The same method can be applied to Windows by replacing mcupdate_GenuineIntel.dll or mcupdate_AuthenticAMD.dll in c:\Windows\System32, you can downgrade Windows microcode updates this way.

PoC using signed vulnerable driver to remove process creation callbacks to blind all EDRs on the system. Building on great work by 🥝🏳️‍🌈 Benjamin Delpy Matt Graeber Adam Chester 🏴‍☠️ Jackson T. Christopher SpecterOps b33f | 🇺🇦✊ Writeup and sample code tomorrow.

By making a registry key symlink to \REGISTRY you get the NT view in regedit. With the siloes visible.

Unprivileged users are not allowed to create files in system32 folder- on hyper-v hosts they finally realised that unprivileged lives matters too as anyone can now create files there , with creater as owner, just open like this:

@hFireF0X If anyone is interested, here is example usage. Basically identical to ProcessStateChange APIs: gist.github.com/DownWithUp/9cb…

CVE-2020-16938 - aka bits please! So...recent update changed the permissions on partitions and volume device objects, granting everybody read access. This means that by opening the device directly you can read the raw data without any privs. 7zip parses NTFS so super for POC

Time to roll out those "not a security boundary" admin -> kernel exploits.

Driver couldn't import from Win32k.sys? How five seconds of Googling could've saved me at least an hour: downwithup.github.io/Blog/7.html

Even when disabled, Windows Defender continues to squander computer resources. Highly annoying.

Windows Defender needs to be resource restricted. Seems like a good use for a job object.

What a shot taken from Melbourne Australia 🔭🪐

So .msu files really are just .cab files? 😅

Just a quick little post on how to use the the undocumented API NtPssCaptureVaSpaceBulk to gather a process' virtual memory in a single call. Read more here: downwithup.github.io/Blog/8.html

Here's an old project that I polished up a bit: github.com/DownWithUp/WHP… Essentially the idea was to have some introspection into an OS at the hypervisor level. It was also a foray into the Windows Hypervisor Platform API.

😮New post on Windows Warbird encryption and decryption: downwithup.github.io/blog/post/2023…

Something interesting I stumbled upon: In Windows, for Intel's MPX, a driver could use KeRegisterBoundCallback to handle/hook the BOUND #BR exception. This function will eventually get called from the IDT's KiBoundFault

"This thing I need is open source. Surely someone has audited this code?" 🙃

Exporting registry data in the "hive" format seems to ignore the "BIOS" key under HKLM\HARDWARE\DESCRIPTION\System. You can export it directly, but exporting any parent will not contain the "BIOS" key and its values