Research Blog

Superseding Driver Altitude Checks on Windows

It was brought to my attention that in an article on my former research portfolio[2] I mentioned another way to manipulate an unsigned driver and perform some black magic. This black magic is done by modifying a flag in the _DRIVER_OBJECT allowing for the loaded driver to supersede altitude checks, register callbacks both with the […]

Read More

Converting Virtual Linear Addresses to Physical Addresses

The processes of converting virtual address to physical addresses varies from architecture to architecture. This article lays out the process of converting a standard 64bit linear address on a processor operating in IA32e mode. It’s important to note this distinction because some constructs that exist for IA32e do not for IA32 mode (such as the […]

Read More

Reading MSRs from UserMode

After speaking with some pals online about Windows 10’s policy requiring drivers to be digitally signed in order to load the lot of us began digging into tools that use signed drivers – you know… to see if there was any fun to be had with drivers that don’t validate UserMode addresses that are passed […]

Read More

Custom GetProcAddress and GetModuleHandle Implementation (x64)

Reverse engineers know that the easiest way to break an application down to understand it’s internal operations involves using the import table and, of course, understanding assembly to some degree. In an effort to add a layer of indirection and in pursuit of understanding how the internal Windows routines operated I rewrote the famous, or […]

Read More

Recovering Deleted Windows Files [Breakdown and Theory]

When you delete a file on Windows, specifically Windows 10 Professional x64, it is removed from the user’s view and placed in the recycle bin for permanent deletion. Once that permanent deletion is performed, some ask the question “is the file really gone?” The answer is no, not immediately, and even after permanent deletion it’s […]

Read More

Structure of Security Identifiers

Recently a friend of mine asked about an unknown user account associated with all files, new or old, with an unknown SID (security identifier) attached. I noted that this is common when local machines have had accounts that have since been removed. However, he then asked about the structure of that number so I figured […]

Read More

Usermode Debugger Check Prevention

It’s easy enough to use OllyDbg or any other debugger to bypass debugger checks, but any sort of anti-debugging technique that utilizes the time stamp counter such as QueryPerformanceCounter, GetTickCount, and others, can be bypassed by setting the 2nd bit in control register 4 (CR4) which disables the TimeStamp Counter from working for applications operating […]

Read More

Breaking Down System Routines #2 [NtQuerySystemInformation]

System Routine Overview NtQuerySystemInformation¬†is a system routine that gathers system information specific to the class value provided. During this breakdown, we’ll look at it in much more depth because, like the previous system routine documented, it’s just a wrapper for an internal kernel routine that actually gathers the system information. However, the internal routine it […]

Read More

Breaking Down System Routines #1 [NtQuerySection]

NtQuerySection is a system routine for the Windows operating system that queries information related to a section object and provides the information regarding that object by filling a buffer passed to the function. As an important note, all disassembly and reversing took place on Windows 10 x64 Professional. It requires 4 arguments, 5 if you […]

Read More

Hiding Strings from Disassemblers

Developers attempt to obscure or obfuscate any reverse engineers view of strings through the use of compile-time encryption techniques, packing, virtualization, and the like. In this post, I briefly describe a method to prevent strings from entering the .rdata segment of the executable by using a method of indirect initialization forcing the various characters and […]

Read More