Satoshi Tanda

@standa_t

6,998
Followers
356
Following
111
Media
1,109
Statuses

Engineer & Trainer. My DM is open.

Vancouver, Canada
Joined February 2013
Pinned Tweet
@standa_t
Satoshi Tanda
10 days
I am excited to be back and offer the in-person training course at the awesome conference, @hexacon_fr Gain hands-on experience with virtualization and learn real-world applications of it.
2
2
26
@standa_t
Satoshi Tanda
3 years
For those who are curious about UEFI module reverse engineering but never tried it, I wrote a short tutorial post. You do not need special hardware or expensive software to get started.
5
244
630
@standa_t
Satoshi Tanda
1 year
Pleased to announce that the materials of Hypervisor 101 in Rust🦀 are now public! A one-day long course taught at #gccsec, to quickly learn hardware-assisted virtualization technology and its application for high-performance fuzzing on Intel/AMD processors
3
149
555
@standa_t
Satoshi Tanda
1 year
Updated my fuzzing hypervisor to run on both AMD and Intel. This will be published as part of my new class materials next month. Stay tuned!
@standa_t
Satoshi Tanda
2 years
Cool talk lineup, @reconmtl! Seats in my hypervisor class are still available. Check it out at One of the fun applications of what we will learn is fuzzing hypervisors running at the pre-OS stage, avoiding wasting CPU/memory on the host OS and apps
0
13
61
2
30
387
@standa_t
Satoshi Tanda
10 months
A new blog post on Intel VT-rp! Part 1 is about how HLAT prevents the remapping attack, taking Windows as an example platform. Sample hypervisor code:
3
114
336
@standa_t
Satoshi Tanda
4 months
Write up of the HVCI bypass vuln (CVE-2024-21305) with @aall86 !
5
122
295
@standa_t
Satoshi Tanda
3 years
New blog about using DCI with WinDbg and debugging SMM code. Plus, my first kernel-to-SMM LPE exploit & demo accompanying it
4
131
293
@standa_t
Satoshi Tanda
4 years
You can write and test your type-1 hypervisor on Hyper-V. I wrote up step-by-step instructions for this with MiniVisor. Big thanks to @Intel80x86 for sharing tricks about Hyper-V compatibility!
2
97
271
@standa_t
Satoshi Tanda
10 months
Another one confirmed to be a real issue too (arbitrary kernel-mode code exec under HVCI) :)
@standa_t
Satoshi Tanda
10 months
Confirmed with MSFT engineers that page corruption was a legit issue.
0
7
53
1
46
262
@standa_t
Satoshi Tanda
4 years
If you are interested in developing hypervisors as UEFI modules, MiniVisor is for you: Also @brucedang and I are offering a 5-day class on the development of hypervisors, including the UEFI version, in October. See details at
3
86
247
@standa_t
Satoshi Tanda
4 years
If you are curious about how DMA remapping (VT-d) can be configured to protect memory from DMA, here is a short introduction to it with sample code. Code:
4
84
231
@standa_t
Satoshi Tanda
3 years
You must know what VM-exit reason 33 (0x21) is if you ever wrote a hypervisor from scratch. Too much researchers' time has been wasted diagnosing it, so I am sharing the diagnostics code I have been using. This finds out why that VM-exit happened and saves your time
4
56
211
@standa_t
Satoshi Tanda
3 years
Happy to learn that Windows drivers can be written in #rustlang fairly smoothly. Here is my leet Rust code :-) and an accompanying note about dumping runtime drivers.
4
61
205
@standa_t
Satoshi Tanda
6 years
Blogged about a brand new AMSI bypass fixed this week.
2
136
197
@standa_t
Satoshi Tanda
3 years
Can I run my own SMM (ring -2) code for research? Sure, go nuts👍 Here is how you can get started with only 70 lines of code
5
56
191
@standa_t
Satoshi Tanda
10 months
Part 2 of the Intel VT-rp blog series is up! It introduces paging-write and guest-paging verification in combination with HLAT
@standa_t
Satoshi Tanda
10 months
A new blog post on Intel VT-rp! Part 1 is about how HLAT prevents the remapping attack, taking Windows as an example platform. Sample hypervisor code:
3
114
336
2
56
168
@standa_t
Satoshi Tanda
11 months
Sharing the hvext Windbg extension to help you study Hyper-V. Using this, I found what appears to be a Hyper-V bug where the root partition could bypass EPT and corrupt an arbitrary page :)
2
53
164
@standa_t
Satoshi Tanda
2 years
Any modern EDR should alert when a random process drops a random PE file onto the ESP, right? No, I do not think so. Apply the DBX update. This is ridiculously easy to exploit. Another great discovery by @HackingThings and @jessemichael!
4
48
166
@standa_t
Satoshi Tanda
