Aleksei Kulaev flatz

Syscall Provider

Background

SyscallProvider is a feature available from Windows 11 22H2, that allows for inline hooking of syscalls.
This unfinished research was done on Windows 11 22H2. The feature is fully undocumented at the moment and it looks like it's locked to Microsoft-signed drivers.
All of the information here was gathered by manual reverse engineering of securekernel.exe, skci.dll and ntoskrnl.exe.
The kernel exports three functions to work with the new feature: PsRegisterSyscallProvider, PsQuerySyscallProviderInformation, PsUnregisterSyscallProvider.
This writeup will explore how this feature is initialized, how it works internally, and how to interact with it and use it.

IERAE CTF 2024 - Intel CET Bypass Challenge

IERAE CTF had one of the coolest pwn challenges I've done in the while. It was written by hugeh0ge.

Here's the full source:

// gcc chal.c -fno-stack-protector -static -o chal
#include <stdio.h>
#include


	// color1 and color2 are R4G4B4 12bit RGB color values, alpha is 0-255
	uint16_t blend_12bit( uint16_t color1, uint16_t color2, uint8_t alpha ) {
	uint64_t c1 = (uint64_t) color1;
	uint64_t c2 = (uint64_t) color2;
	uint64_t a = (uint64_t)( alpha >> 4 );
	// bit magic to alpha blend R G B with single mul
	c1 = ( c1 \| ( c1 << 12 ) ) & 0x0f0f0f;
	c2 = ( c2 \| ( c2 << 12 ) ) & 0x0f0f0f;
	uint32_t o = ( ( ( ( c2 - c1 ) * a ) >> 4 ) + c1 ) & 0x0f0f0f;

	//
	// ViewController.m
	// JBDetectTest
	//
	// Created by seo on 3/27/25.
	//

	#import "ViewController.h"
	#import <dlfcn.h>

	S3_3_c4_c5_0 at min EL0: DSPSR
	S3_3_c4_c5_1 at min EL0: DLR
	S3_6_c4_c0_0 at min EL3: SPSR_EL3
	S3_6_c4_c0_1 at min EL3: ELR_EL3
	S3_1_c0_c0_0 at min EL1: CCSIDR_EL1
	S3_6_c1_c0_0 at min EL3: SCTLR_EL3
	S3_6_c1_c0_1 at min EL3: ACTLR_EL3
	S3_6_c1_c1_2 at min EL3: CPTR_EL3
	S3_6_c1_c1_0 at min EL3: SCR_EL3
	S3_6_c1_c3_1 at min EL3: MDCR_EL3

	#!/bin/bash

	# Run the lsregister command and store the output in a variable
	output=$(/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump)

	# Use awk to parse the relevant sections
	echo "$output" \| awk '
	# When "CFBundleDisplayName" is found, store the app name
	/CFBundleDisplayName/ {
	app_name = substr($0, index($0, "=") + 2)

	#include <stdint.h>
	#include <stdio.h>
	#include <stdlib.h>
	#include <stdbool.h>
	#include <windows.h>

	#include "nt_crap.h"

	#define ArrayCount(arr) (sizeof(arr)/sizeof(arr[0]))
	#define assert(expr) if(!(expr)) { (char)0 = 0; }

	"""
	31-round sha256 collision.

	Not my research, just a PoC script I put together with numbers plugged in from the slide at
	https://twitter.com/jedisct1/status/1772647350554464448 from FSE2024

	SHA256 impl follows FIPS 180-4
	https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf
	"""

	### Test on https://github.com/yousseb/meld/releases/tag/osx-20
	### OSX - 3.21.0 (r4) Sonoma
	### !!! Note: You need put the Meld.app r4 build to the /Applications path first.

	#!/bin/zsh

	#Fix libpng16.16.dylib not found
	install_name_tool -change /usr/local/opt/libpng/lib/libpng16.16.dylib @executable_path/../Frameworks/libpng16.16.dylib /Applications/Meld.app/Contents/Frameworks/libfreetype.6.20.0.dylib

	#Fix libbrotlidec.1.dylib not found

	// Sometimes you have a large file on a small disk and would like to "transform"
	// it in some way: for example, by decompressing it. However, you might not have
	// enough space on disk to keep both the the compressed file and the
	// decompressed results. If the process can be done in a streaming fashion, it
	// would be nice if the file could be "drained"; that is, the file would be
	// sequentially deleted as it is consumed. At the start you'd have 100% of the
	// original file, somewhere in the middle you'd have about half of the original
	// file and half of your output, and by the end the original file will be gone
	// and you'll be left with just the results. If you do it this way, you might
	// be able to do the entire operation without extra space!