Evil Mass Storage
Original forum post here
Evil Mass Storage is a proof of concept USB composite device which demonstrates an end-to-end solution that infiltrates an isolated-offline-network and covertly extracts data over both radio frequency or close access covert storage while hiding from forensi... Read more
Windows Debugger API — The End of Versioned Structures
Some time ago I was introduced to the Windows debugger API and found it incredibly useful for projects that focus on forensics or analysis of data on a machine. This API allows us to open a dump file taken on any Windows machine and read information from it using the symbols that match the specific mo... Read more
SimpleVisor - Don't believe the Hype(rvisors)
Have you always been curious about how to build a hypervisor? Has Intel's documentation (the many hundreds of pages) gotten you down? Have the samples you've found online just made things more confusing, or required weeks of reading through dozens of thousands of lines of code? If so, ... Read more
WinDBG - the Fun Way: Part 2
In the first part we got to know the basics of the new debugger data model — using the new objects, having custom registers, searching and filtering output, declaring anonymous types and parsing lists and arrays. In this part we will learn how to use legacy commands with dx, get to know the amazing n... Read more
WinDBG - the Fun Way: Part 1
A while ago, WinDbg added support for a new debugger data model, a change that completely changed the way we can use WinDbg. No more horrible MASM commands and obscure syntax. No more copying addresses or parameters to a Notepad file so that you can use them in the next commands without scrolling up.... Read more
Windows - Using the Debugger API
The Windows Debugger API allows interacting with a dump file or active debugger session and using the symbols for each module. This lets us automate complicated operations that might be a pain to repeatedly do in WinDBG. We can also use the debugger API to write debugger extensions, which got a lot ... Read more
Windows - Blocking Process Creation
Windows supplies drivers with multiple callbacks to get notified about events happening in the system. One of them, and the only one that allows blocking, is the process notify routine. It alerts all the drivers that are registered to it about process creation and termination.
There are 3 p... Read more
Windows - Finding the System Root Path
This article describes how to retrieve the System Root path and demonstrates the use of ZwOpenSymbolicLinkObject, ZwQuerySymbolicLinkObject, IoGetDeviceObjectPointer, and RtlVolumeDeviceToDosName. The path is found by opening and then querying the symbolic link "\SystemRoot". The drive letter is then foun... Read more
Windows - Helloworld Driver
One question we often get asked is how to get started with kernel mode programming. This article is designed to help set you up for kernel mode programming on Windows. This requires that you are running a Windows OS.
Download the Windows Driver Kit 7.1 (WDK) here: https://www.microsoft... Read more