This post is for my future self, but maybe it will help you to. I will outline the instructions for building a kernel, running it in qemu, and debugging with GDB. The same info is at this github repo which is probably a better format for this info: https://github.com/w0ot-net/KernelBuildingAndDebug Build

Here is a cool video demonstrating how to use EfiGuard: https://www.youtube.com/watch?v=EJGuJp2fqpM. This post will condense the information into a non-video format, and is explicitly for vmware VMs. Download the release version of EfiGuard here: https://github.com/Mattiwatti/EfiGuard Open an administrator powershell and run the following: The mountvol command with the /S flag

There’s a nice guide on how to debug a service here: https://bugslasher.net/2010/10/14/how-to-debug-a-windows-service/, but in my experience trying to configure the registry with gflags has never actually worked. I also find using regedit to be clumsy and tedious. So here, I am sharing some 1 liners for setting up service debugging.

Recently I was looking for bugs in a Windows program which employs a variety of anti-debugging techniques including: Executing the INT 2d instruction (https://anti-debug.checkpoint.com/techniques/assembly.html#int2d) Hiding threads from the debugger with NtSetInformationThread (https://anti-debug.checkpoint.com/techniques/interactive.html#ntsetinformationthread) Calling IsDebuggerPresent (https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-isdebuggerpresent) These measures and more can be defeated with an off the shelf driver called TitanHide

Exploitation Summary Moodle is vulnerable to 2nd order sqli by users with Teacher or higher privileges. The reason these privileges are required is because the sqli is in the badge management functionality. When one has the Teacher role for a course it is possible to add a badge which students

In this blog I’m going to share the details of the vulnerabilities and exploit chain mr_me and I used to try (and fail) to pwn Inductive Automation Ignition at the 2022 ICS Pwn2own. The tl;dr is that the Ignition server is vulnerable to authentication bypass due to a poorly seeded

This post is going to describe the exploit chain used by mr_me and myself to pwn the Rockwell Studio 5000 Logix Designer at the 2020 ICS Pwn2Own. This was our favorite chain of the contest. Speaking for myself, the reason this chain is so satisfying is because it is kind

I recently started doing some vulnerability analysis against a popular Industrial Control System (ICS) software looking for remote code execution bugs. This bug hunting was motivated by the 2020 Pwn2Own in Miami, which @steventseeley and I ended up winning! The program that was targeted is written in C# and follows

One of my vulnerability research goals is to find and exploit a privilege escalation bug in a real world driver. In preparation to meet this goal I started working with the HackSys Extreme Vulnerable Driver, specifically the 2.0 version on an x64 Windows 7 sp1 system. Being a new comer