
Inner Workings of UEFI Secure Boot Signature Revocation List (DBX) Updates

10 February, 2023
  • UEFI  
  • dbx  
  • revocation list  
  • secure boot  
  • differential update  
  • Windows  

Presents a UEFI revocation-list-update-file (dbxupdate.bin) parser written in python and explores the contents of various dbxupdate.bin versions from the UEFI Forum and Microsoft; touches on the subject of the structure of Windows updates and differential compression.

Using WinSxS to Retrace Windows Update History

09 February, 2023
  • WinSxS  
  • differential update  
  • Windows  

Describes the part WinSxS plays in the installation of differential-compression-based Windows updates. Introduces a python script that reconstructs the update history of a given file by enumerating WinSxS entries and establishing sequences of delta patches.

A Tale of Omnipotence or How a Windows Update Broke Ubuntu Live CD

16 December, 2022
  • UEFI  
  • dbx  
  • revocation list  
  • secure boot  
  • CVE-2020-10713  
  • bootloader  
  • Windows  

Explains why installing KB5012170 may prevent some Ubuntu Live CDs from booting and describes the inner workings of secure boot.

First-Stage Bootloader: Hey, You've Got Pointy Ears Sticking out of Your Window

15 December, 2022
  • PE  
  • ELF  
  • COFF  
  • shim  
  • UEFI  
  • secure boot  
  • reverse engineering  
  • symbol file  

A sample of static binary analysis; therein we examine the method by which a first-stage bootloader verifies the second-stage Linux bootloader, GRUB2, as part of UEFI Secure Boot and, in the process, dissect the structure of UEFI images compiled under Linux.

A Quick Note: What Is EXCEPTION_CONTINUE_EXECUTION Good for?

16 July, 2021
  • SEH  
  • Windows  

A brief note on the specifics of implementing an exception handler that returns EXCEPTION_CONTINUE_EXECUTION.

Boots for Walking Backwards: Teaching pefile How to Understand SEH-Related Data in 64-bit PE Files

13 July, 2021
  • PE  
  • stack unwinding  
  • prolog  
  • epilog  
  • reverse engineering  
  • SEH  

Explains how SEH-related data is stored in 64-bit PE+ files and used by Windows to perform stack unwinding, and documents the process of implementing an extension to pefile that reads the relevant sections of PE+ images.

Bringing My OS Back from the Abyss : Restoring Windows Registry (Part 3)

20 April, 2021
  • Windows 10  
  • registry  
  • volume shadow snapshots  

A registry recovery procedure walk-through. Describes the internal organization of the Windows registry to the extent necessary to understand the recovery procedure and presents a python script implementing it; touches on the subject of VSS operation.

Bringing My OS Back from the Abyss : Reversing basesrv.dll Initialization Procedure (Part 2)

26 December, 2020
  • Windows 10  
  • radare2  
  • reverse engineering  
  • decompilation  

Introduces a general approach to machine code reverse engineering and gives a sample of a step-by-step reversing process; touches on the subject of automatic decompilation.

A Quick Note : Locating All Code Blocks Belonging to a (Fragmented) Function with pdbparse

01 December, 2020
  • pdbparse  
  • symbol file  
  • PDB  
  • separated code  
  • reverse engineering  

Shows how to compute the addresses of all code fragments belonging to the same function with the help of a pdb file.

On Using pdbparse to Retrieve Type Information from PDB Files

13 November, 2020
  • pdbparse  
  • symbol file  
  • PDB  
  • reverse engineering  

Explains how to extend the pdbparse python library with the functionality of retrieving function prototypes, variable declarations, and structure definitions from Microsoft pdb files.

Bringing My OS Back from the Abyss : Windows Crash Dump Analysis (Part 1)

06 February, 2019
  • Windows 10  
  • WinDbg  
  • crash dump  

A Windows crash dump analysis walk-through.


Arthur felt happy. He was terribly pleased that the day was for once working out so much according to plan. Only twenty minutes ago he had decided he would go mad, and now here he was already chasing a Chesterfield sofa across the fields of prehistoric Earth.

- Douglas Adams, Life, the Universe and Everything
© 2019-2023 Ry Auscitte. ALL RIGHTS RESERVED.