Day: May 1, 2022

How to Use EfiGuard to Disable PatchGuard

Here is a cool video demonstrating how to use EfiGuard: https://www.youtube.com/watch?v=EJGuJp2fqpM. This post condenses the same information into a non-video format and is written specifically for VMware VMs.

Download the release version of EfiGuard here: https://github.com/Mattiwatti/EfiGuard

Open an administrator PowerShell and run the following: The mountvol command with the /S flag

Debugging a Windows Service

There’s a nice guide on how to debug a service here: https://bugslasher.net/2010/10/14/how-to-debug-a-windows-service/, but in my experience trying to configure the registry with gflags has never actually worked. I also find using regedit to be clumsy and tedious. So here, I am sharing some one-liners for setting up service debugging.

Defeating Anti-Debugging with TitanHide

Recently I was looking for bugs in a Windows program which employs a variety of anti-debugging techniques, including:

Executing the INT 2d instruction (https://anti-debug.checkpoint.com/techniques/assembly.html#int2d)
Hiding threads from the debugger with NtSetInformationThread (https://anti-debug.checkpoint.com/techniques/interactive.html#ntsetinformationthread)
Calling IsDebuggerPresent (https://anti-debug.checkpoint.com/techniques/debug-flags.html#using-win32-api-isdebuggerpresent)

These measures and more can be defeated with an off-the-shelf driver called TitanHide
