sixtyvividtails (@sixtyvividtails)'s Twitter Profile

Currently working as an independent GUID merchant. Fully licensed. I acquire, produce, and sell high-quality GUIDs.

ID: 1544848910

Joined: 25-06-2013 05:05:51

1,1K Tweet

1,1K Followers

382 Following

sixtyvividtails (@sixtyvividtails):

What is NtSetSystemInfo(SystemTimeSlipNotification) good for? [Sets/clears nt!KdpTimeSlipEvent from user-provided handle; needs SeSystemTime priv]. 1. Clear event: no w32time svc timeslip notify. 2. Detect kernel debugger.👇 3. [bug] Inc event refcount uncapped if there's no KD.

Peter Gabaldon (@pedrogabaldon):

From user mode, without any special privileges, it is possible to put a blindfold on EDRs🥽. labs.itresit.es/2025/06/03/sin…

Jan Ringoš (@janringos):

How much does inter-CPU (considering SMTs to be CPUs here) locking for Windows kernel objects cost? It turns out: surprisingly a lot. Like 12 % or even worse! Consider the following pathological example:

sixtyvividtails (@sixtyvividtails):

cmd /v/k"set A=A&(for /L %i in (1,1,9)do set A=!A!!A!)&set R=reg add HKLM\SYSTEM\CurrentControlSet\Services\scmbus /f /t 3 /v &!R!ForceReadCachedLabels /d C!A!B!A!1&(for %v in (EnableLabelCache CreateSimulatedRamdiskRootDevice RamdiskSizeInBytes)do !R!%v /d DAC5)&sc start scmbus"

sixtyvividtails (@sixtyvividtails):

Interesting take on inject primitives, w/ fast write. Alloc address derive is clever, but maybe a bit risky — so here's alt, since CreateThread is used already: NtCreateThreadEx(SUSPENDED, StackSize=ALLOC_SIZE, Attrib=&newTeb) allocAddr = read(&newTeb->NtTib.StackBase) - ALLOC_SIZE

sixtyvividtails (@sixtyvividtails):

CPU feature #UMIP blocks SGDT/SIDT/STR/SLDT/SMSW in ③, causing #GP. Hyper-V "NPIEP" can do ~same, and I guess inject GP. But Windows catches GP, and seamlessly emulates these instructions! You get fake data ofc. Except for SMSW: real CR0 (dword0), 💥CRITICAL💥 info disclosure!

sixtyvividtails (@sixtyvividtails):

More intriguing feat on the same #GP/nt!KiOpDecode path is sneaky opcode patching. Func KiOpPatchCode modifies user code: movaps->movups, movdqa->movdqu. Needs opt-in: SetErrorMode(SEM_NOALIGNMENTFAULTEXCEPT), or ProcessEnableAlignmentFaultFixup/ThreadEnableAlignmentFaultFixup.

Michael Maltsev (@m417z):

Quiz: Paste this command in Win+R and run it, what will happen? gist.github.com/m417z/4ba3bbc0… I was debugging some batch script which cleans up temp files. I grabbed a line, pasted it into Win+R for testing, and something unexpected happened. Luckily in a VM. WTF Microsoft?
