SyscallProvider is a feature available from Windows 11 22H2, that allows for inline hooking of syscalls.
This unfinished research was done on Windows 11 22H2. The feature is fully undocumented at the moment and it looks like it's locked to Microsoft-signed drivers.
All of the information here was gathered by manual reverse engineering of securekernel.exe, skci.dll and ntoskrnl.exe.
The kernel exports three functions to work with the new feature: PsRegisterSyscallProvider, PsQuerySyscallProviderInformation, PsUnregisterSyscallProvider.
This writeup will explore how this feature is initialized, how it works internally, and how to interact with it and use it.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| The most atomic way to train and run inference for a GPT in pure, dependency-free Python. | |
| This file is the complete algorithm. | |
| Everything else is just efficiency. | |
| @karpathy | |
| """ | |
| import os # os.path.exists | |
| import math # math.log, math.exp |
Thanks to @leogx9r for providing cracking methods.
https://gist.github.com/JerryLokjianming/71dac05f27f8c96ad1c8941b88030451#gistcomment-3762200 https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47#gistcomment-3802197 https://gist.github.com/maboloshi/feaa63c35f4c2baab24c9aaf9b3f4e47#gistcomment-3803204
Note: ARM platform is not supported
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!./tclkit | |
| ## prepare runtime environment | |
| proc init {} { | |
| ## mount optional.pak (for tcltwofish) | |
| set optionalPak installbuilder/paks/optional.pak | |
| vfs::mk4::Mount $optionalPak $optionalPak -readonly | |
| ## adjust library search path | |
| set ::auto_path [list $tcl::kitpath/lib/tcl$::tcl_version $tcl::kitpath/lib $tcl::kitpath/libraries $optionalPak/linux-x64 $tcl::kitpath] |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @ECHO OFF | |
| REM Uses the file name as the profile name | |
| SET MSTEAMS_PROFILE=%~n0 | |
| ECHO - Using profile "%MSTEAMS_PROFILE%" | |
| SET "OLD_USERPROFILE=%USERPROFILE%" | |
| SET "USERPROFILE=%LOCALAPPDATA%\Microsoft\Teams\CustomProfiles\%MSTEAMS_PROFILE%" | |
| REM Ensure there is a downloads folder to avoid error described at |
I'll be organizing the plugins over time. Please submit PRs if you have any other outstanding plugins. I would like to tag each plugin with its corresponding IDA version, but it will take me a long time to test. If you can help there, please do.
If a plugin is only a source repo with no description or documentation, I am not adding it.
- Add more plugins
- Categorize plugins
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // Ref = src | |
| // https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf | |
| // | |
| // Credits: | |
| // Vyacheslav Rusakov @swwwolf | |
| // Tom Bonner @thomas_bonner | |
| // | |
| #include <Windows.h> |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Example: ls 'C:\Windows\System32\*' -Include '*.dll' | Get-AuthenticodeSignature | Select -ExpandProperty SignerCertificate | Get-TBSHash | |
| filter Get-TBSHash { | |
| [OutputType([String])] | |
| param ( | |
| [Parameter(Mandatory, ValueFromPipeline)] | |
| [Security.Cryptography.X509Certificates.X509Certificate2] | |
| $Certificate | |
| ) |
Follow [steps][1]:
- Download: http://download.microsoft.com/download/9/1/E/91E9F42C-3F1F-4AD9-92B7-8DD65DA3B0C2/mvmc_setup.msi (thanks @xavery)
- Open Powershell as administrator and run
Import-Module 'C:\Program Files\Microsoft Virtual Machine Converter\MvmcCmdlet.psd1' - And after
ConvertTo-MvmcVirtualHardDisk -SourceLiteralPath d:\scratch\vmx\VM-disk1.vmdk -VhdType DynamicHardDisk -VhdFormat vhdx -destination c:\vm-disk1
NewerOlder
