- General Internals
- Linux Internals
- macOS Internals
- Windows Internals
- Access Control
- Accounts
- Active Directory
- Advanced Threat Protection(ATP)
- Alternate Data Streams
- Anti-Malware Scan Interface
- Windows Native API
- App Containers
- Application Shims
- Authentication
- Authenticode
- AutoStart Locations
- Background Intelligent Transfer Service
- Boot Process
- Callbacks
- Common Log File System
- (Distributed) Component Object Model
- Credential Storage
- Credential Provider
- Dynamic Data Exchange
- Device Guard
- DLLs
- DNS
- Drivers
- Event Tracing for Windows
- Exchange Web Services
- Exploit Mitigations
- File Formats
- Files, Paths, and Namespaces
- Guarded Fabric/Shielded VMs
- Handles
- HTML Applications
- Hyper-V
- HyperVisor Code Integrity
- Interrupt Descriptor Table
- Isolated User Mode
- Kerberos
- Kernel
- Lightweight Directory Access Protocol
- Linux Subsystem
- LNK Files
- Local Security Authority
- Logon
- Memory
- Named Pipes
- .NET
- Netlogon
- Networking
- NTFS
- NTLM
- PE Loader & Execution Environment
- Powershell
- Printing
- Processes/Threads
- Prefetch
- Registry
- Remote Desktop
- User Rights
- RPC
- Sandboxing
- Scripting Host
- Security Descriptor Definition Language
- Security Support Providers
- Services
- Service Accounts
- Server Message Block(SMB)
- Sessions
- Subsystems
- Symbol Files
- Syscalls
- System Service Descriptor Table
- Tokens
- User Account Control(UAC)
- Volume Shadow Copy Service
- Windows Filtering Platform
- Windows Communication Foundation
- Linux Reference
- Miscellaneous
- ARM Reference
- Kerberos / Related
- Stuff
- clear backlog
- add missing things
- Building an OS
- Boot Process
- File Systems
- Memory
- Processes
- Unsorted Stuff
- Linux General
- Introduction to Linux - Machtelt Garrels
- Excellent doc covering every aspect of linux. Deserves at least 1 skim through.
- Linux Documentation Project
- The Linux Documentation Project is working towards developing free, high quality documentation for the Linux operating system. The overall goal of the LDP is to collaborate in all of the issues of Linux documentation.
- Bash Guide for Beginners
- pagexec - GRSEC
- Linux Internals
- 101
- Info
- linux-insides
- A series of posts about the linux kernel. The goal is simple - to share my modest knowledge about the internals of the linux kernel and help people who are interested in the linux kernel, and other low-level subject matter.
- Introduction to Linux - Machtelt Garrels
- Excellent doc covering every aspect of linux. Deserves at least 1 skim through.
- Linux Kernel Security Subsystem Wiki
- This is the Linux kernel security subsystem wiki, a resource for developers and users.
- Compilers/Exploit Mitigations
- Linkers and Loaders - Book
- These are the manuscript chapters for my Linkers and Loaders, published by Morgan-Kaufman. See the book's web site for ordering information.
- All chapters are online for free at the above site.
- Linker and Libraries
- Boot Process
- 101
- Kernel booting process
- This chapter describes linux kernel booting process.
- Info
- 101
- Drivers
- 101
- Info
- ELF
- 101
- Info
- Understanding the ELF
- The Anatomy of an Executable - mewmew
- The dissection of a simple "hello world" ELF binary.
- Exploit Mitigations
- FileSystems
- Kernel
- 101
- Info
- Linux Kernel Explanation/Walk through
- Linux Kernel Map
- Interactive map of the Linux Kernel
- Linux kernel development(walkthrough)
- Memory
- 101
- How the Kernel manages Memory - Linux
- Understanding glibc malloc
- Memory Management: Paging
- Anatomy of a program in memory
- Writeup on the structure of program memory in Linux.
- Understanding !PTE - Non-PAE and X64
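A concrete way to see the layout that "Anatomy of a program in memory" describes is to read /proc/self/maps, which is also the first thing an exploit does once it has a pointer leak: find the base of libc and compute offsets from it. The parser below is an added example written for this page, not code from the write-up or the kernel documentation; SAMPLE_MAPS is a constructed listing of a PIE binary on x86-64 Linux, not a real capture, and the path /home/u/a.out is made up.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One line of /proc/PID/maps: "start-end perms offset dev inode   path" */
typedef struct { uintptr_t start, end; char perms[5]; unsigned long offset; char path[256]; } map_entry;

/* Parses one maps line. Returns 1 on success, 0 if malformed. The path
   column is optional: anonymous mappings have none. */
int parse_maps_line(const char *line, map_entry *e)
{
    unsigned long s, end, off, inode; unsigned dmaj, dmin; int used = 0;
    memset(e, 0, sizeof *e);
    if (sscanf(line, "%lx-%lx %4s %lx %x:%x %lu%n", &s, &end, e->perms, &off, &dmaj, &dmin, &inode, &used) != 7)
        return 0;
    const char *p = line + used;
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strcspn(p, "\n");
    if (n >= sizeof e->path) n = sizeof e->path - 1;
    memcpy(e->path, p, n);
    e->start = s; e->end = end; e->offset = off;
    return 1;
}

/* Finds the first (lowest) mapping whose path is `name` exactly (pseudo-paths such as
   "[stack]") or ends in "/name" (a file). For a shared object that first mapping is its
   load base, the value an exploit needs to turn a leaked pointer into usable offsets. */
int maps_find(const char *text, const char *name, map_entry *e)
{
    size_t name_len = strlen(name);
    for (const char *line = text; *line; ) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        if (len < sizeof buf) {
            memcpy(buf, line, len); buf[len] = '\0';
            if (parse_maps_line(buf, e)) {
                size_t pl = strlen(e->path);
                if (pl >= name_len && !strcmp(e->path + pl - name_len, name) &&
                    (pl == name_len || e->path[pl - name_len - 1] == '/')) return 1;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* Constructed sample of a PIE binary's address space on x86-64 Linux (not a real capture). */
const char SAMPLE_MAPS[] =
    "555555554000-555555555000 r--p 00000000 08:01 1310730 /home/u/a.out\n"
    "555555555000-555555556000 r-xp 00001000 08:01 1310730 /home/u/a.out\n"
    "555555557000-555555558000 rw-p 00002000 08:01 1310730 /home/u/a.out\n"
    "555555558000-555555579000 rw-p 00000000 00:00 0       [heap]\n"
    "7ffff7dc0000-7ffff7de2000 r--p 00000000 08:01 1052063 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffff7de2000-7ffff7f5a000 r-xp 00022000 08:01 1052063 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffff7fc9000-7ffff7fcd000 r--p 00000000 00:00 0       [vvar]\n"
    "7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0       [stack]\n";

/* Start address of the named mapping in SAMPLE_MAPS, or 0 if absent. */
unsigned long sample_map_start(const char *name)
{
    map_entry e;
    return maps_find(SAMPLE_MAPS, name, &e) ? (unsigned long)e.start : 0;
}

/* The ordering the "Anatomy of a program in memory" write-up describes: program
   image, then the brk heap, then mmap'd libraries, then the stack at the top. */
int layout_is_canonical(const char *text)
{
    map_entry exe, heap, lib, stack;
    if (!maps_find(text, "a.out", &exe) || !maps_find(text, "[heap]", &heap) ||
        !maps_find(text, "libc.so.6", &lib) || !maps_find(text, "[stack]", &stack)) return 0;
    return exe.end <= heap.start && heap.end <= lib.start && lib.end <= stack.start;
}

int main(void)
{
    static char live[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");          /* Linux only; falls back to the sample */
    size_t n = f ? fread(live, 1, sizeof live - 1, f) : 0;
    if (f) fclose(f);
    live[n] = '\0';
    const char *text = n ? live : SAMPLE_MAPS;
    map_entry e;
    if (maps_find(text, "[stack]", &e)) printf("stack     %lx-%lx %s\n", (unsigned long)e.start, (unsigned long)e.end, e.perms);
    if (maps_find(text, "libc.so.6", &e)) printf("libc base %lx  %s\n", (unsigned long)e.start, e.path);
    printf("canonical layout in sample: %d\n", layout_is_canonical(SAMPLE_MAPS));
    return 0;
}
```

maps_find returns the lowest mapping of a file, which is its load base; adding a symbol's offset from nm or readelf to it gives the symbol's runtime address under ASLR. Run on Linux, the block prints the live stack and libc mappings of its own process; elsewhere it falls back to the constructed sample.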
- Info
- Out-of-Memory(OOM) Killer
- Taming the OOM killer - Goldwyn Rodrigues
- OOM_Killer - linux-mm.org
- How does the OOM killer decide which process to kill first? - stackexchange
- OOM - Linux kernel user's and administrator's guide
- Linux Kernel limits - eloquence.marxmeier
- This document provides an overview of the default Linux Kernel limits (kernel parameter) and where they are defined.
- The OOM killer may be called even when there is still plenty of memory available - bl0g.krunch.be
- How to Configure the Linux Out-of-Memory Killer - Robert Chase
- 101
- Processes
- Syscalls
- 101
- Info
- FlexSC: Flexible System Call Scheduling with Exception-Less System Calls
- List of Linux/i386 system calls
- Linux Syscall Table
- Complete listing of all Linux Syscalls
- X Window System
- X Window System Explained
- Foreign LINUX
- Foreign LINUX is a dynamic binary translator and a Linux system call interface emulator for the Windows platform. It is capable of running unmodified Linux binaries on Windows without any drivers or modifications to the system. This provides another way of running Linux applications under Windows in contrast to Cygwin and other tools.
- Kernel Extensions(KEXTs)
- Tools
- Instruments - OS X system analysis
- Instruments is a performance-analysis and testing tool for dynamically tracing and profiling OS X and iOS code. It is a flexible and powerful tool that lets you track a process, collect data, and examine the collected data. In this way, Instruments helps you understand the behavior of both user apps and the operating system.
Windows Internals
- theForger's Win32 API Programming Tutorial
- x86 Disassembly/Windows Executable Files - WikiBooks
- WinAPIs for Hackers
- About Atom Tables
- GlobalGetAtomName function
- windows-operating-system-archaeology
- subTee stuff
- BATTLE OF SKM AND IUM - How Windows 10 rewrites OS Architecture - Alex Ionescu
- RtlEncryptMemory function
- RtlDecryptMemory function
Unsorted
Accounts
- 101
- AD Accounts - docs.ms
- AD Security Groups
- Microsoft Accounts - docs.ms
- Service Accounts - docs.ms
- Special Identities - docs.ms
- Group Managed Service Accounts Overview - docs.ms
- Managed Service Accounts - docs.ms
- Getting Started with Group Managed Service Accounts - docs.ms
- Service Accounts Step-by-Step Guide - docs.ms
- Info
- AD Accounts
- Microsoft Accounts
- Services Accounts
- Managed Service Accounts
- Group Managed Service Accounts
- 101
Active Directory
- 101
- Active Directory Architecture
- AD Local Domain groups, Global groups and Universal groups.
- Active Directory Control Paths
- Active Directory Control Paths auditing and graphing tools
- [MS-ADTS]: Active Directory Technical Specification
- Specifies the core functionality of Active Directory. Active Directory extends and provides variations of the Lightweight Directory Access Protocol (LDAP).
- How the Data Store Works - technet.ms
- KCC and Topology Generation - technet.ms
- The KCC is a built-in process that runs on all domain controllers. It is a dynamic-link library that modifies data in the local directory in response to systemwide changes, which are made known to the KCC by changes to the data within Active Directory. The KCC generates and maintains the replication topology for replication within sites and between sites.
- How Domain and Forest Trusts Work - docs.ms
- Info
- Group Policy
- 101
Advanced Threat Protection(ATP)
- 101
- Info
- Windows Defender ATP data storage and privacy - docs.ms
- This document explains the data storage and privacy details related to Windows Defender ATP
Anti-Malware Scan Interface
- 101
- Info
- Protecting Anti-Malware Services - docs.ms
- AMSI_RESULT enumeration (amsi.h)
- The AMSI_RESULT enumeration specifies the types of results returned by scans.
- AMSIScriptContentRetrieval.ps1 - Matt Graeber
Windows Native API
- 101
- Info
- Windows API Index
- The following is a list of the reference content for the Windows application programming interface (API) for desktop and server applications.
- Windows-Hacks
- Creative and unusual things that can be done with the Windows API.
-
- 101
- Info
Authentication
- 101
- Windows Authentication Overview - docs.ms
- Windows Authentication Architecture - docs.ms
- Windows Authentication Technical Overview - docs.ms
- Group Policy Settings Used in Windows Authentication - docs.ms
- Windows Logon and Authentication Technical Overview(Win10) - docs.ms
- Windows Logon and Authentication Technical Overview(Server08R2) - docs.ms
- Digest Authentication
- 101
Authenticode
- 101
- Authenticode - MSDN
- Microsoft Authenticode, which is based on industry standards, allows developers to include information about themselves and their code with their programs through the use of digital signatures.
- Info
- 101
Background Intelligent Transfer Service(BITS)
- 101
- Background Intelligent Transfer Service - docs.ms
- "Background Intelligent Transfer Service (BITS) is used by programmers and system administrators to download files from or upload files to HTTP web servers and SMB file shares. BITS will take the cost of the transfer into consideration, as well as the network usage so that the user's foreground work has as little impact as possible. BITS also handles network interruptions, pausing and automatically resuming transfers, even after a reboot. BITS includes PowerShell cmdlets for creating and managing transfers as well as the BitsAdmin command-line utility."
- About BITS - docs.ms
- Info
- 101
(Distributed) Component Object Model
- 101
- Info
- Minimal COM object registration
- The COM Library - docs.ms
- Security in COM - docs.ms
- Scripting(COM) - thrysoee.dk
- Active Directory Service Interfaces - docs.ms
- CLSID Key - docs.ms
- A CLSID is a globally unique identifier that identifies a COM class object. If your server or container allows linking to its embedded objects, you need to register a CLSID for each supported class of objects.
- The CLSID key contains information used by the default COM handler to return information about a class when it is in the running state.
- What registry entries are needed to register a COM object.
-
- 101
- Info
- Credential Provider
- 101
- Credential Providers in Windows 10 - msdn
- "Credential providers are the primary mechanism for user authentication—they currently are the only method for users to prove their identity which is required for logon and other system authentication scenarios. With Windows 10 and the introduction of Microsoft Passport, credential providers are more important than ever; they will be used for authentication into apps, websites, and more. Microsoft provides a variety of credential providers as part of Windows, such as password, PIN, smartcard, and Windows Hello (Fingerprint, Face, and Iris recognition). These are referred to as "system credential providers" in this article. OEMs, Enterprises, and other entities can write their own credential providers and integrate them easily into Windows. These are referred to as "third-party credential providers" in this article."
- ICredentialProvider interface - msdn
- Exposes methods used in the setup and manipulation of a credential provider. All credential providers must implement this interface.
- Windows Interactive Logon Architecture - technet
- Winlogon and Credential Providers
- Winlogon is the Windows module that performs interactive logon for a logon session. Winlogon behavior can be customized by implementing and registering a Credential Provider.
- Info
- Registering Network Providers and Credential Managers - msdn
- V2 Credential Provider Sample - code.msdn
- Demonstrates how to build a v2 credential provider that makes use of the new capabilities introduced to credential provider framework in Windows 8 and Windows 8.1.
- Custom Credential Provider for Password Reset - blogs.technet
- Starting to build your own Credential Provider
- If you’re starting to work on a Credential Provider (CredProv or CP, for short) for Windows Vista, Windows Server 2008, Windows Server 2008 R2 or Windows 7, there are a few steps I would strongly recommend you take, because it will make life easier for you.
- 101
- Credential Storage
- 101
- Info
- ReVaulting! Decryption and opportunities - Francesco Picasso
- Windows credentials manager stores users’ credentials in special folders called vaults. Being able to access such credentials could be truly useful during a digital investigation for example, to gain access to other protected systems. Moreover, if data is in the cloud, there is the need to have the proper tokens to access it. This presentation will describe vaults’ internals and how they can be decrypted; the related Python Open Source code will be made publicly available. During the session, credentials and vaults coming from Windows 7, Windows 8.1 and Windows 10 will be decrypted, focusing on particular cases of interest. Finally, the presentation will address the challenges coming from Windows Phone, such as getting system-users’ passwords and obtaining users’ ActiveSync tokens.
Dynamic Data Exchange
- 101
- Info
- Dynamic Data Exchange - msdn.ms
- This section provides guidelines for implementing dynamic data exchange for applications that cannot use the Dynamic Data Exchange Management Library (DDEML).
DLLs
- 101
- Info
- Everything You Never Wanted To Know About DLLs
- Everything You Ever Wanted to Know about DLLs - James McNellis(CppCon 2017)
- Slides
- If you build software for Windows, you use DLLs, and it’s likely that you may build DLLs of your own. DLLs are the primary mechanism for packaging and encapsulating code on the Windows platform. But have you ever stopped to think about how DLLs work? What goes into a DLL when you build it, what happens when you link your program with a DLL, or how do DLLs get located and loaded at runtime? Many of us build and use DLLs without fully understanding them. In this session, we’ll give an in-depth introduction to DLLs and how they work. We’ll begin by looking at what’s in a DLL—the kinds of things a DLL can contain and the basic data structures that are used—and the benefits and drawbacks of packaging code in a DLL. We’ll look at how DLLs are loaded, including the details of how the loader locates DLLs and maps them into the process; how dependencies are resolved among DLLs; and DLL lifetime and how DLLs get unloaded. We’ll also look at how DLLs get built, including what makes DLLs “special,” what goes into an import library, and how the linker uses import libraries. Finally, we’ll look at several other miscellaneous topics, including how DLLs interact with threads and thread-local storage, and mechanisms for solving or mitigating the dreaded “DLL hell.”
DNS
- 101
- [MS-DNSP]: Domain Name Service (DNS) Server Management Protocol - docs.ms(2019)
- Specifies the Domain Name Service (DNS) Server Management Protocol, which defines the RPC interfaces that provide methods for remotely accessing and administering a DNS server. It is a client and server protocol based on RPC that is used in the configuration, management, and monitoring of a DNS server.
- Info
- 101
Drivers
- 101
- Info
- Samples
- Minispy File System Minifilter Driver
- The Minispy sample is a tool to monitor and log any I/O and transaction activity that occurs in the system. Minispy is implemented as a minifilter.
Event Tracing for Windows
- 101
- Info
- ETW Providers Docs
- Project to document ETW providers
- Controlling Event Tracing Sessions - docs.ms
- what's wrong with Etw - redp(2020)
- Tools
- TiEtwAgent
- This project was created to research, build and test different memory injection detection use cases and bypass techniques. The agent utilizes Microsoft-Windows-Threat-Intelligence event tracing provider, as a more modern and stable alternative to Userland-hooking, with the benefit of Kernel-mode visibility.
Exploit Mitigations
- 101
- Compiler Security Checks In Depth - MSDN Library
- A Crash Course on the Depths of Win32™ Structured Exception Handling
- Antimalware Scan Interface Reference
- Lets registered antimalware engines inspect script content (PowerShell, Windows Script Host, VBA macros, in-memory .NET assemblies) at the point of execution, after any obfuscation has been decoded; listed here because it is a mitigation rather than a scanner in its own right.
- Info
- Control Flow Guard(CFG/CFI)
- 101
- Control-flow integrity - Wikipedia
- Control Flow Guard - docs.ms
- "Control Flow Guard (CFG) is a highly-optimized platform security feature that was created to combat memory corruption vulnerabilities. By placing tight restrictions on where an application can execute code from, it makes it much harder for exploits to execute arbitrary code through vulnerabilities such as buffer overflows. CFG extends previous exploit mitigation technologies such as /GS, DEP, and ASLR."
- Info
- 101
- 101
File Formats
- Common Log File System
- 101
- Common Log File System - Wikipedia
- Introduction to the Common Log File System - docs.ms
- "The Common Log File System (CLFS) is a general-purpose logging service that can be used by software clients running in user-mode or kernel-mode. This documentation discusses the CLFS interface for kernel-mode clients. For information about the user-mode interface, see Common Log File System in the Microsoft Windows SDK."
- Common Log File System - docs.ms
- Info
- 101
- Misc
- [MS-CFB]: Compound File Binary File Format - docs.ms
- Specifies the Compound File Binary File Format, a general-purpose file format that provides a file-system-like structure within a file for the storage of arbitrary, application-specific streams of data.
- .NET
- PE32 File Structure
- 101
- Info
- Peering Inside the PE: A Tour of the Win32 Portable Executable File Format
- An In-Depth Look into the Win32 Portable Executable File Format - Matt Pietrek(2002)
- Exploring the MS-DOS Stub - Osanda Malith(2020)
- Portable Executable File Format - Krzysztof Kowalczyk
- αcτµαlly pδrταblε εxεcµταblε - Justine Tunney
- Cosmopolitan
- Cosmopolitan Libc makes C a build-once run-anywhere language, like Java, except it doesn't need an interpreter or virtual machine. Instead, it reconfigures stock GCC and Clang to output a POSIX-approved polyglot format that runs natively on Linux + Mac + Windows + FreeBSD + OpenBSD + NetBSD + BIOS with the best possible performance and the tiniest footprint imaginable.
- Exploring the PE File Format via Imports - Anuj Soni(2018)
- Understanding PE Structure, The Layman’s Way – Malware Analysis Part 2 - Satyajit Daulaguphu(2018)
-
- 101
- Info
HTML Applications
- 101
- HTML Applications - msdn
- HTML Applications (HTAs) are full-fledged applications. These applications are trusted and display only the menus, icons, toolbars, and title information that the Web developer creates. In short, HTAs pack all the power of Windows Internet Explorer—its object model, performance, rendering power, protocol support, and channel–download technology—without enforcing the strict security model and user interface of the browser. HTAs can be created using the HTML and Dynamic HTML (DHTML) that you already know.
- Info
- 101
HyperVisor Code Integrity
- 101
- Hypervisor-Protected Code Integrity (HVCI) - docs.ms
- Hypervisor-Protected Code Integrity can use hardware technology and virtualization to isolate the Code Integrity (CI) decision-making function from the rest of the Windows operating system. When using virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification.
- Info
- 101
Interrupt Descriptor Table(IDT)
- 101
- Interrupt descriptor table - Wikipedia
- Interrupt descriptor table - HandWiki
- "The Interrupt Descriptor Table (IDT) is a data structure used by the x86 architecture to implement an interrupt vector table. The IDT is used by the processor to determine the correct response to interrupts and exceptions."
- Interrupt Descriptor Table - osdev.org
- Info
- 101
-
- 101
- Info
LNK Files
- 101
- Shortcut (computing) - Wikipedia
- [MS-SHLLINK]: Shell Link (.LNK) Binary File Format - docs.ms
- Specifies the Shell Link Binary File Format, which contains information that can be used to access another data object. The Shell Link Binary File Format is the format of Windows files with the extension "LNK".
- Shell Links - docs.ms
- A Shell link is a data object that contains information used to access another object in the Shell's namespace—that is, any object visible through Windows Explorer. The types of objects that can be accessed through Shell links include files, folders, disk drives, and printers. A Shell link allows a user or an application to access an object from anywhere in the namespace. The user or application does not need to know the current name and location of the object.
- Info
- 101
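The [MS-SHLLINK] structure above is small enough to parse by hand, which is how shortcut-based phishing droppers get triaged: the header is a fixed 0x4C bytes, and the fields that matter (ShowCommand, the relative target path, the command-line arguments) sit in the StringData blocks behind two optional variable-length structures that have to be skipped correctly. The C parser below is an added example written for this page, not code from any of the linked references. The sample .lnk bytes are constructed inline and are not a real capture, and the triage heuristic in lnk_is_suspicious is a deliberately simple illustration rather than a detection rule.

```c
#include <stdint.h>
#include <string.h>

/* ShellLinkHeader ([MS-SHLLINK] 2.1) is a fixed 0x4C bytes; LinkTargetIDList, LinkInfo
   and the StringData blocks follow, each only if its LinkFlags bit is set. */
enum { LNK_HEADER_SIZE = 0x4C, SW_SHOWMINNOACTIVE = 7,
       LF_HAS_LINK_TARGET_IDLIST = 0x01, LF_HAS_LINK_INFO = 0x02, LF_HAS_NAME = 0x04,
       LF_HAS_RELATIVE_PATH = 0x08, LF_HAS_WORKING_DIR = 0x10, LF_HAS_ARGUMENTS = 0x20,
       LF_HAS_ICON_LOCATION = 0x40, LF_IS_UNICODE = 0x80 };
/* LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order. */
static const uint8_t LNK_CLSID[16] = {0x01,0x14,0x02,0x00,0x00,0x00,0x00,0x00,
                                      0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46};
typedef struct { uint32_t link_flags, show_command; char relative_path[256], arguments[256]; } lnk_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* One StringData block: u16 CountCharacters then the characters (UTF-16LE when IsUnicode).
   Returns bytes consumed, or 0 if the block runs past the buffer. */
static size_t read_string(const uint8_t *buf, size_t len, size_t off, int unicode, char *dst)
{
    if (off + 2 > len) return 0;
    size_t count = rd16(buf + off), width = unicode ? 2 : 1;
    if (off + 2 + count * width > len) return 0;
    if (dst) {
        size_t n = count < 255 ? count : 255;
        for (size_t i = 0; i < n; i++) dst[i] = (char)buf[off + 2 + i * width];  /* low byte only: non-Latin text is lossy */
        dst[n] = '\0';
    }
    return 2 + count * width;
}

/* Returns 0 on success, negative on malformed input. Keeps only the fields that matter
   for triage: window state, relative target path and command-line arguments. */
int lnk_parse(const uint8_t *buf, size_t len, lnk_info *out)
{
    static const uint32_t order[5] = {LF_HAS_NAME, LF_HAS_RELATIVE_PATH, LF_HAS_WORKING_DIR,
                                      LF_HAS_ARGUMENTS, LF_HAS_ICON_LOCATION};
    memset(out, 0, sizeof *out);
    if (len < LNK_HEADER_SIZE || rd32(buf) != LNK_HEADER_SIZE) return -1;
    if (memcmp(buf + 4, LNK_CLSID, sizeof LNK_CLSID) != 0) return -2;
    out->link_flags = rd32(buf + 0x14);
    out->show_command = rd32(buf + 0x3C);
    size_t off = LNK_HEADER_SIZE;
    if (out->link_flags & LF_HAS_LINK_TARGET_IDLIST) {      /* u16 IDListSize + IDList */
        if (off + 2 > len) return -3;
        off += 2u + rd16(buf + off);
    }
    if (out->link_flags & LF_HAS_LINK_INFO) {               /* u32 LinkInfoSize includes itself */
        if (off + 4 > len) return -3;
        off += rd32(buf + off);
    }
    for (int i = 0; i < 5; i++) {                           /* StringData blocks, fixed order */
        if (!(out->link_flags & order[i])) continue;
        char *dst = order[i] == LF_HAS_RELATIVE_PATH ? out->relative_path
                  : order[i] == LF_HAS_ARGUMENTS ? out->arguments : NULL;
        size_t used = read_string(buf, len, off, out->link_flags & LF_IS_UNICODE, dst);
        if (!used) return -4;
        off += used;
    }
    return 0;
}

/* Triage heuristic: a minimised window plus a command interpreter, or any encoded
   PowerShell command, is the classic shape of a malicious shortcut. */
int lnk_is_suspicious(const lnk_info *li)
{
    int hidden = li->show_command == SW_SHOWMINNOACTIVE;
    int interp = strstr(li->arguments, "powershell") || strstr(li->relative_path, "cmd.exe");
    return (hidden && interp) || strstr(li->arguments, "-enc") != NULL;
}

static size_t put_utf16(uint8_t *p, const char *s)
{
    size_t n = strlen(s);
    p[0] = (uint8_t)n; p[1] = (uint8_t)(n >> 8);
    for (size_t i = 0; i < n; i++) { p[2 + 2 * i] = (uint8_t)s[i]; p[3 + 2 * i] = 0; }
    return 2 + 2 * n;
}

/* Constructed sample, not a real-world capture: opens minimised and runs cmd.exe with a
   hidden, base64-encoded PowerShell command. No IDList or LinkInfo, to keep it short. */
size_t build_sample_lnk(uint8_t *buf, size_t cap)
{
    if (cap < 256) return 0;
    memset(buf, 0, cap);
    buf[0] = LNK_HEADER_SIZE;
    memcpy(buf + 4, LNK_CLSID, sizeof LNK_CLSID);
    buf[0x14] = (uint8_t)(LF_HAS_RELATIVE_PATH | LF_HAS_ARGUMENTS | LF_IS_UNICODE);   /* 0xA8 */
    buf[0x3C] = SW_SHOWMINNOACTIVE;
    size_t off = LNK_HEADER_SIZE;
    off += put_utf16(buf + off, "..\\..\\..\\Windows\\System32\\cmd.exe");
    off += put_utf16(buf + off, "/c powershell -w hidden -enc SQBFAFgA");
    return off;
}

/* Parses the first `len` bytes of the sample (0 = all of it); the parser status is
   returned and the decoded fields are left in sample_info. */
lnk_info sample_info;
int parse_sample_lnk(size_t len)
{
    uint8_t buf[256];
    size_t n = build_sample_lnk(buf, sizeof buf);
    return lnk_parse(buf, len ? len : n, &sample_info);
}
```

The IsUnicode bit decides whether StringData counts are in UTF-16 code units or bytes; getting it wrong desynchronises every block that follows, which is why the parser reads it from LinkFlags rather than assuming. Only the low byte of each code unit is kept, which is fine for triage of Latin-script command lines but loses non-Latin text.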
Local Security Authority
- 101
- LSA Authentication
- LSA Authentication describes the parts of the Local Security Authority (LSA) that applications can use to authenticate and log users on to the local system. It also describes how to create and call authentication packages and security packages.
- Info
- 101
MS Office
-
- 101
- Info
NTFS
- 101
- NTFS - Wikipedia
- NTFS overview - docs.ms
- New Technologies File System (NTFS)
- NTFS is the primary file system for Microsoft Windows versions that are based on Windows NT. This specification is based on publicly available work on the format and was enhanced by analyzing test data. This document is intended as a working document of the data format specification for the libfsntfs project.
- NTFS Documentation - Richard Russon, Yuval Fledel
- "This is technical documentation, created to help the programmer. It was originally written to complement the Linux NTFS driver"
- Info
- 101
PE Loader & Execution Environment
- Different from the Processes/Threads section in that this covers everything else involved in loading and running an image.
- 101
- Info
- PE-Runtime-Data-Structures
- "Originally posted by me in 2013: http://uncomputable.blogspot.com/2013/08/pe-runtime-data-structures-v1.html, just migrating it to a better home. This is a diagram of PE runtime data structures created using WinDbg and OmniGraffle. I have included jpg and PDF versions in the repository. I was inspired by Ero Carrera's 1 diagrams and Corkami 2. I made this diagram because I was teaching myself Windows data structures and was unsatisfied with what was out there. The information for these structures was obtained from WinDbg and Windows Internals 6 by Russinovich, Solomon, and Ionescu [Windows Internals]."
- PE File Structure
Printing
- 101
- [MS-RPRN]: Print System Remote Protocol - docs.ms
- Specifies the Print System Remote Protocol, which supports printing and spooling operations that are synchronous between client and server.
- [MS-SAMR]: Security Account Manager (SAM) Remote Protocol (Client-to-Server) - docs.ms
- Specifies the Security Account Manager (SAM) Remote Protocol (Client-to-Server), which supports management functionality for an account store or directory containing users and groups.
- Info
- 101
Processes/Threads
- 101
- Info
- Know your Windows Processes or Die Trying
- Excellent quick reference on Windows processes with a focus on Win7. Good resource.
- Run-Time Dynamic Linking
- Windows 8 Boot
- PEB/TEB/TIB Structure Offsets - Travis Mathison
- Relevant Functions
- VirtualAlloc function
- SetProcessMitigationPolicy function - docs.ms
- Sets a mitigation policy for the calling process. Mitigation policies enable a process to harden itself against various types of attacks.
- GetProcessMitigationPolicy function - docs.ms
- Retrieves mitigation policy settings for the calling process.
- OpenProcessToken function - msdn
- Asynchronous Procedure Call
- 101
- Asynchronous Procedure Calls - docs.ms
- "An asynchronous procedure call (APC) is a function that executes asynchronously in the context of a particular thread. When an APC is queued to a thread, the system issues a software interrupt. The next time the thread is scheduled, it will run the APC function. An APC generated by the system is called a kernel-mode APC. An APC generated by an application is called a user-mode APC. A thread must be in an alertable state to run a user-mode APC."
- Info
- 101
- DLL
- 101
- What is a DLL?
- This article describes what a dynamic link library (DLL) is and the various issues that may occur when you use DLLs. Then, this article describes some advanced issues that you should consider when you develop your own DLLs. In describing what a DLL is, this article describes dynamic linking methods, DLL dependencies, DLL entry points, exporting DLL functions, and DLL troubleshooting tools.
- Info
- 101
- _EPROCESS
- 101
- Windows kernel opaque structures - docs.ms
- EPROCESS - Geoff Chappell
- "The EPROCESS structure is the kernel’s representation of a process object. For instance, if the ObReferenceObjectByHandle function successfully resolves a handle though directed to do so only if the object type is PsProcessType, then what the function produces as its pointer to the object is a pointer to an EPROCESS."
- Understanding EProcess Structure - Tushar Panhalkar
- Info
- 101
- Import/Export Address Table
- 101
- Info
- Many roads to IAT - Nicolas Krassas(2011)
- Windows PE file Learning (1: Export tables), pe Export - ?
- PE's Import Address Table and Export Table Walkthrough using Windbg - cod3inj3ct(2011)
- Import Address Tables and Export Address Tables - 0x14c(2014)
- Import Address Table (IAT) in action - Mohammad Sina Karvandi(2017)
- Why PE need Original First Thunk(OFT)? - Milad Kahsari Alhadi(2018)
- A Journey Towards an Import Address Table (IAT) of an Executable File - Satyajit Daulaguphu(2019)
- Writing a PE packer – Part 2 : imports and relocations - bidouillesecurity
- Windows PEB parsing – A binary with no imports - bidouillesecurity(2021)
- "We’re going to see how a program can parse the PEB to recover Kernel32.dll address, and then load any other library. Not a single import is needed !"
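Resolving an export by walking the export directory is the step every "no imports" loader ends with once it has a module base from the PEB. The block below is an added, portable C illustration written for this page, not code from the linked articles: it builds a constructed, flat PE32+ image (made-up export names and RVAs standing in for kernel32.dll) and resolves names through AddressOfNames, AddressOfNameOrdinals and AddressOfFunctions the way GetProcAddress does, including the forwarder case.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The image is treated as "flat": every RVA equals its offset in the buffer, which is
   the view a loader has once a module is mapped, and what PEB-walking code sees. */
#define PE32_MAGIC     0x10B
#define PE32PLUS_MAGIC 0x20B

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Resolves an export's RVA by name the way GetProcAddress (and API-hashing shellcode) walks
   IMAGE_EXPORT_DIRECTORY: find the name, take the matching unbiased ordinal, index the function
   table with it. Returns 0 if absent, malformed, or a forwarder (which a real resolver follows). */
uint32_t pe_find_export(const uint8_t *img, size_t len, const char *name)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t nt = rd32(img + 0x3C);                                     /* e_lfanew */
    if (nt + 24 > len || memcmp(img + nt, "PE\0\0", 4) != 0) return 0;
    const uint8_t *opt = img + nt + 24;                                 /* IMAGE_OPTIONAL_HEADER */
    uint16_t magic = rd16(opt);
    uint32_t dir = magic == PE32PLUS_MAGIC ? 112 : magic == PE32_MAGIC ? 96 : 0;   /* DataDirectory offset */
    if (!dir || nt + 24 + dir + 8 > len) return 0;
    uint32_t exp_rva = rd32(opt + dir), exp_size = rd32(opt + dir + 4);   /* entry 0 = export table */
    if (!exp_rva || exp_rva + 40 > len) return 0;
    const uint8_t *ed = img + exp_rva;
    uint32_t nfunc = rd32(ed + 20), nnames = rd32(ed + 24);
    uint32_t funcs = rd32(ed + 28), names = rd32(ed + 32), ords = rd32(ed + 36);
    if (funcs + 4ull * nfunc > len || names + 4ull * nnames > len || ords + 2ull * nnames > len) return 0;
    for (uint32_t i = 0; i < nnames; i++) {
        uint32_t name_rva = rd32(img + names + 4 * i);
        if (name_rva >= len || strncmp((const char *)img + name_rva, name, len - name_rva) != 0) continue;
        uint16_t idx = rd16(img + ords + 2 * i);        /* unbiased ordinal (biased = Base + idx) */
        if (idx >= nfunc) return 0;
        uint32_t rva = rd32(img + funcs + 4 * idx);
        if (rva >= exp_rva && rva < exp_rva + exp_size) return 0;   /* points at a forwarder string */
        return rva;
    }
    return 0;
}

/* Constructed, flat PE32+ image with a four-entry export table standing in for a mapped
   kernel32.dll. Names and RVAs are made up; names are sorted as the real loader requires,
   and the ordinal table deliberately does not map 1:1 onto the function table. */
size_t build_sample_image(uint8_t *img, size_t cap)
{
    static const char *names[4] = {"CloseHandle", "HeapAlloc", "LoadLibraryA", "VirtualAlloc"};
    static const uint32_t funcs[4] = {0x1200, 0x2C0, 0x1000, 0x1100};   /* funcs[1] is a forwarder */
    static const uint16_t ords[4] = {2, 1, 3, 0};
    if (cap < 0x400) return 0;
    memset(img, 0, cap);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, 0x80);                         /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    wr16(img + 0x84, 0x8664);                       /* Machine = AMD64 */
    wr16(img + 0x86, 1);                            /* NumberOfSections */
    wr16(img + 0x94, 0xF0);                         /* SizeOfOptionalHeader for PE32+ */
    wr16(img + 0x96, 0x2022);                       /* EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE | DLL */
    wr16(img + 0x98, PE32PLUS_MAGIC);
    wr32(img + 0x98 + 112, 0x200);                  /* DataDirectory[0].VirtualAddress */
    wr32(img + 0x98 + 116, 0x100);                  /* DataDirectory[0].Size */
    uint8_t *ed = img + 0x200;                      /* IMAGE_EXPORT_DIRECTORY */
    wr32(ed + 12, 0x300); wr32(ed + 16, 1);         /* Name, Base */
    wr32(ed + 20, 4);     wr32(ed + 24, 4);         /* NumberOfFunctions, NumberOfNames */
    wr32(ed + 28, 0x230); wr32(ed + 32, 0x240); wr32(ed + 36, 0x250);
    for (int i = 0; i < 4; i++) {
        wr32(img + 0x230 + 4 * i, funcs[i]);
        wr32(img + 0x240 + 4 * i, 0x310 + 0x10 * i);
        wr16(img + 0x250 + 2 * i, ords[i]);
        strcpy((char *)img + 0x310 + 0x10 * i, names[i]);
    }
    strcpy((char *)img + 0x2C0, "NTDLL.RtlAllocateHeap");
    strcpy((char *)img + 0x300, "KERNEL32.dll");
    return 0x400;
}

/* Resolves `name` against the sample; `len` (0 = whole image) lets you probe truncation. */
uint32_t sample_export_rva(const char *name, size_t len)
{
    static uint8_t img[0x400];
    size_t n = build_sample_image(img, sizeof img);
    return pe_find_export(img, len ? len : n, name);
}

int main(void)
{
    static const char *want[] = {"LoadLibraryA", "VirtualAlloc", "CloseHandle", "HeapAlloc", "Missing"};
    for (int i = 0; i < 5; i++)
        printf("%-13s -> RVA 0x%x\n", want[i], sample_export_rva(want[i], 0));
    return 0;
}
```

Two details the sample exercises on purpose: the ordinal table is an indirection (the name table is sorted, the function table is not), and a function slot whose RVA falls inside the export directory is a forwarder string such as "NTDLL.RtlAllocateHeap", not code. API-hashing shellcode replaces the strncmp with a hash comparison over exactly this walk, which is why detections that hook GetProcAddress never see it.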
- Fibers
- 101
- Info
- Process Environment Block
- 101
- Process Environment Block - Wikipedia
- "In computing the Process Environment Block (abbreviated PEB) is a data structure in the Windows NT operating system family. It is an opaque data structure that is used by the operating system internally, most of whose fields are not intended for use by anything other than the operating system. Microsoft notes, in its MSDN Library documentation — which documents only a few of the fields — that the structure "may be altered in future versions of Windows". The PEB contains data structures that apply across a whole process, including global context, startup parameters, data structures for the program image loader, the program image base address, and synchronization objects used to provide mutual exclusion for process-wide data structures."
- PEB structure (winternl.h) - docs.ms
- PEB_LDR_DATA structure (winternl.h) - docs.ms
- Info
- Anatomy of the Process Environment Block (PEB) (Windows Internals) - ntopcode(2018)
- Undocumented 32-bit PEB and TEB Structures - bytepointer.com
- This file contains the undocumented TEB (Thread Environment Block) and PEB (Process Environment Block) definitions for the Intel x86 32-bit Windows operating systems starting from NT 3.51 through Windows 10. The TEB is also known as the TIB (Thread Information Block), especially under the Windows 9.x operating systems.
- Exploring PEB (Process Environment Block) - Marc Rainer Kranz
- How to get the Process Environment Block (PEB) from extern process? - Stackoverflow
- Getting a pointer to the PEB in C, for every architecture that NT was ported to (where at least one build of the port was leaked/released)
- 101
- Protected Processes
- Thread Environment Block
- 101
- Win32 Thread Information Block - Wikipedia
- TEB structure (winternl.h) - docs.ms
- The Thread Environment Block (TEB structure) describes the state of a thread.
- Win32 Thread Information Block Explained - everything.explained.today
- Thread Environment Block (Debugging Notes) - docs.ms
- TEB - Undocumented functions of NTDLL - ntinternals.net
- Info
- 101
- Thread Local Storage
- Structured Exception Handling
Prefetch
- 101
- Info
- WinPrefetchView v1.25
- Each time that you run an application in your system, a Prefetch file which contains information about the files loaded by the application is created by Windows operating system. The information in the Prefetch file is used for optimizing the loading time of the application in the next time that you run it. WinPrefetchView is a small utility that reads the Prefetch files stored in your system and display the information stored in them. By looking in these files, you can learn which files every application is using, and which files are loaded on Windows boot.
Registry
- 101
- Info
Remote Desktop
- 101
- Info
- Tools
- UniversalDVC
- Universal Dynamic Virtual Channel connector for Remote Desktop Services
-
- 101
- Info
Scripting Host
- 101
- wscript - docs.ms
- Windows Script Host provides an environment in which users can execute scripts in a variety of languages that use a variety of object models to perform tasks.
- Info
- 101
Security Descriptor Definition Language
- 101
- Info
- The Security Descriptor Definition Language of Love (Part 1) - technet.ms
- The Security Descriptor Definition Language of Love (Part 2) - technet.ms
- SECURITY_DESCRIPTOR_CONTROL - docs.ms
- The SECURITY_DESCRIPTOR_CONTROL data type is a set of bit flags that qualify the meaning of a security descriptor or its components. Each security descriptor has a Control member that stores the SECURITY_DESCRIPTOR_CONTROL bits.
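The two "SDDL of Love" posts and the SECURITY_DESCRIPTOR_CONTROL reference above fit together: the flag letters after D: and S: map directly onto control bits, and the parenthesised ACE strings are the DACL and SACL contents. The parser below is an added example written for this page, not code from those references. It rebuilds the control word from an SDDL string and flags DACLs that are unsafe, including the NULL-DACL versus empty-DACL distinction that is easy to get backwards: D:NO_ACCESS_CONTROL means a NULL DACL (everyone has full access), while a bare D: means an empty DACL (nobody has access). The SID aliases it treats as low-trust (WD, AU, BU, AN) and the rights it treats as broad are the example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* SECURITY_DESCRIPTOR_CONTROL bits (winnt.h) that an SDDL string can express. */
enum { SE_DACL_PRESENT = 0x0004, SE_SACL_PRESENT = 0x0010,
       SE_DACL_AUTO_INHERIT_REQ = 0x0100, SE_SACL_AUTO_INHERIT_REQ = 0x0200,
       SE_DACL_AUTO_INHERITED = 0x0400, SE_SACL_AUTO_INHERITED = 0x0800,
       SE_DACL_PROTECTED = 0x1000, SE_SACL_PROTECTED = 0x2000, MAX_ACES = 16 };
#define COPY(dst, s, n) snprintf(dst, sizeof dst, "%.*s", (int)(n), s)
typedef struct { char type[4], flags[16], rights[32], sid[64]; int in_sacl; } sddl_ace;
typedef struct { char owner[64], group[64]; uint16_t control; int null_dacl, null_sacl;
                 sddl_ace aces[MAX_ACES]; int ace_count; } sddl_sd;   /* null_*: NO_ACCESS_CONTROL */
/* Flag tokens allowed before the first '(' of a D:/S: component. */
static const struct { const char *tok; uint16_t dacl, sacl; } ACL_FLAGS[] = {
    {"NO_ACCESS_CONTROL", 0, 0}, {"AR", SE_DACL_AUTO_INHERIT_REQ, SE_SACL_AUTO_INHERIT_REQ},
    {"AI", SE_DACL_AUTO_INHERITED, SE_SACL_AUTO_INHERITED}, {"P", SE_DACL_PROTECTED, SE_SACL_PROTECTED}};

/* One ACE: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid */
static int parse_ace(const char *s, size_t n, int sacl, sddl_sd *sd)
{
    const char *f[6]; size_t fl[6], start = 0; int k = 0;
    for (size_t i = 0; i <= n; i++) {
        if (i < n && s[i] != ';') continue;
        if (k == 6) return -1;
        f[k] = s + start; fl[k] = i - start; k++; start = i + 1;
    }
    if (k != 6 || sd->ace_count == MAX_ACES) return -1;
    sddl_ace *a = &sd->aces[sd->ace_count++];
    COPY(a->type, f[0], fl[0]); COPY(a->flags, f[1], fl[1]); COPY(a->rights, f[2], fl[2]); COPY(a->sid, f[5], fl[5]);
    a->in_sacl = sacl;
    return 0;
}

static int parse_acl(const char *s, size_t n, int sacl, sddl_sd *sd, int *null_acl)
{
    size_t i = 0;
    while (i < n && s[i] != '(') {           /* leading flags, longest token first */
        size_t t = 0, tl = 0;
        while (t < 4 && ((tl = strlen(ACL_FLAGS[t].tok)) > n - i || strncmp(s + i, ACL_FLAGS[t].tok, tl))) t++;
        if (t == 4) return -1;
        if (t == 0) *null_acl = 1; else sd->control |= sacl ? ACL_FLAGS[t].sacl : ACL_FLAGS[t].dacl;
        i += tl;
    }
    while (i < n) {                          /* then one parenthesised ACE after another */
        size_t j = i + 1;
        while (j < n && s[j] != ')') j++;
        if (s[i] != '(' || j == n || parse_ace(s + i + 1, j - i - 1, sacl, sd) < 0) return -1;
        i = j + 1;
    }
    return 0;
}

/* Parses "O:...G:...D:...S:..." (any subset). Returns 0 on success, -1 on malformed input. */
int sddl_parse(const char *str, sddl_sd *sd)
{
    size_t len = strlen(str), i = 0;
    memset(sd, 0, sizeof *sd);
    while (i < len) {
        char kind = str[i];
        size_t start = i + 2, j = start;
        int depth = 0, sacl = kind == 'S';
        if (i + 1 >= len || str[i + 1] != ':') return -1;
        for (; j < len; j++) {               /* a component ends at the next top-level "X:" */
            if (str[j] == '(') depth++;
            else if (str[j] == ')') depth--;
            else if (!depth && j + 1 < len && str[j + 1] == ':' && strchr("OGDS", str[j])) break;
        }
        if (kind == 'O') COPY(sd->owner, str + start, j - start);
        else if (kind == 'G') COPY(sd->group, str + start, j - start);
        else if (kind == 'D' || kind == 'S') {
            sd->control |= sacl ? SE_SACL_PRESENT : SE_DACL_PRESENT;
            if (parse_acl(str + start, j - start, sacl, sd, sacl ? &sd->null_sacl : &sd->null_dacl) < 0) return -1;
        } else return -1;
        i = j;
    }
    return 0;
}

/* Convenience for one-off checks: parses into a static descriptor, NULL on error. */
const sddl_sd *sddl_parse_static(const char *str)
{ static sddl_sd sd; return sddl_parse(str, &sd) == 0 ? &sd : NULL; }

/* Rights amounting to ownership or write access: the codes GA, FA, GW, WD (WRITE_DAC) and
   WO (WRITE_OWNER), or a hex mask containing those bits or all of FILE_ALL_ACCESS. */
static int rights_broad(const char *r)
{
    if (!strncmp(r, "0x", 2)) { unsigned long m = strtoul(r, NULL, 16); return (m & 0x500C0000ul) != 0 || (m & 0x1F01FFul) == 0x1F01FFul; }
    for (size_t i = 0; i + 1 < strlen(r); i += 2)
        if (!strncmp(r + i, "GA", 2) || !strncmp(r + i, "FA", 2) || !strncmp(r + i, "GW", 2) ||
            !strncmp(r + i, "WD", 2) || !strncmp(r + i, "WO", 2)) return 1;
    return 0;
}

/* Weak: no DACL, a NULL DACL (D:NO_ACCESS_CONTROL), or an allow ACE giving broad rights to a
   low-trust principal. An empty DACL ("D:" with no ACEs) denies everyone and is not weak. */
int sddl_weak_dacl(const sddl_sd *sd)
{
    if (!(sd->control & SE_DACL_PRESENT) || sd->null_dacl) return 1;
    for (int i = 0; i < sd->ace_count; i++) {
        const sddl_ace *a = &sd->aces[i];
        int low_trust = !strcmp(a->sid, "WD") || !strcmp(a->sid, "AU") || !strcmp(a->sid, "BU") || !strcmp(a->sid, "AN");
        if (!a->in_sacl && !strcmp(a->type, "A") && low_trust && rights_broad(a->rights)) return 1;
    }
    return 0;
}
```

A typical call is sddl_weak_dacl(sddl_parse_static("O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)")), which parses to control 0x1404 (SE_DACL_PRESENT | SE_DACL_PROTECTED | SE_DACL_AUTO_INHERITED) and is not weak, while "O:BAG:SYD:(A;OICI;GA;;;WD)" is. Note that the rights field can be a hex mask rather than letter codes, so a checker that only matches "GA" or "FA" misses (A;;0x1f01ff;;;AU), which is FILE_ALL_ACCESS for Authenticated Users.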
Security Support Providers
- 101
- Info
- SSP Packages Provided by Microsoft - docs.ms
- Secure Channel - docs.ms
- Secure Channel, also known as Schannel, is a security support provider (SSP) that contains a set of security protocols that provide identity authentication and secure, private communication through encryption. Schannel is primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communications.
- The NTLM Authentication Protocol and Security Support Provider - davenport.sourceforge.net
- Microsoft Digest SSP - docs.ms
- Microsoft Digest is a security support provider (SSP) that implements the Digest Access protocol, a lightweight authentication protocol for parties involved in Hypertext Transfer Protocol (HTTP) or Simple Authentication Security Layer (SASL) based communications. Microsoft Digest provides a simple challenge response mechanism for authenticating clients. This SSP is intended for use by client/server applications using HTTP or SASL based communications.
Services
- 101
- Info
- Creating a service using sc.exe
- Services: Windows 10 Services(ss64)
- A list of the default services in Windows 10 (build 1903).
- Service Accounts
- 101
- Info
- Service Account best practices Part 1: Choosing a Service Account
- In this article you will learn the fundamentals of Windows service accounts. Specifically, we discover the options and best practices concerning the selection of a service account for a particular service application.
- Linux Subsystem
- 101
- Info
- lxss -- Fun with the Windows Subsystem for Linux (WSL/LXSS)
- "This repository is dedicated to research, code, and various studies of the Windows Subsystem for Linux, also known as Bash on Ubuntu on Windows, and LXSS. It contains a variety of Proof-of-Concept Win32 and Linux binaries, both in user-mode and kernel-mode, in order to interact with the various subsystem pieces. Namely, it demonstrates usage of the Win32 COM interface between Bash.exe and LxssManager, as well as of the ADSS Bus interface between init and LxssManager. For Redstone 2, it shows off some of the new interoperability features of the subsystem."
- Emulating Windows system calls, take 2 - Jonathan Corbet(2020)
- lxss -- Fun with the Windows Subsystem for Linux (WSL/LXSS)
- Security
- Linux Subsystem
- 101
- Info
- microsoft-pdb
- This repo contains information from Microsoft about the PDB (Program Database) Symbol File format.
- Public and Private Symbols - docs ms
- How to Inspect the Content of a Program Database (PDB) File
- Symbol Files
- Normally, debugging information is stored in a symbol file separate from the executable. The implementation of this debugging information has changed over the years, and the following documentation will provide guidance regarding these various implementations .
- microsoft-pdb
- 101
- Info
- windows-syscall-table
- windows syscall table from xp ~ 10 rs2
- How Do Windows NT System Calls REALLY Work?
- Debugging Functions - msdn
- Intercepting System Calls on x86_64 Windows
- windows-syscall-table
- System Service Descriptor Table(SSDT)
- System Service Descriptor Table - SSDT - @spotheplanet
- 101
- Info
- API Calls
- DuplicateTokenEx function - docs.ms
- The DuplicateTokenEx function creates a new access token that duplicates an existing token. This function can create either a primary token or an impersonation token.
- ImpersonateLoggedOnUser function - docs.ms
- The ImpersonateLoggedOnUser function lets the calling thread impersonate the security context of a logged-on user. The user is represented by a token handle.
- SetThreadToken function - docs.ms
- The SetThreadToken function assigns an impersonation token to a thread. The function can also cause a thread to stop using an impersonation token.
- CreateProcessWithTokenW function - docs.ms
- Creates a new process and its primary thread. The new process runs in the security context of the specified token. It can optionally load the user profile for the specified user.
- OpenProcess function - docs.ms
- Opens an existing local process object.
- OpenProcessToken function - docs.ms
- The OpenProcessToken function opens the access token associated with a process.
- OpenThread function - docs.ms
- Opens an existing thread object.
- OpenThreadToken function - docs.ms
- The OpenThreadToken function opens the access token associated with a thread.
- GetTokenInformation function - docs.ms
- The GetTokenInformation function retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information.
- DuplicateTokenEx function - docs.ms
- 101
- Info
- Protecting Windows Networks – UAC - dfirblog.wordpress.com
- [User Account Control - Steven Sinofsky(blogs.msdn)](https://blogs.msdn.microsoft.com/e7/2008/10/08/user-account-control/)
- User Account Control Step-by-Step Guide - docs.ms
- Windows Communication Foundation
- 101
- Windows Communication Foundation - Guide to the Documentation - docs.ms
- What Is Windows Communication Foundation
- Windows Communication Foundation (WCF) is a framework for building service-oriented applications. Using WCF, you can send data as asynchronous messages from one service endpoint to another. A service endpoint can be part of a continuously available service hosted by IIS, or it can be a service hosted in an application. An endpoint can be a client of a service that requests data from a service endpoint. The messages can be as simple as a single character or word sent as XML, or as complex as a stream of binary data.
- Fundamental Windows Communication Foundation Concepts
- WCF is a runtime and a set of APIs for creating systems that send messages between services and clients. The same infrastructure and APIs are used to create applications that communicate with other applications on the same computer system or on a system that resides in another company and is accessed over the Internet.
- Windows Communication Foundation Architecture
- Architecture Graphic
- Info
- 101
- Blue (and other colors) Screen of Death
- AngryWindows
- "This is a driver that modifies the emoticon, color, and error messages of the Bluescreen of Death."
- AngryWindows
- Blue (and other colors) Screen of Death
- 101
- Callbacks
- Callback Functions
- 101
- Callback (computer programming) - Wikipedia
- Callback Objects - docs.ms(2017)
- Info
- Detecting Kernel-Mode Callbacks - docs.ms
- Kernel Callback Functions - CodeMachine
- Comprehensive list of documented and undocumented APIs available in the Windows kernel to register callback routines.
- Reversing Windows Internals (Part 1) – Digging Into Handles, Callbacks & ObjectTypes - Mohammad Sina Karvandi(2019)
- Talks/Presentations/Videos
- Kernel Attacks through User-Mode Callbacks - Tarjei Mandt(BHUSA2011)
- Paper
- "15 years ago, Windows NT 4.0 introduced Win32k.sys to address the inherent limitations of the older client-server graphics subsystem model. Today, win32k still remains a fundamental component of the Windows architecture and manages both the Window Manager (User) and Graphics Device Interface (GDI). In order to properly interface with user-mode data, win32k makes use of user-mode callbacks, a mechanism allowing the kernel to make calls back into user-mode. User-mode callbacks enable a variety of tasks such as invoking application-defined hooks, providing event notifications, and copying data to/from user-mode. In this paper, we discuss the many challenges and problems concerning user-mode callbacks in win32k. In particular, we show how win32k’s dependency on global locks in providing a thread-safe environment does not integrate well with the concept of user-mode callbacks. Although many vulnerabilities related to user-mode callbacks have been addressed, their complex nature suggests that more subtle flaws might still be present in win32k. Thus, in an effort to mitigate some of the more prevalent bug classes, we conclusively provide some suggestions as to how users may protect themselves against future kernel attacks."
- Callback objects - Yarden Shafir(BSides Delhi2020)
- Slides
- CallbackObjectAnalyzer
- Whether you’re an attacker, trying to persist and gather information while avoiding detection, or a defender, trying to monitor everything that’s running on a box and staying a step ahead of the attackers, everyone wants to know what’s happening on a machine. Windows has a mechanism that can fulfill all these needs and isn’t getting the attention it deserves – callback objects. Used by many kernel components and easy to access for 3rd-party drivers, these objects can supply valuable information about various kernel events, internal AV communication, and more. Even Patch Guard has its own callback! As helpful as they are, they are mostly ignored by security solutions, making them a great place for rootkits to hide in, where no one is looking.
- Handles
- Handles & Objects
- 101
- Info
- Tools
- Handle
- "Ever wondered which program has a particular file or directory open? Now you can find out. Handle is a utility that displays information about open handles for any process in the system. You can use it to see the programs that have a file open, or to see the object types and names of all the handles of a program."
- EnumAllHandles
- Handle
- Transaction Manager
- 101
- Kernel Transaction Manager - docs.ms
- "The Kernel Transaction Manager (KTM) enables the development of applications that use transactions. The transaction engine itself is within the kernel, but transactions can be developed for kernel- or user-mode transactions, and within a single host or among distributed hosts. The KTM is used to implement Transactional NTFS (TxF) and Transactional Registry (TxR). TxF allows transacted file system operations within the NTFS file system. TxR allows transacted registry operations. KTM enables client applications to coordinate file system and registry operations with a transaction."
- About KTM - docs.ms
- Kernel Transaction Manager - docs.ms
- Info
- Transactional NTFS
- Transactional Registry
- 101
- A Detailed Analysis of Contemporary ARM and x86 Architectures
- RISC vs. CISC wars raged in the 1980s when chip area and processor design complexity were the primary constraints and desktops and servers exclusively dominated the computing landscape. Today, energy and power are the primary design constraints and the computing landscape is significantly different: growth in tablets and smartphones running ARM (a RISC ISA) is surpassing that of desktops and laptops running x86 (a CISC ISA). Further, the traditionally low-power ARM ISA is entering the high-performance server market, while the traditionally high-performance x86 ISA is entering the mobile low-power device market. Thus, the question of whether ISA plays an intrinsic role in performance or energy efficiency is becoming important, and we seek to answer this question through a detailed measurement based study on real hardware running real applications. We analyze measurements on the ARM Cortex-A8 and Cortex-A9 and Intel Atom and Sandybridge i7 microprocessors over workloads spanning mobile, desktop, and server computing. Our methodical investigation demonstrates the role of ISA in modern microprocessors’ performance and energy efficiency. We find that ARM and x86 processors are simply engineering design points optimized for different levels of performance, and there is nothing fundamentally more energy efficient in one ISA class or the other. The ISA being RISC or CISC seems irrelevant.
- ARM Documentation
- Windows 8 Security and ARM
- Intel SGX Explained
- This paper analyzes Intel SGX, based on the 3 papers that introduced it, on the Intel Software Developer’s Manual (which supersedes the SGX manuals), on an ISCA 2015 tutorial, and on two patents. We use the papers, reference manuals, and tutorial as primary data sources, and only draw on the patents to fill in missing information. This paper’s contributions are a summary of the Intel-specific architectural and micro-architectural details needed to understand SGX, a detailed and structured presentation of the publicly available information on SGX, a series of intelligent guesses about some important but undocumented aspects of SGX, and an analysis of SGX’s security properties.
- Introducing Character Sets and Encodings - W3C
- An Introduction to Writing Systems & Unicode
- Tifinagh - Wikipedia
- Core Text - apple
- Full Emoji List - Unicode.org
- List of XML and HTML character entity references - Wikipedia
- Ambiguous ampersands
- Everything You Need To Know About Emoji 🍭
- Emoji and Pictographs - FAQ - unicode.org
- Unicode® Emoji
- This page provides information about Unicode emoji and their development.
- Emojipedia
- Emoji Meanings