Archive for February, 2009
Vista Security Internals
I came across Michael Muckin’s paper titled Windows Vista Security Internals in the Blackhat archives recently. The paper begins with an introduction to the Vista logon/security architecture changes vis-a-vis Windows XP and goes on to the Vista crypto architecture (CNG, BCrypt, NCrypt). The paper ends with an analysis of the Vista SP1 changes in the lsasrv.dll functions LsaInitializeProtectedMemory and LsaEncryptMemory, two functions involved in [...]
Verifier bugcheck (0xc4) subclass 0xf6
The Windows 7 driver verifier can raise a DRIVER_VERIFIER_DETECTED_VIOLATION (0xC4) bugcheck with parameter 1 (violation type) set to 0xf6. The top of the stack may look something like the following:

nt!KeBugCheckEx+0x1e
nt!VerifierBugCheckIfAppropriate+0x32
nt!VfCheckUserHandle+0x15f
nt!ObReferenceObjectByHandleWithTag+0x136
nt!ObReferenceObjectByHandle+0x21
nt!ObpLookupObjectName+0x9a
nt!ObOpenObjectByName+0x159

This new subclass of violation comes as part of the Security Checks setting, which is new to the Windows 7 Driver Verifier. [...]
PsGetVersion/RtlGetVersion idiosyncrasy
PsGetVersion, the only DDI in Windows 2000 for getting OS version information such as the major and minor version, service pack level, etc., was behaving oddly in a driver that I was debugging the other day. The DDI is declared in ntddk.h as below.
