In this paper, the author discusses the many challenges and problems concerning user-mode callbacks in win32k. In particular, they show how win32k's dependency on global locks for providing a thread-safe environment does not integrate well with the concept of user-mode callbacks. Although many vulnerabilities related to user-mode callbacks have been addressed, their complex nature suggests that more subtle flaws might still be present in win32k. Thus, in an effort to mitigate some of the more prevalent bug classes, they conclude with some suggestions as to how users may protect themselves against future kernel attacks.
51d1563fd83b26e69b8116dfefd3de44db9d463eea1972b575297a33f15a2fc2
This paper demonstrates how to ARP poison a connection between Windows 7 and Windows 2008 R2 Server using Cain.
a751245239f622e54ca2416bab2aef9e2485eae6f6c4782fd8b7a36a98c54142
This is a brief whitepaper called A Backdoor in the Next Generation Active Directory.
dd040be0d2bdc00e6d0cbeedaaf496611de0e99e0335d67ebeebc9aaca01a674
Whitepaper called Windows 7/2008 Event Log Forensic and Reversing Analysis.
aef1648589581c22c1a58a83b6b24763434d5609c71498b324de55b9c7a27598
Whitepaper called Firewire-based Physical Security Attacks on Windows 7, EFS and BitLocker.
3d6158da6ded9cf59e2fd18cf780e070291feb92185af0bb51489f9e56543f44
Whitepaper entitled Reverse Engineering Microsoft F#.
4edaef63057c44d9b10082e158d32fd91f25f4a3c1b2b8aa6710a53a6e1909a0
Breaking The Windows Server 2003 SP2 Stack.
73317169f7a8e0b4380b4fd5dea75b0d952694c47cbc1bff599ba7db60a729f9
Access Through Access - A whitepaper that has aggregated various material regarding how to exploit Microsoft Access during a penetration test.
acaaf07911fd3af0f81cc2e11aac7c5e782cc6b509d97994fcf2f209c11ba94e
Physical Security Attacks On Windows Vista - A short whitepaper discussing the firewire unlock attack.
5f035da0bc475ea3fd4753cf55841d7118ed5b5a109b008da86072262ddd24dc
Whitepaper detailing Microsoft API function pointer hijacking.
056bec8064de1bf2562b771532fd532fa7fea977fe12de89101bf552a8806647
Small write up discussing how ShellExecute() works and how applications must make use of it.
7a9b8aea89ccd7fbd91c4adf251cb37df6751074c2749b4e00907f8bac322700
Whitepaper discussing Windows DNS cache poisoning by forwarder DNS spoofing.
a8edfacf63fc3159336647ddf759fbe145f1138297489817602d348e2b57d3a4
Small paper that discusses SMB and NetBIOS on Windows and how a user can disable them.
a4c69c41cf361aeb27b3bc59affd3ab807671e8e08d1873a2cc279845a3b5210
Whitepaper entitled Windows Vista 64bits And Unexported Kernel Symbols.
2b24f359a718212fdce5611bf648c054d5e5be36b5321038430e4c47d5aad39c
Short whitepaper discussing API hooking/interception via DLL redirection.
4f3b2999eaf8674d18053e9c19ddc2690f09ca07ac557ea9d739cbee813c6366
Windows Vista includes a new memory protection system called ASLR. Its goal is to mitigate buffer overflow attacks in vulnerable programs. Ali Rahbar has made a complete study of this security mechanism and found a new implementation flaw that allows this protection to be bypassed.
ad6a77fa5b3d6c6bce6fb4adca924de45e844e69503cf4da13df83f15ab40765
This multi-part tutorial will present several ways in which you can add functionality to closed source Windows executables through DLLs, PE header modification, and good old assembly code. Adding code to existing code caves, modifying PE headers to create code caves and/or importing DLL functions, adding backdoors to programs, and adding plugin support to closed-source programs are all covered.
addfbf9225a75334eb73fe19aa2b943d801118f73553f9dc431330aa37f87327
Whitepaper discussing the hardening of Windows NT.
c3dfdf7d4262a082864c40fbf2504b64c0e76d0094696de67110b38577ff0649
Whitepaper discussing the fact that the Microsoft Server Message Block Redirector Driver (mrxsmb.sys) does not verify the user-mode buffer properly, allowing any user to overwrite any desired memory address. The successful exploitation results in Ring0 code execution.
8e72140b6ea3bdc38e8d99a76cc14e568dce6926a301540aba00a78f7cb44a46
Source code for all the examples used in tutorials 1 through 4 of 'Writing Stack Based Overflows On Windows'.
860b53e6a362f1432b875fd79227494b5d512c72cfa9e23132fc2648cd5ae25e
Writing Stack Based Overflows on Windows - Part IV: Shellcode creation and exploiting an application remotely.
8574a8998f8d62e5c51157c0cfca653779fe111f04fd2362565eb53dd4584fb2
Writing Stack Based Overflows on Windows - Part III: Walking through a stack based overflow and writing an exploit for a local overflow.
f90a0115f7445c95c71fa6878bcc43ebb6802fec3409da9bbdfa11726c784353
Writing Stack Based Overflows on Windows - Part II: Windows Assembly for writing Exploits
458ebf2f8f50c0249db41a0f2babf0e9c981f7c972089ff9b19153fd0210a5ff
Writing Stack Based Overflows on Windows - Part I: Basic Concepts
f2eded9aca3088ea4d10a3faf846a8d5c7b7d77f76c4957ad9691750d63e1c75
Story of a dumb patch - This paper describes a mistake made by Microsoft in patch MS05-018, where Microsoft failed to properly fix a vulnerability and had to release a new patch, MS05-049. Hopefully this paper will open the eyes of software vendors so that they do not repeat this kind of mistake.
a79eb3b5aa2f5d80efad97626f1bd81b439fa096671c52ff737b3558b91a75e0