Волчьи IT-мысли » Без перевода

Building the next generation file system for Windows: ReFS

SWW — Wed, 18 Jan 2012 11:20:32 +0000

We wanted to continue our dialog about data storage by talking about the next generation file system being introduced in Windows 8. Today, NTFS is the most widely used, advanced, and feature rich file system in broad use. But when you’re reimagining Windows, as we are for Windows 8, we don’t rest on past successes, and so with Windows 8 we are also introducing a newly engineered file system. ReFS, (which stands for Resilient File System), is built on the foundations of NTFS, so it maintains crucial compatibility while at the same time it has been architected and engineered for a new generation of storage technologies and scenarios. In Windows 8, ReFS will be introduced only as part of Windows Server 8, which is the same approach we have used for each and every file system introduction. Of course at the application level, ReFS stored data will be accessible from clients just as NTFS data would be. As you read this, let’s not forget that NTFS is by far the industry’s leading technology for file systems on PCs.

Дальше

Windows Kernel-mode GS Cookies and 1 bit of entropy

SWW — Wed, 12 Jan 2011 08:03:51 +0000

Today, I would like to present the results of the research, performed by me and Gynvael Coldwind, during the last three or four weeks – an almost forty-page long article, entitled “Exploiting the otherwise non-exploitable: Windows Kernel-mode GS cookies subverted” (yes, that’s an obvious reference to the “Exploiting the otherwise non-exploitable on Windows” by Skywing and Skape, Uninformed 4). The paper aims to describe the current protection level of a specific stack protection found in a majority of Windows device drivers (both default and 3rd party) – the GS cookies, and cover the cookie generation weaknesses, found in the actual protection implementations on Windows XP, Windows Vista and Windows 7 (both 32-bit and 64-bit platforms).

Дальше

P.S. PDF доступен в конце оригинального блогпоста.

Stuxnet Memory Analysis and IOC creation

SWW — Thu, 22 Jul 2010 09:11:57 +0000

The stuxnet malware has been making the press recently for two reasons. First it contains two drivers signed with a legitimate (at the time) cert. Second is it’s targeting SCADA systems. The malware is cool for a host of other geeky reasons. Nick Harbour, Stephen Davis, and I started looking at the malware Sunday afternoon. We had hoped to write a blog post about the specifics of the malware before we left for Vegas on Friday. However, in the short term I thought this malware would provide a great opportunity to demonstrate how memory analysis can be leveraged to find malware easily, and how the MANDIANT’s Indicator of Compromise editor (IOCe) tool can be used to describe the malware and what to look for.

Вся статья

Getting Started with the Windows Driver Development Environment

SWW — Fri, 28 May 2010 12:13:30 +0000

Getting started with Microsoft Windows device drivers can be difficult, even for experienced developers. This paper presents an overview of the debugging and testing tools that developers use to create a device driver for Windows operating systems. In particular, the paper examines ways to find and fix bugs early in development, to help you produce a high-quality device driver.

WDK MVP Don Burn shares his experience and insights about the hardware and software you need for driver development, how to get started with the WDK build environments and Build utility, and tips, techniques, and tools for all phases of development.

Неплохая статья для начинающих. Рекомендуется к просмотру.

How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive when capturing a system memory dump

SWW — Thu, 08 Apr 2010 08:32:09 +0000

Prior to Windows Vista and Windows Server 2008 we had to keep a large page file on the system drive (typically drive C:) in order to properly capture system memory dumps for troubleshooting. This presented problems as systems with very large amounts of RAM became more common, resulting in requirements for very large amounts of free space on the C: drive, or requiring that system visible memory be artificially limited for troubleshooting purposes. This is no longer a requirement thanks to the Dedicated Dump File feature, which is available for use in Windows Vista and later operating systems.

ATM Skimmers, Part II

SWW — Fri, 12 Feb 2010 09:52:25 +0000

Крайне забавные картинки про скиммеры, рекомендую.

via ATM Skimmers, Part II.

Hex-Rays plugin contest

SWW — Sat, 21 Nov 2009 11:01:01 +0000

We are happy to announce the results of our first Hex-Rays plugin contest! The submitted files are very interesting. We are sure that you too will find them useful and increasing your productivity.

While we had no difficulties determining the first winner, the second place was not that obvious, both candidates were very good. In the end we did choose, but decided that the third place deserves the prize as well. In fact, we feel that all submissions are good and deserve a prize, but the number of winning places is always limited. Probably we will be better prepared for the next time.

Все плагины доступны для загрузки, предлагаю внимательно на них посмотреть. Мне понравился IDAStealth. А в общем все полезные. А что полезного для вас в них?

Hex-Rays Decompiler primer

SWW — Thu, 15 Oct 2009 19:39:59 +0000

The Hex-Rays Decompiler 1.0 was released more than two years ago. Since then it has improved a lot and does a great job decompiling real-life code, but sometimes there are additional things that you might wish to do with its output. For that purpose we have released the Hex-Rays Decompiler SDK and several sample plugins. However, the header files alone do not give a complete picture and it can be difficult to see where to start.

In this post we will outline the architecture of the Hex-Rays Decompiler SDK, cover some principles and finally wrap everything we discussed and write a small plugin.

Читать интересную статью

Windows 7 Kernel Architecture Changes

SWW — Fri, 07 Aug 2009 11:03:32 +0000

Windows 7 introduces a new set of dll files containing exported functions of many well-known WIN32 APIs. All these filenames begins with ‘api-ms-win-core’ prefix, followed by the functions category name. For example, api-ms-win-core-localregistry-l1-1-0.dll contains the exported names for all Registry functions, api-ms-win-core-file-l1-1-0.dll contains the exported names for all file-related functions, api-ms-win-core-localization-l1-1-0.dll contains the exported names for all localization functions, and so on.

Your Botnet is My Botnet

SWW — Sun, 17 May 2009 13:50:36 +0000

Botnets, networks of malware-infected machines that are controlled by an adversary, are the root cause of a large number of security threats on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program that is designed to harvest sensitive information (such as bank account and credit card data) from its victims.

At the beginning of 2009, we took control of the Torpig botnet for ten days. Over this period, we observed more than 180 thousand infections and recorded more than 70 GB of data that the bots collected.

Читать «Сказ о том, как мужики ботнет воровали»