Experimenting with Object Initializers in Windows – See PG-compliance Disclaimer*| Reverse Engineering
Overview: In this article, I wanted to introduce a fun approach to performing functions similar to those enabled by Windows Object Callbacks but through an alternative means (experimentally). It’s well known that anti-malware, anti-cheat, and generic monitoring tools on Windows systems often use these callbacks. However, their usability is limited to parties with signed modules, […]
Abuse the HalPrivateDispatchTable to hook SYSCALL system-wide while maintaining compliance with PatchGuard on Windows 10 and 11.
Walkthrough of detecting VMware through ACPI checks in user mode, and mitigating the checks in VMware.
The first implementation-heavy article covering the details of x86 paging, MTRR configuration, VPID/PCID, and initializing an EPT hierarchy.
EPT, EPTP Switching, Page Hooks, and much more are covered in this 5-part series on hypervisor development. The various examples are tested throughout.
No Errata For U! If you haven’t already, read Part 1, which outlines three neat tricks used by Patchguard. KiErrata420Present: The LSTAR MSR can be intercepted using a hypervisor to trap on reads and writes. It is the most common and efficient way to hook syscalls in most modern x86 operating systems. However, contrary to […]
Errata Or Nah? Over the last 2-3 years, Microsoft has inserted various methods of virtualization introspection detection (big brain words) into the workings of patchguard. It shouldn’t come as a surprise that this has happened, as subverting kernel patch protection is a breeze when the attacker code is running at a higher privilege level. While Windows […]
Takes a third-party crackme and teaches assembly while reverse engineering the target application. Covers data structure analysis, flow validation, and more.
Part 1 of the x86_64 assembly crash course for people looking to learn how to reverse engineer, read assembly, and understand how exploits work.
This article covers the technical requirements and details for implementing EPT on Intel-based hypervisors.