Windows Object Case Sensitivity - Extended Edition
In my last blog post I discussed the changes going on in NTFS to improve case sensitivity support, specifically for WSL. What I glossed over was the impact of case sensitivity on object manager...
ProcessDebugObjectHandle Anti-Anti-Debug Trick
During my implementation of NT Debug Object support in NtObjectManager (see a related blog here) I added support to open the debug object for a process by using the ProcessDebugObjectHandle process...
Digging into the WSL P9 File System
Windows 10 version 1903 is upon us, which gives me a good reason to go looking at what new features have been added that I can find bugs in. As it's clear people seem to appreciate fluff rather than...
Windows Code Injection: Bypassing CIG Through KnownDlls
TL;DR: This blog post describes a technique to inject a DLL into a process using only Duplicate Handle process access (caveats apply) which will also bypass Code Integrity Guard. I've been attending...
The Art of Becoming TrustedInstaller - Task Scheduler Edition
2 years ago I wrote a post on running a process in the TrustedInstaller group. It was pretty well received, and as others pointed out there are many ways of doing the same thing. However in my travels I came...
Overview of Windows Execution Aliases
I thought I'd blogged about this topic, however it turns out I hadn't. This blog is in response to a recent Twitter thread from Bruce Dawson on a "fake" copy of Python which Microsoft seems to have...
Bypassing Low Type Filter in .NET Remoting
I recently added a new feature to my .NET remoting exploitation tool which in many cases allows you to exploit an arbitrary service through serialization. This feature has always existed in the tool, if...
The Ethereal Beauty of a Missing Header
Skip to the end if you don't want to listen to me regaling you with a mostly made up story :-) It was a dark and stormy night; as clichés go you might as well go with a classic. With little else to...
The Internals of AppLocker - Part 1 - Overview and Setup
AppLocker (AL) is a feature added to Windows 7 Enterprise and above as a more comprehensive application whitelisting solution over the older Software Restriction Policies (SRP). When configured it's...
The Internals of AppLocker - Part 2 - Blocking Process Creation
In the previous blog post I briefly discussed the architecture of AppLocker (AL) and how to set up a really basic test system based on Windows 10 1909 Enterprise. This time I'm going to start going into...
The Internals of AppLocker - Part 3 - Access Tokens and Access Checking
This is part 3 in a short series on the internals of AppLocker (AL). Part 1 is here and part 2 here. In the last part I outlined how process creation is blocked with AL. I crucially left out exactly how...
The Internals of AppLocker - Part 4 - Blocking DLL Loading
This is part 4 in a short series on the internals of AppLocker (AL). Part 1 is here, part 2 here and part 3 here. As I've mentioned before this is how AL works on Windows 10 1909, it might differ on...
The Mysterious Case of a Broken Virus Scanner
On my VM (with a default Windows 10 1909) that I used for my series on AppLocker I wanted to test out the new Edge. I opened the old Edge and tried to download the canary installer, however the download...
Empirically Assessing Windows Service Hardening
In the past few years there have been numerous exploits for service to system privilege escalation. Primarily they revolve around the fact that system services typically have impersonation privilege. What...
Don't Use SYSTEM Tokens for Sandboxing (Part 1 of N)
This is just a quick follow on from my last post on Windows Service Hardening. I'm going to pick up on why you shouldn't use a SYSTEM token for a sandbox token. Specifically I'll describe an unexpected...
DLL Import Redirection in Windows 10 1909
While poking around in NTDLL the other day for some Chrome work I noticed an interesting sounding new feature, Import Redirection. As far as I can tell this was introduced in Windows 10 1809, although...
Getting an Interactive Service Account Shell
Sometimes you want to manually interact with a shell running as a service account. Getting a working interactive shell for SYSTEM is pretty easy. As an administrator, pick a process with an appropriate...
Sharing a Logon Session a Little Too Much
The Logon Session on Windows is tied to a single authenticated user with a single Token. However, for service accounts that's not really true. Once you factor in Service Hardening there could be...
Old .NET Vulnerability #5: Security Transparent Compiled Expressions...
It's been a long time since I wrote a blog post about my old .NET vulnerabilities. I was playing around with some .NET code and found an issue when serializing delegates inside a CAS sandbox, I got a...
Writing Windows File System Drivers is Hard.
A tweet by @jonasLyk reminded me of a bug I found in NTFS a few months back, which I've verified still exists in Windows 10 2004. As far as I can tell it's not directly usable to circumvent security...