these callbacks. However, their usability is limited to parties with signed modules, […]
Fun with another PatchGuard-compliant Hook
Overview In this article, we’ll be covering a fun alternative to the treasured InfinityHook from Nick Peterson. This alternative method was discovered by Aidan Khoury following the release and subsequent patch of the EtwpGetCycleCount target by Microsoft without any acknowledgements to the original authors. This method has been tested from early Windows 10 to latest Windows […]
MMU Virtualization via Intel EPT: Implementation – Part 1
Overview This article will cover the various requirements and features available for MMU virtualization via Intel Extended Page Tables. It’s going to be a relatively long article as I want to cover all of or most of the details concerning initialization and capability checking, MTRR setup, page splitting, and so on. We’ll start with checking […]
MMU Virtualization via Intel EPT: Technical Details
Overview This article marks the first of 5 articles covering the virtualization of the memory management unit (MMU) using Intel EPT. This technology is used as additional support for the virtualization of physical memory and allows hypervisors to monitor memory activity. This article will address the motivation for extended page tables, the many performance concerns […]
MMU Virtualization via Intel EPT – Index
Overview After receiving an abundance of requests to complete the EPT series I’ve switched gears to write this 5 part series over MMU Virtualization using Intel EPT. This series is written to be able to be used in your own hypervisor project or in conjunction with the CPU virtualization series published a few months prior. […]
Applied Reverse Engineering: Accelerated Assembly [P2]
Overview After reading feedback from the first part to the Accelerated Assembly guide, I’ve decided to take on a custom target, and call back to high-level languages when we encounter obscure or new pieces in the assembly. I realize that the level of detail in my last article may have been cumbersome to some readers, […]
Applied Reverse Engineering: Accelerated Assembly [P1]
Overview In this article you’ll be guided through a course on the x86 Instruction Set. This article serves at as a quick fix to the problem of not knowing where to start when learning Assembly. We’ll be covering instruction format briefly, and then jump right in to the instructions. This is like learning another language, […]
Applied Reverse Engineering: Exceptions and Interrupts
Overview To continue learning important topics within the OS and architecture, and before diving into the deep end of the application, we’re going to cover a topic that is relevant to reverse engineering and development in general: exceptions and interrupts. In this article, you’ll learn about exceptions/interrupts from the ground up. What they are, the […]
Applied Reverse Engineering: The Stack
Overview This article is written for new reverse engineers who have a hard time understanding the stack, its layout, how it works, and the various requirements for proper function. It can be a confusing concept to wrap your head around at first, but after reading this article you should have a very deep understanding of […]
Applied Reverse Engineering: Basic Architecture
Overview Thanks for joining me in my newest series Applied Reverse Engineering. I decided to write this new series concurrently with the EPT series except I pushed out the first five for this one and haven’t started the other. Typical. Anyways, I have to give a little preface to the article and series as well […]