Section Objects as Kernel/User communication mode

I've recently decided to read some Windows Internals books cover to cover, and am currently reading the amazing book "What Makes It Page". It gave me some ideas to play with Section Objects, as they are covered in great detail. One thought that occurred...

Install Hyper-V & Sandbox on Windows 10/11 Home

Another lie, probably put in place by the MS marketing team to force the hand and make more people purchase Windows 10/11 Professional licenses: Hyper-V and Windows Sandbox can be installed on Windows 10/11 Home Edition, not just...

WinDbgX undocumented workspace options

How to use WinDbgX workspaces to make debugging even easier. Workspaces. WinDbgX workspaces (suffixed .debugTargets) are nothing more than XML files that instruct WinDbgX how to proceed with the current debugging session. Saved workspaces can be...

Setup KDCOM for 2 Hyper-V VMs

How to use Hyper-V to debug using KdCOM from 2 VMs, one debugging the other. Debuggee. Follow the setup here to set up a BCD profile for KdCom in the VM. Shut down the VM and, in a privileged prompt on the host (here assigned to COM1): Set-VMComPort...

Browsing the registry in kernel-mode

One of the Windows kernel subsystems I recently dug into is the Configuration Manager (CM), mostly because I found very scarce public resources about it despite its criticality: this subsystem is responsible for managing the configuration of all...

Cheap sandboxing with AppContainers

Background. This is a short blog post that I decided to finish recently after looking for a way to sandbox Win32 apps, but lazy as I am, I wanted something that 1. was free/open-source & robustly tested 2. easily hackable to my needs (custom...

Some toying with the Self-Reference PML4 Entry

Sometimes you read about a completely awesome exploitation technique, so you want to go deeper. So these are my notes about how, while trying to fully understand the exploitation of CVE-2020-0796, I ended up struggling to find a good explanation about a...

Enumerating processes from KD

This is a tiny Post-It post to remind me of the different ways to enumerate processes from KD: using nt!PsActiveProcessHead: dx Debugger.Utility.Collections.FromListEntry( *(nt!_LIST_ENTRY*)&(nt!PsActiveProcessHead), "nt!_EPROCESS", "ActiveProcessLinks")...

An unexpected logic bug on Win32k

The short version. The short version is that there's a small logic bug in user32!EndTask(), which doesn't really check the HWND handle passed when forcefully killing the process, allowing an unprivileged process to BSoD the host by killing the...

Small dumps in the big pool

Or, on how to use the new (Windows 10) field _ETHREAD.ThreadName to stabilize kernel RW primitives. SetThreadDescription() as a way to allocate controlled kernel pools. Keeping on with experimenting with Windows 10, I noticed a field part of the...