SyscallProvider is a feature available from Windows 11 22H2, that allows for inline hooking of syscalls.
This unfinished research was done on Windows 11 22H2. The feature is fully undocumented at the moment and it looks like it's locked to Microsoft-signed drivers.
All of the information here was gathered by manual reverse engineering of securekernel.exe, skci.dll and ntoskrnl.exe.
The kernel exports three functions to work with the new feature: PsRegisterSyscallProvider, PsQuerySyscallProviderInformation, PsUnregisterSyscallProvider.
This writeup will explore how this feature is initialized, how it works internally, and how to interact with it and use it.
Aleksei Kulaev flatz
xv0nfers
/ chrome-bug-commit-tracker.py
Last active
July 4, 2025 07:53
A lightweight Python script that, given a Chrome bug ID, fetches its Stable Channel Update entry from Chrome Releases RSS and lists all related commits from GitHub and Gerrit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import sys | |
| import json | |
| import requests | |
| import feedparser | |
| import re | |
| BUG_ID = sys.argv[1] if len(sys.argv) > 1 else None | |
| if not BUG_ID or not BUG_ID.isdigit(): | |
| print("Usage: python3 chrome-bug-commit-tracker.py <bug_id>") |
Kristal-g
/ SyscallProvider.md
Created
May 12, 2025 09:02
mattiasgustavsson
/ rgb_blend.c
Last active
May 30, 2025 20:11
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // color1 and color2 are R4G4B4 12bit RGB color values, alpha is 0-255 | |
| uint16_t blend_12bit( uint16_t color1, uint16_t color2, uint8_t alpha ) { | |
| uint64_t c1 = (uint64_t) color1; | |
| uint64_t c2 = (uint64_t) color2; | |
| uint64_t a = (uint64_t)( alpha >> 4 ); | |
| // bit magic to alpha blend R G B with single mul | |
| c1 = ( c1 | ( c1 << 12 ) ) & 0x0f0f0f; | |
| c2 = ( c2 | ( c2 << 12 ) ) & 0x0f0f0f; | |
| uint32_t o = ( ( ( ( c2 - c1 ) * a ) >> 4 ) + c1 ) & 0x0f0f0f; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // | |
| // ViewController.m | |
| // JBDetectTest | |
| // | |
| // Created by seo on 3/27/25. | |
| // | |
| #import "ViewController.h" | |
| #import <dlfcn.h> |
justtryingthingsout
/ accp-h16g-core-sysregs.txt
Created
January 8, 2025 12:33
some SysRegs may be missing, but this should be the majority
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| S3_3_c4_c5_0 at min EL0: DSPSR | |
| S3_3_c4_c5_1 at min EL0: DLR | |
| S3_6_c4_c0_0 at min EL3: SPSR_EL3 | |
| S3_6_c4_c0_1 at min EL3: ELR_EL3 | |
| S3_1_c0_c0_0 at min EL1: CCSIDR_EL1 | |
| S3_6_c1_c0_0 at min EL3: SCTLR_EL3 | |
| S3_6_c1_c0_1 at min EL3: ACTLR_EL3 | |
| S3_6_c1_c1_2 at min EL3: CPTR_EL3 | |
| S3_6_c1_c1_0 at min EL3: SCR_EL3 | |
| S3_6_c1_c3_1 at min EL3: MDCR_EL3 |
sroettger
/ ierae_cet.md
Last active
May 5, 2025 07:29
IERAE CTF had one of the coolest pwn challenges I've done in the while. It was written by hugeh0ge.
Here's the full source:
// gcc chal.c -fno-stack-protector -static -o chal
#include <stdio.h>
#include 
theevilbit
/ lsregister_urlscheme.sh
Created
August 27, 2024 12:34
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Run the lsregister command and store the output in a variable | |
| output=$(/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/LaunchServices.framework/Versions/A/Support/lsregister -dump) | |
| # Use awk to parse the relevant sections | |
| echo "$output" | awk ' | |
| # When "CFBundleDisplayName" is found, store the app name | |
| /CFBundleDisplayName/ { | |
| app_name = substr($0, index($0, "=") + 2) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdint.h> | |
| #include <stdio.h> | |
| #include <stdlib.h> | |
| #include <stdbool.h> | |
| #include <windows.h> | |
| #include "nt_crap.h" | |
| #define ArrayCount(arr) (sizeof(arr)/sizeof(arr[0])) | |
| #define assert(expr) if(!(expr)) { *(char*)0 = 0; } |
DavidBuchanan314
/ 31_round_sha256_poc.py
Last active
February 7, 2025 12:24
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| """ | |
| 31-round sha256 collision. | |
| Not my research, just a PoC script I put together with numbers plugged in from the slide at | |
| https://twitter.com/jedisct1/status/1772647350554464448 from FSE2024 | |
| SHA256 impl follows FIPS 180-4 | |
| https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.180-4.pdf | |
| """ |
NewerOlder