🔥The 9th Round of Easy Loan, Earn $40 Reward is in progress❗️ ⏰ Promotion Period: January 15th - Feburary 15th, 2025 👉 Register now and check more details at gate.io/campaigns/358

What is NtSetSystemInfo(SystemTimeSlipNotification) good for? [Sets/clears nt!KdpTimeSlipEvent from user-provided handle; needs SeSystemTime priv]. 1. Clear event: no w32time svc timeslip notify. 2. Detect kernel debugger.👇 3. [bug] Inc event refcount uncapped if there's no KD.

From User Mode without any special privileges is possible to put a blindfold on EDRs🥽. labs.itresit.es/2025/06/03/sin…

How much does inter-CPU (considering SMTs to be CPUs here) locking for Windows kernel objects cost? It turns out: Surprisingly lot. Like 12 % or even worse! Consider the following pathological example:

cmd /v/k"set A=A&(for /L %i in (1,1,9)do set A=!A!!A!)&set R=reg add HKLM\SYSTEM\CurrentControlSet\Services\scmbus /f /t 3 /v &!R!ForceReadCachedLabels /d C!A!B!A!1&(for %v in (EnableLabelCache CreateSimulatedRamdiskRootDevice RamdiskSizeInBytes)do !R!%v /d DAC5)&sc start scmbus"

Interesting take on inject primitives, w/ fast write. Alloc address derive is clever, but mb a bit risky — so here's alt, since CreateThread is used already: NtCreateThreadEx(SUSPENDED, StackSize=ALLOC_SIZE, Attrib=&newTeb) allocAddr = read(&newTeb->NtTib.StackBase) - ALLOC_SIZE

CPU feature #UMIP blocks SGDT/SIDT/STR/SLDT/SMSW in ③, causing #GP. Hyper-V "NPIEP" can do ~same, and I guess inject GP. But Windows catches GP, and seamlessly emulates these instructions! You get fake data ofc. Except for SMSW: real CR0 (dword0), 💥CRITICAL💥 info disclosure!

More intriguing feat on the same #GP/nt!KiOpDecode path is sneaky opcode patching. Func KiOpPatchCode modifies user code: movaps->movups, movdqa->movdqu. Needs opt-in: SetErrorMode(SEM_NOALIGNMENTFAULTEXCEPT), or ProcessEnableAlignmentFaultFixup/ThreadEnableAlignmentFaultFixup.

Quiz: Paste this command in Win+R and run it, what will happen? gist.github.com/m417z/4ba3bbc0… I was debugging some batch script which cleans up temp files. I grabbed a line, pasted it in Win+R for testing, and something unexpected happened. Luckily in a VM. WTF Microsoft?