Anti-debug with VirtualAlloc’s write watch

A lesser-known feature of the Windows memory manager is that it can maintain write watches on allocations for debugging and profiling purposes. Passing the MEM_WRITE_WATCH flag to VirtualAlloc “causes the system to track pages that are written to in the allocated region”. TheĀ GetWriteWatch and ResetWriteWatch APIs can be used to manage the watch counter. This… Read More Anti-debug with VirtualAlloc’s write watch

ASUS UEFI Update Driver Physical Memory Read/Write

A short while ago, slipstream/RoL dropped an exploit for the ASUS memory mapping driver (ASMMAP/ASMMAP64) which was vulnerable to complete physical memory access (read/write) to unprivileged users, allowing for local privilege escalation and all sorts of other problems. An aside to this was that there were also IOCTLs available to perform direct I/O operations (in/out… Read More ASUS UEFI Update Driver Physical Memory Read/Write

W^X policy violation affecting all Windows drivers compiled in Visual Studio 2013 and previous

Back in June, I was doing some analysis on a Windows driver and discovered that the INIT section had the read, write, and executable characteristics flags set. Windows executables (drivers included) use these flags to tell the kernel what memory protection flags should be applied to that section’s pages once the contents are mapped into… Read More W^X policy violation affecting all Windows drivers compiled in Visual Studio 2013 and previous

Preventing executable analysis – Part 1, Static Analysis

In this series of posts, I’m going to discuss executable analysis, the methods that are used and mechanisms to prevent them. There are three types of analysis that can be performed on executables: Static – Analysis of the sample file on disk. Emulated – Branch and stack analysis of the sample through an emulator. Live… Read More Preventing executable analysis – Part 1, Static Analysis