One of the Windows kernel subsystems I recently dug into is the Configuration Manager (CM), mostly because I found very scarce public resources about it despite its criticality: this subsystem is responsib…
Background This is a short blog post that I decided to finish recently after looking for a way to sandbox Win32 apps, but lazy as I am, I wanted something that was free/open-source & robustly tes…
Sometimes you read about an awesome exploitation technique (#1), so you want to go deeper. So these are my notes about how, while trying to totally understand the exploitation of CVE-2020-0796 (#2), I ended up…
This is a tiny Post-It post to remind of different ways to enumerate processes from KD: using nt!PsActiveProcessHead dx Debugger.Utility.Collections.FromListEntry( *(nt!_LIST_ENTRY*)&(nt!PsActiveP…
The short version The short version is that there’s a small logic bug in user32!EndTask() which doesn’t really check the HWND handle passed when forcefully killing the process, allowing unprivileged …