- The document discusses how ordinary people can understand Windows code despite it previously being kept secret.
- It outlines resources now available from Microsoft to learn Windows internals like debuggers, symbol files, documentation and communities. Skills needed are also discussed.
- Case studies are presented showing how tools like debuggers and disassemblers can be used to understand techniques used by rootkits and find undocumented Windows functions.
- In conclusion, the document argues Windows code is not as secret as assumed and many means exist for both security experts and developers to learn it through resources Microsoft now provides.
RSA SF Conference talk-2009-ht2-401 sallam
1. Windows Code Shredded
Can an ordinary person understand Windows code?
Ahmed Sallam
Chief Software Architect
McAfee Avert Labs
04/24/09 | HT2-401
2. Notes
• This is not the final presentation. This is an initial draft that tells the story. I will be working with Jeffrey Cufaude on completing the presentation.
• I will deliver the presentation using my own laptops, as I will be showing simple code-breaking techniques using IDA and WinDBG.
3. What is this presentation all about?
• Is Windows code the big secret people think it is?
• Who knows Windows code very well?
• Can you contact and learn from those who know Windows source code?
• Why do some of you need to know Windows code?
• Can you learn Windows code, and how?
• Is Windows code changing much?
• Case studies from McAfee’s research
4. What this session is not about
• Not about teaching you how to break Windows code for fun or for bad purposes.
• Not about discovering Windows vulnerabilities
• Not about exploiting Windows code
• If you are looking for any of the above, then sorry, you won’t find any of it here
5. Historical perspectives
• Microsoft always kept Windows source code as a big secret over the past twenty years
Source: http://www.microsoft.com/presspass/press/2004/Feb04/02-12windowssource.mspx
6. More historical perspectives
• Besides a few technical articles and the popular “Windows Internals” book series, Microsoft never provided any serious documentation on their operating systems’ secrets
• Microsoft did not use to provide a good kernel debugger
• Microsoft did not use to provide symbol files
• Windows internals were mostly known only to hackers
• Hackers had their own communities where they shared information about Windows internals
• Security companies have skillful people who try to understand Windows code
7. Windows secret books
• Any Windows book with the words “secret”, “undocumented”, “internals”, etc. would sell immediately.
8. How did people use to break Windows code?
• Using a disassembler like IDA:
– With no symbols, debugging was painful
• Using a low-level debugger like NuMega SoftICE:
– Major compatibility issues
– Platform support always late
– Frequent operating system crashes
• Runtime instrumentation tools and debuggers:
– Thousands of irrelevant events per second
– Required some data mining and reporting engines
9. Skill set required to break Windows code
• Understanding of assembly language
• Understanding of CPU architecture
• Understanding of operating systems architecture
• Understanding of file structure on disk and in memory
• Patience, patience, patience, patience
• Who has all of the above?
– Only people with clear targets and strong intentions
– Mostly hackers
– Few security experts
10. Why is this all changing now?
• Microsoft is providing:
– Symbol files for Windows core modules and applications
– A Windows kernel debugger, WinDBG
– Documentation to comply with EC rulings
– Online communities and groups where people can ask Windows experts
• Virtualization makes whole-system debugging simpler
• Disassemblers are designed with knowledge of Windows APIs and symbols in mind
• Online Windows open source documentation projects
• And of course Google
11. Microsoft Windows Symbols
• Available as a download package from the Microsoft debugging web site: http://www.microsoft.com/whdc/DevTools/Debugging/symbolpkg.mspx
• Microsoft makes symbols available online via the Microsoft Symbol Server
• For WinDBG, set the debugger symbol path as follows: SRV*DownstreamStore*http://msdl.microsoft.com/download/symbols
• Microsoft provides a programmable library to read symbols (Debug Help)
• IDA and other disassemblers can automatically load Windows symbols from the server
• Private symbol files have all the information in them for the debugger to resolve data (local variables, structure type information, functions, source file name/line info, ...).
• The next slides will show how understanding Windows code is pretty straightforward with the availability of Windows symbols
12. Debugging Windows in a virtual environment
• Using WinDbg and a desktop virtual environment like Microsoft Virtual PC or VMware Workstation, you can debug an entire Windows environment
• The trick is to debug over a virtual serial port
• Map a virtual serial port to a named pipe and configure WinDbg to do kernel debugging via the virtual serial port
• Good instructions from the VMware site: http://www.vmware.com/support/gsx3/doc/devices_serial_debug
• Here I will show a live demo of how this looks
13. Dumping Windows private symbols using WinDbg
• In this slide I will present a video or live demo that shows how to use WinDbg to list all Windows kernel internal data structures
14. Traversing Windows key code modules via a disassembler
• You can use WinDbg, but it requires an interactive session
• You can use a commercial disassembler
• Here I will place a video recording that shows how to traverse through Windows disassembled code.
• Will cover:
– The Windows system service dispatch table and transfer of control from user mode to kernel mode
– Windows ntoskrnl, covering the object manager, I/O manager, security reference monitor, etc.
– Windows device drivers: the NTFS driver, tcpip, etc.
– Internet Explorer internal modules
15. Simple debugging techniques
• Using both a kernel debugger and a disassembler can provide good results
• Example: finding Windows functions’ interdependencies:
– Use a disassembler, as it shows who calls whom
– Works, but gives many results
– Use WinDBG and put a breakpoint at an internal function, then dump the stack
– Use WinDBG to understand device stacks
• I will place a video to demonstrate the above
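As an added example (not from the slides or their demos), this is the WinDbg kernel-debugging session that slides 11 to 15 describe: symbol server setup, listing kernel structures, the system service dispatch table, and breaking on an internal function to dump the stack. The VMware serial-port mapping, the pipe name \\.\pipe\com_1, the symbol store C:\Symbols, the 32-bit target and the device names are assumptions of this example.

```windbg
$$ Assumed setup (constructed for this example, 32-bit Windows target):
$$ the guest's COM1 is mapped to a named pipe in the VMware .vmx file
$$   serial0.present  = "TRUE"
$$   serial0.fileType = "pipe"
$$   serial0.fileName = "\\.\pipe\com_1"
$$   serial0.pipe.endPoint = "server"
$$ kernel debugging is enabled inside the guest (Vista and later)
$$   bcdedit /debug on
$$   bcdedit /dbgsettings serial debugport:1 baudrate:115200
$$ and WinDbg on the host is attached to that pipe
$$   windbg -k com:pipe,port=\\.\pipe\com_1,resets=0,reconnect
$$ Everything below is typed at the kd> prompt once the target breaks in.

$$ 1. Symbols (slide 11): symbol server plus a local downstream store,
$$    then force a reload so ntoskrnl resolves against the downloaded PDB.
.sympath SRV*C:\Symbols*http://msdl.microsoft.com/download/symbols
.reload /f nt
$$ "lm m nt" should now report pdb symbols for ntoskrnl
lm m nt

$$ 2. Kernel data structures (slide 13): type names and field layouts
$$    come straight from the symbol file, no guessing at offsets.
dt nt!_*
dt nt!_EPROCESS
dt nt!_DRIVER_OBJECT

$$ 3. User-to-kernel transfer of control (slide 14): the service descriptor
$$    table points at the dispatch table, one entry per system call number.
dd nt!KeServiceDescriptorTable L4
$$ dps resolves each pointer to a symbol on 32-bit kernels (x64 stores
$$ relative offsets instead, so there fall back to the disassembler)
dps nt!KiServiceTable L10
uf nt!NtCreateFile

$$ 4. Who calls an internal function (slide 15): a breakpoint plus a stack
$$    dump yields one real call chain instead of every cross-reference.
bp nt!IopParseDevice
g
$$ ...the target breaks on the next file open; inspect, then clean up
k
!process -1 0
bc *

$$ 5. Device stacks (slide 15): the filter drivers layered over a volume.
!drvobj \Driver\Ntfs 7
!devstack \Device\HarddiskVolume1
```

The commands after `g` run when the target breaks back in, so the whole sequence can also be saved to a file and run with `$$><`.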
16. Windows Open Specification online documentation
• Microsoft made key information available pursuant to the Consent Decree and the European Commission's 2004 Decision
• Examples of available documentation:
– Windows protocols
– Office protocols
– Office file formats
– SQL Server protocols
– Computer languages
• All the information is available at the MSDN Library web site: http://msdn.microsoft.com/en-us/library under the “Open Specification” section.
• Use the documentation along with other tools and you will find answers to how Windows works and what is happening there
17. Googling Windows symbols
• Are you impatient and need an immediate answer? Google everything.
• Pick a Windows internal symbol name and Google the web.
• Do you want more specialized technical info? Google the groups. http://groups.google.com
• Are you wondering if there is open source code that may explain how it works? Google the code. http://code.google.com
• Are you looking for papers? Google the web and specify the file format to be PDF, .DOC, PPT or whatever makes sense to you.
• Are you looking for people blogging about it? Google the blogs. http://blogsearch.google.com
• Are you looking for books that may talk about it? Google the books. http://books.google.com
• Did you find what you’re looking for in a foreign language? Translate the page. http://translate.google.com
• The point is, just pick any symbol name or even a memory address and Google it.
18. Windows open source documentation projects
• Many open source projects aim at building an operating system equivalent to the Windows architecture
• Some aim at achieving full application compatibility with Windows
• The React Operating System (ReactOS), http://www.reactos.org/en/index.html, is a good example
• Exact implementation of Windows modules and device drivers
• Code is written by literally converting each Windows assembly function back into its equivalent C code
• A good place to start learning about Windows architecture
• A video will be shown comparing some Windows assembly with its equivalent ReactOS C function
19. Windows Driver Kit (WDK)
• Available on: http://www.microsoft.com/whdc/devtools/wdk/default.mspx
• Contains many useful help files and technical docs
• The Installable File System (IFS) kit is available for free in the WDK
– The IFS kit used to cost about $1000 and to require a special NDA with Microsoft
– Contains the source code of the Microsoft FastFat and CDFS file system drivers
– Contains working file system filter drivers
• Good source of documentation about the Microsoft Windows architecture
20. Microsoft WinHEC Conference
• All conference papers and presentations are available via:
– http://www.microsoft.com/whdc/winhec/2008/pres.mspx
– http://www.microsoft.com/whdc/winhec/2008/papers.mspx
• Advanced Windows architecture documents designed for device driver and hardware engineers
• Good source to learn about the Windows kernel mode and device architecture
21. Microsoft MVP / MVPSLP / open source
• “Microsoft Most Valuable Professionals (MVPs) are exceptional technical community leaders from around the world who are awarded for voluntarily sharing their high quality, real world expertise in offline and online technical communities.” (source: Microsoft MVP web site)
• “The MVP Source Licensing Program (MVPSLP) recognizes some of the most valuable individuals within the Microsoft platforms community, by giving them the opportunity to differentiate themselves professionally as Windows-platforms experts through access to Microsoft Windows Shared Source access.” (source: Microsoft MVP web site)
• MVP official web site: http://mvp.support.microsoft.com/
• Find MVPs, track their blogs and online postings, correspond with them and you will learn more about Windows internals
• If interested, you can license Windows and application source code if you meet certain criteria
• You can check http://www.codeplex.com/, Microsoft’s open source project site, and look for projects with participation from MVPs
22. Nicely Designed Windows Hacking Web Sites
• In the old days hackers used cryptic web sites with cryptic names and cryptic content
• Nowadays more hackers find useful uses for their Windows internals knowledge and build their own social-networking-style sites
• Hacking-style documents are now written with a higher level of accuracy, clarity and professionalism
• This helps people find jobs as security experts or consultants, so we can no longer simply call them bad hackers
• Some even have their own blogs
23. Using Microsoft Windows Internals
• The Windows Internals book series by Mark Russinovich and David A. Solomon, from Microsoft Press, is one of the best sources for learning about Windows internals
• The book references many kernel variables and functions by their symbol names
• Take the symbol name, then use WinDbg or a disassembler to understand the code it references
24. Referencing symbols programmatically
• Microsoft provides a programmable interface, the Debug Help library (DbgHelp), to load modules, enumerate symbols and look them up in memory
• There was a time when the library was not documented. Full library documentation with sample code is now available under: http://msdn.microsoft.com/en-us/library/ms679309(VS.85).aspx
• You can load a module’s symbols with SymLoadModuleEx()
• You can enumerate the loaded modules with SymEnumerateModules64() and the symbols of a module with SymEnumSymbols()
• You can retrieve a symbol by address (SymFromAddr()) or by name (SymFromName())
• Very useful for writing your own memory diagnostics
• You can also use your favorite scripting language as long as it can call into Windows DLLs
• You can even use the resolved symbols from a kernel mode device driver (DbgHelp itself is a user mode library, so the usual pattern is a user mode helper that resolves the symbols and hands the offsets to the driver)
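What the bullets describe, done from a scripting language, as an added example (this is not code from the slides or from Microsoft's DbgHelp samples). It calls dbghelp.dll through ctypes; the SYMBOL_INFO layout mirrors dbghelp.h, while the symbol-server path and the ntdll export used in the usage section at the bottom are assumptions and only resolve on a Windows machine with dbghelp.dll available.

```python
"""Resolve symbols with DbgHelp from Python via ctypes (added example).
Assumes dbghelp.dll is on the DLL search path and that the module has a PDB
reachable through the search path or, failing that, an export table."""
import ctypes
from ctypes import (Structure, POINTER, byref, sizeof, c_char, c_char_p, c_int,
                    c_uint32, c_uint64, c_void_p)

MAX_SYM_NAME = 2000                 # DbgHelp's documented maximum symbol name length
SYMOPT_UNDNAME = 0x00000002         # undecorate C++ names
SYMOPT_DEFERRED_LOADS = 0x00000004  # load a module's symbols on first use

class SYMBOL_INFO(Structure):
    """Mirrors SYMBOL_INFO from dbghelp.h: an 88-byte header, the name follows Name[1]."""
    _fields_ = [("SizeOfStruct", c_uint32), ("TypeIndex", c_uint32),
                ("Reserved", c_uint64 * 2), ("Index", c_uint32), ("Size", c_uint32),
                ("ModBase", c_uint64), ("Flags", c_uint32), ("Value", c_uint64),
                ("Address", c_uint64), ("Register", c_uint32), ("Scope", c_uint32),
                ("Tag", c_uint32), ("NameLen", c_uint32), ("MaxNameLen", c_uint32),
                ("Name", c_char * 1)]

def symbol_info_buffer():
    """Allocate a SYMBOL_INFO with MAX_SYM_NAME bytes of room after the header."""
    buf = ctypes.create_string_buffer(sizeof(SYMBOL_INFO) + MAX_SYM_NAME)
    info = SYMBOL_INFO.from_buffer(buf)          # same memory, typed view
    info.SizeOfStruct = sizeof(SYMBOL_INFO)      # DbgHelp rejects the call otherwise
    info.MaxNameLen = MAX_SYM_NAME
    return buf, info

def symbol_name(buf, info):
    """Read the NameLen bytes DbgHelp wrote starting at the Name field."""
    start = SYMBOL_INFO.Name.offset
    return buf.raw[start:start + info.NameLen].decode("ascii", "replace")

class SymbolResolver:
    """Thin wrapper over SymInitialize / SymLoadModuleEx / SymFromName / SymFromAddr."""
    def __init__(self, search_path=None):
        k32 = ctypes.WinDLL("kernel32")
        k32.GetCurrentProcess.restype = c_void_p
        self.process = k32.GetCurrentProcess()   # pseudo-handle, must not be closed
        d = self.dbghelp = ctypes.WinDLL("dbghelp")
        d.SymSetOptions.argtypes, d.SymSetOptions.restype = [c_uint32], c_uint32
        d.SymInitialize.argtypes, d.SymInitialize.restype = [c_void_p, c_char_p, c_int], c_int
        d.SymLoadModuleEx.argtypes = [c_void_p, c_void_p, c_char_p, c_char_p,
                                      c_uint64, c_uint32, c_void_p, c_uint32]
        d.SymLoadModuleEx.restype = c_uint64
        d.SymFromName.argtypes = [c_void_p, c_char_p, POINTER(SYMBOL_INFO)]
        d.SymFromName.restype = c_int
        d.SymFromAddr.argtypes = [c_void_p, c_uint64, POINTER(c_uint64), POINTER(SYMBOL_INFO)]
        d.SymFromAddr.restype = c_int
        d.SymCleanup.argtypes = [c_void_p]
        d.SymSetOptions(SYMOPT_UNDNAME | SYMOPT_DEFERRED_LOADS)
        path = search_path.encode() if search_path else None
        if not d.SymInitialize(self.process, path, False):   # False: do not enumerate our own modules
            raise ctypes.WinError()

    def load_module(self, image_path, base=0):
        """Load symbols for an image file; base=0 lets DbgHelp use the image's preferred base."""
        loaded = self.dbghelp.SymLoadModuleEx(self.process, None, image_path.encode(),
                                              None, base, 0, None, 0)
        if not loaded:
            raise ctypes.WinError()
        return loaded

    def from_name(self, name):
        """'module!symbol' -> (address, size)."""
        buf, info = symbol_info_buffer()
        if not self.dbghelp.SymFromName(self.process, name.encode(), byref(info)):
            raise ctypes.WinError()
        return info.Address, info.Size

    def from_addr(self, address):
        """address -> (symbol name, displacement from the symbol start)."""
        buf, info = symbol_info_buffer()
        disp = c_uint64()
        if not self.dbghelp.SymFromAddr(self.process, address, byref(disp), byref(info)):
            raise ctypes.WinError()
        return symbol_name(buf, info), disp.value

    def close(self):
        self.dbghelp.SymCleanup(self.process)

if __name__ == "__main__":
    # Assumed symbol path and module; RtlInitUnicodeString is an ntdll export, so this
    # resolves even without a PDB.
    r = SymbolResolver(r"srv*C:\symbols*https://msdl.microsoft.com/download/symbols")
    r.load_module(r"C:\Windows\System32\ntdll.dll")
    addr, size = r.from_name("ntdll!RtlInitUnicodeString")
    print(hex(addr), size, r.from_addr(addr + 4))   # same symbol, displacement 4
    r.close()
```

Note that every Sym* call reports failure through the return value and GetLastError(), which is why each wrapper raises ctypes.WinError(); a silent 0 from SymFromName usually means the module's symbols were not found on the search path rather than that the symbol does not exist.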
25. Case studies
• Three case studies will be covered here:
– Terminating DKOM Rootkits
– Obtaining documentation for DnsQueryEx
– Finding Windows user mode API filtering code
26. Case study 1: terminating DKOM Rootkits
• Direct Kernel Object Manipulation (DKOM) rootkits modify the Windows kernel’s dynamic lists, such as the active process list, to hide their presence
• While working on terminating such a rootkit we ran into some interesting situations:
– If you terminate the rootkit, other processes in the system become hidden!?
– If you terminate the hidden IE process created by the rootkit, more processes become hidden!?
• How to find out what is going on?
– Contacting Microsoft is not a valid option
– Check the Windows kernel; yes, that is simpler:
• Runtime debugger
• Kernel assembly dump
27. Case study 1: terminating DKOM Rootkits
• A live demo will show:
– how to use WinDbg to capture the process termination call stack and follow it into the PspProcessDelete() function
– what to look for there: PspProcessDelete() takes the EPROCESS off ActiveProcessLinks with RemoveEntryList(), which rewrites the Flink/Blink of the two neighbours the entry still points at; a rootkit that unlinked itself but left its own links stale therefore splices out, when it exits, every process that was linked in after those neighbours while it was hidden
28. Case study 1: terminating DKOM Rootkits
Analyzing PspProcessDelete() in IDA.
• (This slide will be cleaned up a little.)
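The list mechanics behind the two “!?” observations, as an added simulation: this is not the author’s live demo and not Windows code. The list routines follow the LIST_ENTRY macros (InsertTailList, RemoveEntryList), the process names and the order of events are constructed, and the `alive` table stands in for a second view of the process population (a PID brute force or handle-table scan) against which the list walk is compared.

```python
"""Added simulation of ActiveProcessLinks when a DKOM-hidden process later exits.
insert_tail_list / remove_entry_list follow the LIST_ENTRY macros from ntdef.h."""

class ListEntry:
    """LIST_ENTRY: Flink/Blink point at other ListEntry objects."""
    def __init__(self, owner=None):
        self.flink = self.blink = self
        self.owner = owner      # stands in for CONTAINING_RECORD(entry, EPROCESS, ActiveProcessLinks)

class Eprocess:
    def __init__(self, name):
        self.name = name
        self.active_process_links = ListEntry(self)

def insert_tail_list(head, entry):
    """InsertTailList: a new process is linked in just before the list head."""
    last = head.blink
    entry.flink, entry.blink = head, last
    last.flink = entry
    head.blink = entry

def remove_entry_list(entry):
    """RemoveEntryList: patch the two neighbours the entry *currently* points at.
    Exactly like the kernel macro, it leaves entry.flink/blink untouched."""
    entry.blink.flink = entry.flink
    entry.flink.blink = entry.blink

def walk(head):
    """What a list-walking tool sees."""
    names, e = [], head.flink
    while e is not head:
        names.append(e.owner.name)
        e = e.flink
    return names

def dkom_hide_stale(proc):
    """Naive hide: unlink the EPROCESS but leave its own links pointing at the old neighbours."""
    remove_entry_list(proc.active_process_links)

def dkom_hide_self_linked(proc):
    """Same unlink, but point the entry at itself so a later RemoveEntryList is a no-op."""
    links = proc.active_process_links
    remove_entry_list(links)
    links.flink = links.blink = links

def psp_process_delete(proc):
    """The list operation PspProcessDelete performs when the process object is torn down."""
    remove_entry_list(proc.active_process_links)

def run_scenario(hide):
    """Replay the case-study sequence; returns (step, visible names, alive-but-hidden names)."""
    head, alive, steps = ListEntry(), {}, []
    def create(name):
        p = Eprocess(name)
        alive[name] = p                       # constructed second view of the process population
        insert_tail_list(head, p.active_process_links)
        return p
    def record(label):
        visible = walk(head)
        steps.append((label, visible, [n for n in alive if n not in visible]))
    for name in ("System", "smss.exe", "rootkit.exe"):
        create(name)
    hide(alive["rootkit.exe"])
    record("hide rootkit")
    create("notepad.exe")
    hide(create("iexplore.exe"))             # the rootkit's own hidden browser process
    record("hide iexplore")
    create("calc.exe")
    create("cmd.exe")
    record("create calc, cmd")
    psp_process_delete(alive.pop("iexplore.exe"))
    record("terminate iexplore")
    psp_process_delete(alive.pop("rootkit.exe"))
    record("terminate rootkit")
    return steps

if __name__ == "__main__":
    for hide in (dkom_hide_stale, dkom_hide_self_linked):
        print(hide.__name__)
        for label, visible, hidden in run_scenario(hide):
            print("  %-20s visible=%s hidden=%s" % (label, visible, hidden))
```

With the stale unlink, terminating iexplore hides calc and cmd and terminating the rootkit then hides notepad as well, because each exit re-applies RemoveEntryList through links that still point at smss and notepad. With the self-linked variant nothing changes on exit; the difference between the two walks is also why a detector should compare the list walk against an independent view rather than trust either alone.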
29. Case study 2: DnsQueryEx
• DnsQuery() is a documented API for querying public DNS records
• DnsQuery() is synchronous: it does not create another thread, so the calling function has to wait until it returns
• But a query to public DNS servers can take a long time
• The usual solution is to create another thread that calls DnsQuery() and to wait for that thread to return or time out
• While looking into the code I found DnsQueryEx(), which internally creates a thread
• I contacted Microsoft to obtain the correct prototype. Microsoft said the function was undocumented
• A full search inside the Windows SDK turned up the function prototype
• I contacted Microsoft again with the finding and asked for more documentation of the parameters
• Microsoft thankfully responded with full, detailed documentation
• The point is, the support team’s first answer is not final: once you show them the prototype is shipping in the SDK, they fully cooperate
30. Case study 3: finding the Windows filtering interface
• A live demo will show how to find the interface using WinDbg and why this is useful
• The point is, sometimes the API you are looking for is present but you cannot find its documentation, so WinDbg is a nice solution
32. Is Windows Code changing much?
• Not really, only a few changes between builds
• You can easily spot changes in Windows kernel data structures by comparing the output of the WinDbg “dt” command across the two symbol sets
• You can compare stack frames
• You can use the Debug Help library to compare functions; a simple MD5 hash per function body can do it (mask relocated absolute addresses and relative call targets first, or identical code at a different address hashes differently)
• You can easily find newly exported functions from WinDbg, a disassembler, or even by parsing the executable’s export table (the export data directory, normally in the .edata section)
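The export-table approach from the last bullet, as an added example that is not part of the slides: it parses the export directory the way the loader does (including forwarders, whose “address” points back into the export data) and diffs two builds. Both images are constructed in memory by the script for an imaginary demo.dll, so no real Windows binary is read; to use it on real files, read two DLLs into `data` and pass each to parse_exports().

```python
"""Diff the export tables of two PE images (added example, not from the slides).
The two images are constructed in memory so the script runs offline."""
import struct

def build_pe_with_exports(dll_name, exports):
    """Constructed input: a minimal PE32+ file with one .edata section.
    exports maps name -> function RVA, or -> 'Other.Func' for a forwarder."""
    names = sorted(exports)                      # the loader binary-searches names, so keep them sorted
    n, sec_rva, sec_raw = len(names), 0x1000, 0x200
    aof, aon = sec_rva + 40, sec_rva + 40 + 4 * n   # AddressOfFunctions, AddressOfNames
    aono = aon + 4 * n                              # AddressOfNameOrdinals
    strings, str_rva = bytearray(), aono + 2 * n
    def add_str(s):
        rva = str_rva + len(strings)
        strings.extend(s.encode() + b"\0")
        return rva
    dll_rva = add_str(dll_name)
    name_rvas = [add_str(nm) for nm in names]
    func_rvas = [add_str(v) if isinstance(v, str) else v for v in (exports[nm] for nm in names)]
    export_size = str_rva + len(strings) - sec_rva
    body = (struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_rva, 1, n, n, aof, aon, aono)
            + struct.pack("<%dI" % n, *func_rvas) + struct.pack("<%dI" % n, *name_rvas)
            + struct.pack("<%dH" % n, *range(n)) + bytes(strings))
    raw_size = (len(body) + 0x1FF) & ~0x1FF
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)    # x64, 1 section, DLL
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                # PE32+ magic
    struct.pack_into("<QII", opt, 24, 0x180000000, 0x1000, 0x200)        # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<I", opt, 108, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva, export_size)              # export data directory
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_rva, raw_size, sec_raw,
                       0, 0, 0, 0, 0x40000040)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return header.ljust(sec_raw, b"\0") + body.ljust(raw_size, b"\0")

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_exports(data):
    """Return {name: rva} (or {name: ('forward', 'Other.Func')}) from a PE file's export table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_off = opt + (112 if magic == 0x20B else 96)      # data directories: PE32+ vs PE32
    exp_rva, exp_size = struct.unpack_from("<II", data, dir_off)
    sections = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]
    def off(rva):                                          # RVA -> file offset via the section table
        for _, vsize, vaddr, rsize, rptr in sections:
            if vaddr <= rva < vaddr + max(vsize, rsize):
                return rva - vaddr + rptr
        raise ValueError("RVA %#x is not backed by any section" % rva)
    if exp_rva == 0:
        return {}
    _, _, _, _, _, _, _, nnames, aof, aon, aono = struct.unpack_from("<IIHHIIIIIII", data, off(exp_rva))
    result = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, off(aon) + 4 * i)[0]
        index = struct.unpack_from("<H", data, off(aono) + 2 * i)[0]      # unbiased ordinal
        func_rva = struct.unpack_from("<I", data, off(aof) + 4 * index)[0]
        name = _cstr(data, off(name_rva))
        if exp_rva <= func_rva < exp_rva + exp_size:                       # inside export data: forwarder
            result[name] = ("forward", _cstr(data, off(func_rva)))
        else:
            result[name] = func_rva
    return result

def diff_exports(old, new):
    """(added names, removed names, names whose RVA or forwarder target changed)."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(n for n in set(old) & set(new) if old[n] != new[n])
    return added, removed, changed

# Constructed "old build" and "new build" of an imaginary demo.dll
OLD_IMAGE = build_pe_with_exports("demo.dll", {"DemoInit": 0x2000, "DemoQuery": 0x2040})
NEW_IMAGE = build_pe_with_exports("demo.dll", {"DemoInit": 0x2000, "DemoQuery": 0x2080,
                                               "DemoQueryEx": 0x20C0,
                                               "DemoLegacy": "demo_old.DemoLegacyImpl"})

if __name__ == "__main__":
    added, removed, changed = diff_exports(parse_exports(OLD_IMAGE), parse_exports(NEW_IMAGE))
    print("new exports:", added, "removed:", removed, "moved or re-targeted:", changed)
```

A “changed” entry whose RVA moved is normal between builds and says nothing by itself; a changed forwarder target, or an export that now resolves into a different module, is the kind of difference worth opening in the disassembler.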
33. Why do you need to understand how Windows works?
• Obviously software developers can achieve a lot, as covered in this slide deck
• Software developers can write many useful system diagnostic and profiling tools
• In the current economic downturn McAfee expects more targeted attacks against corporations
• Attackers are using all available resources to learn how to break Windows and its applications
• Security professionals ought to leverage the same resources and come up with better defensive methods
• System security administrators can write simple scripts to explore their systems’ memory and check kernel and application memory integrity:
– Who is hooking Windows functions and why?
– Who is hooking browser functions and why?
– Who is loading device drivers and why?
– Who is attaching as a filter driver and why?
• Many free security tools are available too, but using the knowledge available online you can write your own, especially if you are a software developer
34. Conclusion
• Windows code is not the top secret people think it is
• Microsoft provides many useful means to understand Windows internals: WinDbg, symbols, the Windows Internals book, the Debug Help library, online documentation and communities
• Not only hackers can learn Windows internals; so can average software engineers
• Encourage your people to leverage the available resources
35. Finally
• Obviously Microsoft provides all of these resources for good purposes, so make sure you keep your usage within the intended boundaries