Delaying Kernel Payloads by Hijacking KTIMERs & KDPCs (Part 2)
In this two-part blog post series we present KTIMER hijacking, a novel post-exploitation technique that delays the execution of kernel-mode payloads.
In the first part we focused on Windows 11 timer internals and deferred procedure calls and showed that we can hijack KTIMER and KDPC objects to delay the execution of a function pointer. This second part focuses on implementing these findings in a proof of concept, illustrating the delayed execution of a kernel-mode payload.
Delaying Kernel Payloads by Hijacking KTIMERs & KDPCs (Part 1)
In this two-part blog post series we present KTIMER hijacking, a novel post-exploitation technique that delays the execution of kernel-mode payloads.
This first part focuses on Windows 11 timer internals and deferred procedure calls and on how we can hijack KTIMER and KDPC objects to delay the execution of a function pointer. The second part focuses on implementing these findings in a proof of concept, illustrating the delayed execution of a kernel-mode payload.
OSEE Certification Review
"The OSEE is the most difficult exploit development certification you can earn." (OffSec). To attempt the 72-hour exam you must have physically attended the demanding EXP-401: Advanced Windows Exploitation (AWE) course, which has a limited number of seats available. At the time of writing it is estimated that there are only around 100 OSEEs in the world, even though the course has been taught since 2011.
Flare-On 9: 09_encryptor
Flare-On is an annual single-player reverse engineering CTF that represents the skills and challenges the Mandiant FLARE team faces. The 8-12 challenges increase in difficulty, and participants have about 6 weeks to complete them all in order to win a prize.
CVE-2022-27438
Caphyon Ltd Advanced Installer 19.3 "CustomDetection" Update Check Remote Code Execution Vulnerability (PDF)
CVE-2022-28944
EMCO Software Multiple Products Unauthenticated Update Remote Code Execution Vulnerability (PDF)
CVE-2022-24644
ZZ Inc. KeyMouse 3.08 (Windows) Unauthenticated Update Remote Code Execution Vulnerability (PDF)
New OpenPGP Key
I updated the OpenPGP key for secure communication.