WoW64 (Windows 32-bit on Windows 64-bit) is a subsystem within Microsoft Windows that lets Windows run 32-bit programs on 64-bit hardware. One way to glean what processes are currently running in WoW64 mode is by querying NtQuerySystemInformation and checking whether IsWow64Process returns true or not. This returns a pointer to a value that is set to TRUE if the process is running under WOW64 on an Intel64, x64, or ARM64 processor. ...
Lately I’ve been poking around at Windows internals and writing low level code. This morning I thought I’d try to bypass Windows Defender and get a low score on Virus Total. One trick I’ve been playing with is writing shellcode to the Windows registry to keep things “fileless.” It’s not super fancy, but it’s kind of neat. I combined that with indirect syscalls and some cryptographic routines to get Windows Defender to chill out. ...
wifiExtract The other day my grandmother forgot her Windows WiFi SSID and password when she wanted to share it with a friend. So I thought if I could just automate the retrieval of her wireless profiles, she would never forget them again in the future. It turns out, the Windows API offers a nice way to enumerate WLAN information. First, we open a handle to the WLAN system by first calling the WlanOpenHandle function, which we can then use to enumerate WLAN interfaces with the WlanEnumInterfaces function. 1 ...
Elfland Lately I’ve been thinking about Linux internals and malware. In this blog post, we’re going to hark about the ELFs. Just as Windows has its own executable format, so too does Linux. If we look at the source code1 to the Executable and Linkable Format specification in elf.h, we can see the definition of the ELF header and some of its core machinery to get an idea of how it works. ...
I’ve been somewhat mute here lately and haven’t updated my GitHub Pages in a while. However, I’ve been actively engaged in research and taking notes on a new sideblog on Blogspot. So, I’ve been writing a little Rust, Python, and C# code, exploring operating system internals. And utilizing aspects of .NET to do stuff on Windows. And occasionally, I’ve been analyzing malware.
In previous posts, I covered how to observe process information in Windbg by starting a debugging session and dumping the Process Environment Block. And how we can view the EPROCESS structure, including a doubly linked-list of active processes via ActiveProcessLinks. But in this post, we’ll discuss yet another way of gleaning information about processes in Windows, this time from another structure within the Windows ecosystem: the SYSTEM_PROCESS_INFORMATION structure. SYSTEM_PROCESS_INFORMATION Structure Microsoft tells us in their documentation that this structure holds various entries which hold system and process information. ...
In the Windows kernel, each process is assigned an EPROCESS structure, which is a kernel object that represents a program or process. And a Process Environment Block (PEB) is just one of many structures pointed to by the EPROCESS structure. A snippet from _EPROCESS as documented on Vergilius Project: volatile ULONGLONG OwnerProcessId; struct _PEB* Peb; struct _MM_SESSION_SPACE* Session; VOID* Sparel; In user space however, we cannot directly reference all of the EPROCESS structures and their data. At most, we can do something like dt nt!_EPROCESS in windbg and get a peek at the layout. We’ll have to enable kernel debugging to more closely examine things. But here’s what we can see in user mode. The EPROCESS structure is large. The entire output from windbg is as follows: ...
A Brief History Inference, that is, induction and deduction, are perhaps my personal favorite classes of problem-solving methods. Given very little initial information, depending on our model and situation, we can utilize just a few points to infer other information which was never directly presented to us. From Pythagoras, to Euclid, and Spinoza—to the use of modern inductive algorithms like those being developed at MIRI—inference is a powerful primitive, and somewhat of a universal open secret, playing a role almost everywhere we look—from philosophy, to economics, game theory, aerospace, medicine, computer science, and any scenario in which probability is of importance. In the spirit of Lewis Carrol: ...
In the time before improved multi-factor authentication schemes like Authy and Yubikeys, there were security questions. And for some reason, they seem as though they’ll never give us up. Even today, some organizations still rely on them, asking users to set questions and answers as a way to validate users out-of-band, in the event of forgetting a password. You might recall services like AOL and AIM using these. But if anything, they’re more of a security vulnerability. ...
Then In February 2020, I decided to check out web application security programs on HackerOne. I set my eyes on AT&T for the novel fact that, in the 1960s, they almost invented the internet, but their research was prematurely halted citing costs and technical hurdles. Nonetheless, AT&T’s Picturephone is a historical but often forgotten piece of history. After burning nearly $500 million dollars on the effort, AT&T, then known as Bell Labs, scrapped the project entirely. And later, the Advanced Research Projects Agency and Department of Defense would lay claim to inventing the base technologies which would eventually grow to become the Internet. ...