Day 0: Virtual Environment Setup, Scripts, and WinDbg
Overview: Today is the day you begin your wild journey into hypervisor development. It’s going to be miserable, rewarding, frustrating, and exciting, all at the same time. In this article we dive head-on into setting up our virtual environment using VMware (taking advantage of its nested virtualization support), write scripts for quick stand-up and […]
5 Days to Virtualization: A Series on Hypervisor Development
Overview: Next week (10/29) I’ll start publishing a series written to help new and interested readers build, test, and understand a type-2 hypervisor. The hypervisor will be written for Intel processors with virtualization support (VT-x). If you’re on an AMD chip, you may find some parts helpful, but […]
Detecting Hypervisor Presence on Windows 10
Detecting a hypervisor on Windows 10 is relatively simple, but because the currently published detection vectors are so simplistic, they are likely just as simple to spoof or remove. In this article we’ll detail a few ways of detecting a hypervisor’s presence on Windows 10, determining whether it’s a Microsoft hypervisor, […]
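The two CPUID checks that the simplest detections rest on, as an added example that is not code from the post: CPUID leaf 1 returns the hypervisor-present bit in ECX[31], and leaf 0x40000000 returns a 12-byte vendor signature in EBX:ECX:EDX ("Microsoft Hv" for Hyper-V). The decode helpers take raw register values so they can be exercised with constructed input; the query_* wrappers, which actually execute CPUID, assume a GCC/clang toolchain with <cpuid.h> and are this example's own naming.

```c
/* Added example (not code from the original post): two CPUID-based checks
 * for a hypervisor on x86/x64.  Decode helpers take raw register values so
 * they can be tested with constructed input; the query_* wrappers execute
 * CPUID for real (GCC/clang <cpuid.h> only). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
#include <cpuid.h>
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* CPUID.1:ECX[31] is reserved by Intel and AMD for hypervisors, which set it
 * to advertise their presence. */
#define CPUID_HV_PRESENT_BIT (1u << 31)

/* CPUID leaf 0x40000000 is the first hypervisor vendor leaf: EBX:ECX:EDX
 * carry a 12-byte signature ("Microsoft Hv", "VMwareVMware", "KVMKVMKVM\0\0\0"). */
#define CPUID_HV_VENDOR_LEAF 0x40000000u

int hv_present_from_ecx(uint32_t leaf1_ecx) {
    return (leaf1_ecx & CPUID_HV_PRESENT_BIT) != 0;
}

/* Assemble the signature in EBX, ECX, EDX order; out holds 12 chars + NUL.
 * x86 is little-endian, so the register bytes are already in string order. */
void hv_vendor_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out + 0, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

int is_microsoft_hv(const char *vendor) {
    return memcmp(vendor, "Microsoft Hv", 12) == 0;
}

/* Live query: 1 if CPUID.1:ECX[31] is set, 0 otherwise or if unavailable. */
int query_hv_present(void) {
#if HAVE_CPUID
    uint32_t a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    return hv_present_from_ecx(c);
#else
    return 0;
#endif
}

/* Live query of the vendor leaf.  __get_cpuid() refuses leaves above the
 * basic maximum, so the raw __cpuid macro is used.  Without a hypervisor the
 * leaf returns zeros or junk, which is why the present bit is checked first. */
int query_hv_vendor(char out[13]) {
#if HAVE_CPUID
    uint32_t a, b, c, d;
    __cpuid(CPUID_HV_VENDOR_LEAF, a, b, c, d);
    (void)a;
    hv_vendor_from_regs(b, c, d, out);
    return 1;
#else
    out[0] = '\0';
    return 0;
#endif
}

int main(void) {
    char vendor[13];
    if (!query_hv_present()) {
        puts("CPUID.1:ECX[31] clear: no hypervisor advertised");
        return 0;
    }
    query_hv_vendor(vendor);
    printf("hypervisor present, vendor signature \"%s\"%s\n", vendor,
           is_microsoft_hv(vendor) ? " (Microsoft Hyper-V)" : "");
    return 0;
}
```

Both checks are trivially defeated by a hypervisor that intercepts CPUID and returns clean values, which is the point the post makes about how easy these vectors are to spoof.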
Hiding Drivers on Windows 10
Disclaimer: All experiments and development were performed on Windows 10 x64 (Version 1703, Build 15063.540). Any attempt to replicate these results on a different version or operating system may yield inconsistent results. It’s a pretty common objective in the game hacking community to load kernel modules and attempt to hide them from prying eyes. The […]
Superseding Driver Altitude Checks on Windows
It was brought to my attention that, in an article on my former research portfolio, I mentioned another way to manipulate an unsigned driver and perform some black magic. This black magic is done by modifying a flag in the _DRIVER_OBJECT so that the loaded driver can supersede altitude checks, register callbacks both with the […]
Converting Virtual Linear Addresses to Physical Addresses
The process of converting virtual addresses to physical addresses varies from architecture to architecture. This article lays out the process for a standard 64-bit linear address on a processor operating in IA-32e mode. The distinction matters because some constructs that exist in IA-32e mode do not exist in IA-32 mode (such as the […]
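The IA-32e 4-level walk that the article describes, as an added example rather than the article's own code: the linear address is split into PML4, PDPT, PD and PT indices plus a page offset, and each level's entry is read from the physical address held in the previous one, stopping early at a 1 GiB or 2 MiB page when the PS bit is set. Bit positions follow the Intel SDM; the read_phys callback and the demo tables built by build_demo_tables() are this example's assumptions so the walk can run on a constructed in-memory "physical memory".

```c
/* Added example, not the article's code: decomposing a 64-bit linear address
 * under IA-32e 4-level paging and walking constructed, in-memory page tables
 * to the physical address.  Bit layouts follow the Intel SDM; the reader
 * callback and demo tables are this example's own assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PTE_PRESENT   (1ull << 0)
#define PTE_PS        (1ull << 7)             /* 1 GiB page in PDPTE, 2 MiB in PDE */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ull  /* next-table / 4 KiB frame, bits 51:12 */

/* Index fields of a 48-bit linear address under 4-level paging. */
typedef struct {
    uint16_t pml4, pdpt, pd, pt;   /* 9 bits each: 47:39, 38:30, 29:21, 20:12 */
    uint16_t offset;               /* bits 11:0 */
} la_parts_t;

la_parts_t split_linear(uint64_t la) {
    la_parts_t p;
    p.pml4   = (la >> 39) & 0x1FF;
    p.pdpt   = (la >> 30) & 0x1FF;
    p.pd     = (la >> 21) & 0x1FF;
    p.pt     = (la >> 12) & 0x1FF;
    p.offset = la & 0xFFF;
    return p;
}

/* Bits 63:48 must be a sign extension of bit 47, or the access faults. */
int is_canonical48(uint64_t la) {
    int64_t s = (int64_t)(la << 16) >> 16;
    return (uint64_t)s == la;
}

/* Physical-memory reader abstraction (assumed by this example). */
typedef int (*read_phys_fn)(uint64_t pa, uint64_t *out);

/* CR3 -> PML4E -> PDPTE -> PDE -> PTE.  Returns 0 on success, -1 on a
 * non-present entry or unreadable table, -2 for a non-canonical address. */
int translate(uint64_t cr3, uint64_t la, read_phys_fn rd, uint64_t *pa) {
    if (!is_canonical48(la)) return -2;
    la_parts_t ix = split_linear(la);
    uint64_t e;
    if (!rd((cr3 & PTE_ADDR_MASK) + ix.pml4 * 8, &e) || !(e & PTE_PRESENT)) return -1;
    if (!rd((e & PTE_ADDR_MASK) + ix.pdpt * 8, &e) || !(e & PTE_PRESENT)) return -1;
    if (e & PTE_PS) {   /* 1 GiB page: frame bits 51:30, offset bits 29:0 */
        *pa = (e & 0x000FFFFFC0000000ull) | (la & 0x3FFFFFFFull);
        return 0;
    }
    if (!rd((e & PTE_ADDR_MASK) + ix.pd * 8, &e) || !(e & PTE_PRESENT)) return -1;
    if (e & PTE_PS) {   /* 2 MiB page: frame bits 51:21, offset bits 20:0 */
        *pa = (e & 0x000FFFFFFFE00000ull) | (la & 0x1FFFFFull);
        return 0;
    }
    if (!rd((e & PTE_ADDR_MASK) + ix.pt * 8, &e) || !(e & PTE_PRESENT)) return -1;
    *pa = (e & PTE_ADDR_MASK) | ix.offset;   /* 4 KiB page */
    return 0;
}

/* Constructed demo "physical memory": five 4 KiB frames at 0x1000..0x5FFF. */
#define DEMO_BASE 0x1000ull
#define DEMO_SIZE 0x5000ull
static uint64_t demo_mem[DEMO_SIZE / 8];

static int demo_read(uint64_t pa, uint64_t *out) {
    if (pa < DEMO_BASE || pa + 8 > DEMO_BASE + DEMO_SIZE || (pa & 7)) return 0;
    *out = demo_mem[(pa - DEMO_BASE) / 8];
    return 1;
}

/* PML4@0x1000 -> PDPT@0x2000 -> PD@0x3000 -> PT@0x4000.  Linear 0x1000 (PT
 * index 1) maps to frame 0x5000; linear 0x200000 (PD index 1) maps to a
 * 2 MiB page at 0x600000.  Returns the CR3 value. */
uint64_t build_demo_tables(void) {
    memset(demo_mem, 0, sizeof demo_mem);
    uint64_t *pml4 = demo_mem + (0x1000 - DEMO_BASE) / 8;
    uint64_t *pdpt = demo_mem + (0x2000 - DEMO_BASE) / 8;
    uint64_t *pd   = demo_mem + (0x3000 - DEMO_BASE) / 8;
    uint64_t *pt   = demo_mem + (0x4000 - DEMO_BASE) / 8;
    pml4[0] = 0x2000 | PTE_PRESENT;
    pdpt[0] = 0x3000 | PTE_PRESENT;
    pd[0]   = 0x4000 | PTE_PRESENT;
    pd[1]   = 0x600000 | PTE_PS | PTE_PRESENT;
    pt[1]   = 0x5000 | PTE_PRESENT;
    return 0x1000;
}

int main(void) {
    uint64_t cr3 = build_demo_tables(), pa;
    uint64_t probes[] = { 0x1234, 0x200123, 0x3000, 0x0000800000000000ull };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int rc = translate(cr3, probes[i], demo_read, &pa);
        if (rc == 0) printf("LA 0x%llx -> PA 0x%llx\n", (unsigned long long)probes[i], (unsigned long long)pa);
        else         printf("LA 0x%llx -> not mapped (rc=%d)\n", (unsigned long long)probes[i], rc);
    }
    return 0;
}
```

In a real kernel or hypervisor the reader would map and read the physical page (or, in a VMX root context, walk the guest's tables from the guest CR3 via EPT); the index arithmetic and the large-page short-circuits are what carry over unchanged.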
Reading MSRs from UserMode
After speaking with some pals online about Windows 10’s policy requiring drivers to be digitally signed in order to load, the lot of us began digging into tools that ship signed drivers, you know, to see if there was any fun to be had with drivers that don’t validate the user-mode addresses that are passed […]
Custom GetProcAddress and GetModuleHandle Implementation (x64)
Reverse engineers know that the easiest way to break an application down and understand its internal operations involves using the import table and, of course, understanding assembly to some degree. In an effort to add a layer of indirection, and in pursuit of understanding how the internal Windows routines operate, I rewrote the famous, or […]
Recovering Deleted Windows Files [Breakdown and Theory]
When you delete a file on Windows, specifically Windows 10 Professional x64, it is removed from the user’s view and placed in the Recycle Bin pending permanent deletion. Once that permanent deletion is performed, some ask, “is the file really gone?” The answer is no, not immediately, and even after permanent deletion it’s […]
Structure of Security Identifiers
Recently a friend of mine asked about an unknown user account, shown only as an unresolved SID (security identifier), attached to all of his files, new and old. I noted that this is common on local machines that have had accounts removed: the SID stays in the file ACLs after the account it named is gone. He then asked about the structure of that number, so I figured […]
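The structure behind that number, as an added example that is not the post's own code: a binary SID is a revision byte, a sub-authority count, a 6-byte big-endian identifier authority, and then that many 32-bit little-endian sub-authorities, the last of which is the RID. The code converts between this layout and the familiar "S-1-5-21-..." string. The sample SIDs are constructed (BUILTIN\Administrators is the well-known S-1-5-32-544; the domain-style SID's machine-specific sub-authorities are made up), and the function names are this example's own.

```c
/* Added example, not the author's code: binary layout of a Windows SID and
 * conversions to/from the "S-R-I-S-S..." string form.  Layout: Revision (1
 * byte), SubAuthorityCount (1 byte), IdentifierAuthority (6 bytes, big-endian),
 * then SubAuthorityCount 32-bit little-endian sub-authorities (last = RID). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SID_MAX_SUB_AUTHORITIES 15
#define SID_MAX_BYTES (8 + 4 * SID_MAX_SUB_AUTHORITIES)

typedef struct {
    uint8_t  revision;
    uint8_t  sub_count;
    uint64_t authority;                     /* 48-bit value of the 6 big-endian bytes */
    uint32_t sub[SID_MAX_SUB_AUTHORITIES];
} sid_t;

/* Parse the binary form.  Returns 0 on success, -1 if truncated/malformed. */
int sid_from_bytes(const uint8_t *buf, size_t len, sid_t *s) {
    if (len < 8 || buf[0] != 1 || buf[1] > SID_MAX_SUB_AUTHORITIES) return -1;
    if (len < 8u + 4u * buf[1]) return -1;
    s->revision = buf[0];
    s->sub_count = buf[1];
    s->authority = 0;
    for (int i = 0; i < 6; i++) s->authority = (s->authority << 8) | buf[2 + i];
    for (int i = 0; i < s->sub_count; i++) {
        const uint8_t *p = buf + 8 + 4 * i;
        s->sub[i] = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return 0;
}

/* Serialise back to bytes.  Returns bytes written, or -1 if buf is too small. */
int sid_to_bytes(const sid_t *s, uint8_t *buf, size_t len) {
    size_t need = 8 + 4 * (size_t)s->sub_count;
    if (s->sub_count > SID_MAX_SUB_AUTHORITIES || len < need) return -1;
    buf[0] = s->revision; buf[1] = s->sub_count;
    for (int i = 0; i < 6; i++) buf[2 + i] = (uint8_t)(s->authority >> (8 * (5 - i)));
    for (int i = 0; i < s->sub_count; i++) {
        uint32_t v = s->sub[i];
        uint8_t *p = buf + 8 + 4 * i;
        p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
    }
    return (int)need;
}

/* String form S-<rev>-<authority>-<sub>...; the authority is printed in hex
 * when it does not fit in 32 bits, following Microsoft's convention. */
int sid_to_string(const sid_t *s, char *out, size_t outlen) {
    int n = (s->authority >> 32)
          ? snprintf(out, outlen, "S-%u-0x%012llX", s->revision, (unsigned long long)s->authority)
          : snprintf(out, outlen, "S-%u-%llu", s->revision, (unsigned long long)s->authority);
    if (n < 0 || (size_t)n >= outlen) return -1;
    for (int i = 0; i < s->sub_count; i++) {
        int m = snprintf(out + n, outlen - n, "-%u", s->sub[i]);
        if (m < 0 || (size_t)m >= outlen - n) return -1;
        n += m;
    }
    return n;
}

/* Parse the string form.  Returns 0 on success, -1 on any syntax error. */
int sid_from_string(const char *str, sid_t *s) {
    char *end;
    if (str[0] != 'S' || str[1] != '-') return -1;
    unsigned long rev = strtoul(str + 2, &end, 10);
    if (end == str + 2 || *end != '-' || rev != 1) return -1;
    const char *p = end + 1;
    unsigned long long auth = strtoull(p, &end, 0);   /* base 0 accepts decimal or 0x... */
    if (end == p || (auth >> 48)) return -1;
    s->revision = (uint8_t)rev; s->authority = auth; s->sub_count = 0;
    while (*end == '-') {
        if (s->sub_count == SID_MAX_SUB_AUTHORITIES) return -1;
        p = end + 1;
        unsigned long long v = strtoull(p, &end, 10);
        if (end == p || v > UINT32_MAX) return -1;
        s->sub[s->sub_count++] = (uint32_t)v;
    }
    return *end == '\0' ? 0 : -1;
}

/* RID = last sub-authority, or 0 if there is none. */
uint32_t sid_rid(const sid_t *s) { return s->sub_count ? s->sub[s->sub_count - 1] : 0; }

int main(void) {
    /* Constructed input: BUILTIN\Administrators (S-1-5-32-544) in binary form. */
    const uint8_t admins[] = { 0x01, 0x02, 0,0,0,0,0,0x05, 0x20,0,0,0, 0x20,0x02,0,0 };
    sid_t s; char text[128];
    if (sid_from_bytes(admins, sizeof admins, &s) == 0 && sid_to_string(&s, text, sizeof text) > 0)
        printf("%s  (RID %u)\n", text, sid_rid(&s));
    /* Constructed local-account SID: authority 5 (NT), 21 = non-unique, three
     * machine-specific sub-authorities, then the RID (>= 1000 for user-created
     * accounts).  Unresolved SIDs of this shape usually belong to deleted accounts. */
    if (sid_from_string("S-1-5-21-1004336348-1177238915-682003330-1001", &s) == 0)
        printf("sub-authorities: %u, RID %u\n", s.sub_count, sid_rid(&s));
    return 0;
}
```

The three middle sub-authorities of an S-1-5-21 SID identify the machine (or domain) that issued it; the RID identifies the principal within it, which is why the same RID on two machines names two unrelated accounts and why a SID from a deleted account can never be resolved again.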