Background: Not too long ago, a friend’s coworker wanted to know how to find the VM exit dispatching function in HyperV. I don’t have any interest in HyperV but decided to explore the question out of curiosity. It is not a difficult problem but it can be somewhat annoying if you have not done it… Continue reading Some notes on identifying exit and hypercall handlers in HyperV
Background: A while ago I was at Alex Ionescu's house and we were discussing random Windows internals stuff. I learned that we both discovered cool things in the Windows Notification Framework (WNF). Alex and Gabrielle Viala presented their research on the topic at Black Hat USA 2018 (BHUSA2018). It is fairly comprehensive and will… Continue reading Find which process is using the microphone, from a kernel-mode driver
System call dispatching on Windows ARM64. Background: Microsoft recently announced that there will be Windows ARM64 devices. Technically, it should be "AArch64" but ARM64 is easier to type. This article briefly documents the system call dispatching mechanism for Windows on ARM64. Readers are assumed to be familiar with ARM64 assembly and system call dispatching on… Continue reading System call dispatching for Windows on ARM64
In an effort to always keep my mind in motion, I will be using this platform to blog and share my knowledge about a variety of topics in information security. There may be non-technical entries once in a while. The blog layout is a bit strange because I am clueless about web technologies. Hopefully this… Continue reading I am blogging!