Security
Physical Memory Imaging
I came across this interesting 2007 paper on Live Memory Acquisition for Windows Operating Systems by Naja Davis that shows some of the tools and techniques used by forensics analysts to get at physical memory and analyze its contents to recover lists of processes, threads, files, passwords and other data resident in memory.
Internet Explorer is not YAWA
From a programmer’s perspective Internet Explorer is not Yet Another Windows Application (YAWA). Considering all the versions of IE out there, when I say Internet Explorer I mean for the most part 32-bit Internet Explorer 7 on Windows Vista onwards in the default configuration (i.e. User Account Control on, Protected Mode on). For starters, if [...]
Privileges play hard-to-get in Vista
Privileges are a way to control who has access to certain system-wide resources. For example, if a user does not hold SE_SHUTDOWN_PRIVILEGE, aka SeShutdownPrivilege, she cannot shut down the machine. Privileges are stored in the access token and have to be both present and enabled to take effect. If a privilege is absent or disabled in the process/thread [...]
Vista Security Internals
I came across Michael Muckin’s paper titled Windows Vista Security Internals in the Black Hat archives recently. The paper begins with an introduction to the Vista logon/security architecture changes vis-a-vis Windows XP and goes on to the Vista crypto architecture (CNG, BCrypt, NCrypt). The paper ends with an analysis of Vista SP1 changes in the lsasrv.dll functions LsaInitializeProtectedMemory and LsaEncryptMemory, two functions involved in [...]
Verifier bugcheck (0xc4) subclass 0xf6
Windows 7 Driver Verifier can raise a DRIVER_VERIFIER_DETECTED_VIOLATION (0xC4) bugcheck with parameter 1 (the violation type) set to 0xf6. The top of the stack may look something like the following:
    nt!KeBugCheckEx+0x1e
    nt!VerifierBugCheckIfAppropriate+0x32
    nt!VfCheckUserHandle+0x15f
    nt!ObReferenceObjectByHandleWithTag+0x136
    nt!ObReferenceObjectByHandle+0x21
    nt!ObpLookupObjectName+0x9a
    nt!ObOpenObjectByName+0x159
This new subclass of violation comes as part of the Security Checks setting, which is new to the Windows 7 Driver Verifier. [...]
Conficker/Downadup worm strikes hard
The Conficker worm (W32/Confick-A, W32/Confick-B, W32/Confick-C, W32/Confick-D, W32/Confick-E), aka Downadup, aka Kido (W32.Downadup, W32.Downadup.B), is going around and is capable of spreading very fast among Windows XP/Vista machines. This worm exploits a remote code execution vulnerability in the Server service, which is responsible for file/printer sharing. The vulnerability is apparently due to a buffer overrun bug in [...]
