I recently built a new computer and enabled BitLocker on it. When doing so, it asked me to save my recovery key, but I didn’t have a working printer or a flash drive to hand to save my recovery key to (also it doesn’t seem sane to store the recovery key in cleartext on a… Read More Recovering BitLocker when the BCD has been modified
I just hit 100,000 reputation on Information Security StackExchange! 🎉 I thought this would be a good moment to talk about why StackExchange is so important to me, and what my journey into security looked like. The story starts way back in 2012, before I worked in infosec. Back then I was a few months… Read More Reflections on 100k
A lesser-known feature of the Windows memory manager is that it can maintain write watches on allocations for debugging and profiling purposes. Passing the MEM_WRITE_WATCH flag to VirtualAlloc “causes the system to track pages that are written to in the allocated region”. The GetWriteWatch and ResetWriteWatch APIs can be used to manage the watch counter. This… Read More Anti-debug with VirtualAlloc’s write watch
I’ll be speaking at 44CON this year, at the community evening on Wednesday 9th September. The community evening is free to attend – you just need to register to attend if you don’t have a conference ticket. My talk is currently scheduled at 19:45, and I’m speaking about writing Windows drivers, with the goal of… Read More Talking about Windows drivers at 44CON 2015’s Community Evening
Another year has rolled by (damn, I really don’t update this blog much, do I?) and Securi-Tay IV is coming up. I’ll be speaking about security issues related to serialisation and deserialisation of data in modern programming languages, including PHP and C#. My colleague FreakyClown will be talking about robbing banks for a living, which… Read More Another year, another Securi-Tay, another talk… and this time we’re sponsoring the bar!
Just a quick tip for anyone doing a code review of a Java EE web application: LAPSE+ is a very useful tool to have in the arsenal, whether you’ve got the original source or just the JAR/WAR file. In my case, the client provided me with a single .WAR file which contained the application. As… Read More Pentesting Java EE web applications with LAPSE+
In my previous post I talked about a vulnerability in Steam which allows you to bypass UAC. I’m going to be totally transparent here: I fucked up. I wrote the draft post a few days back, then did some more work on the vulnerability. I discovered something much more serious in the process. I posted… Read More Steam Code Execution – Privilege Escalation to SYSTEM (Part 2)
Dropbox has become a daily part of my life. I rely on it to synchronise data between my growing set of devices. But how much of an impact does it have on the security of my system? I decided to find out by digging around in exactly what it does to my machine, or more… Read More Installing Dropbox? Prepare to lose ASLR.
In light of the numerous recent attacks against SSL, I thought I’d offer up a quick and simple crypto lesson about why MAC-then-encrypt schemes are bad. This post will require only a minimum of knowledge about cryptography, so hopefully it’ll be useful to a wide range of people. This is not designed to be a… Read More A quick crypto lesson – why “MAC then encrypt” is a bad choice
As far as I’m concerned, anti-virus systems are as good as dead. Or, if they aren’t just yet, they’re certainly headed that way. Signature-based analysis, both static (e.g. SHA1 hash) and heuristic (e.g. pattern matching) is useless against polymorphic malware, which is becoming a big concern when you consider how easy it is to write… Read More The anti-virus age is over.