6 months
A write-up and new blog post on one of the Hyper-V issues I reported. Technical write up: Non-technical post: Case closed
@standa_t
Satoshi Tanda
10 months
Confirmed with MSFT engineers that page corruption was a legit issue.
0
7
53
1
52
158
@standa_t
Satoshi Tanda
2 years
New blog post about bypassing EPT and IOMMU with unsafely exposed hardware features. Happy holidays.
3
64
159
@standa_t
Satoshi Tanda
7 months
Microsoft is integrating Rust into their UEFI as well. Here are a couple of examples: GlobalAllocator: UefiHidDxe module: I admire their effort to move to a safer language
1
37
154
@standa_t
Satoshi Tanda
3 months
Intel Hardware Shield deep dive: part 1 is user-mode System Management Mode (ISRD). ISRD is beautifully architected, and I have enjoyed studying it a lot. Excellent work by Intel.
1
63
152
@standa_t
Satoshi Tanda
3 years
I have just finished my and @brucedang's first remote hypervisor development class! Thank you very much to those who joined and spent time with me. Hopefully you enjoyed it! I am looking into holding the class for the public this year too
8
14
146
@standa_t
Satoshi Tanda
4 months
"Hypervisor-Protected Code Integrity (HVCI) Security Feature Bypass Vulnerability" @aall86 and I will write up a post together and share some technical details soon
0
30
136
@standa_t
Satoshi Tanda
7 years
Little-known PowerShell tips to specify a version
3
80
131
@standa_t
Satoshi Tanda
4 years
I wrote up what I learned designing and developing the type-1 (UEFI-based) hypervisor. This should be helpful for exploring MiniVisor's and other type-1 hypervisors' code bases, especially for those who know about blue-pill style hypervisors but not type-1.
1
61
132
@standa_t
Satoshi Tanda
2 years
New UEFI implant. Unlike its predecessors, this requires Boot Guard for prevention, not Secure Boot. Speaking of those, here are the lecture and hands-on exercises I went through with #gccsec students last week for analyzing UEFI implants and hacking tools
@_marklech_
Mark
2 years
[1/n] Today I'm sharing the details of a research done by @vaber_b , @legezo , Ilya Borisov and myself on a UEFI firmware implant found in the wild, dubbed #MoonBounce . We assess that this formerly unknown threat is the work of the infamous #APT41 . A 🧵
11
285
524
0
44
130
@standa_t
Satoshi Tanda
3 years
Announcement: the details and registration of our hypervisor development class for the public is finally open! Check out the details at The last private class was a big success, and this time will be even better🔥
2
35
125
@standa_t
Satoshi Tanda
6 years
Hiding kernel-code modification with AMD-V. Some limitations and more performance degradation compared with the VT-x-based implementation, but still doable and realistic for some use cases.
0
73
125
@standa_t
Satoshi Tanda
8 months
For young people such as Security Camp alumni, especially those drawn to so-called "low-layer technology", I introduce the job of security software research and development. I wrote this inspired by the good article in the original retweet. #seccamp
Went ahead and wrote it!
1
54
238
0
36
124
@standa_t
Satoshi Tanda
10 months
Added a command to dump DMA remapping structures. You can study how Hyper-V protects the system from DMA
@standa_t
Satoshi Tanda
11 months
Sharing the hvext Windbg extension to help you study Hyper-V. Using this, I found what appears to be a Hyper-V bug where the root partition could bypass EPT and corrupt an arbitrary page :)
2
53
164
0
35
122
@standa_t
Satoshi Tanda
1 year
A short blog post about debugging winload, tcblaunch and Hyper-V on a physical device over USB EEM. Helpful when a target device cannot be debugged with traditional KDNET and USB3 etc. Big thanks to @KelvinMsft for teaching me about this for x64 devices.
4
46
121
@standa_t
Satoshi Tanda
2 months
Intel Hardware Shield deep dive: part 2 is SMM security policy reporting (ISSR, aka PPAM) and interaction with Windows' Secure Launch. Another fascinating piece of technology! I have wanted to review this for a while and am glad I have spent time on it.
@standa_t
Satoshi Tanda
3 months
Intel Hardware Shield deep dive: part 1 is user-mode System Management Mode (ISRD). ISRD is beautifully architected, and I have enjoyed studying it a lot. Excellent work by Intel.
1
63
152
0
44
116
@standa_t
Satoshi Tanda
6 years
In Full Language Mode, you can do whatever you want. Here is just another example, which kills Script Block Logging. No protection works perfectly, so know attackers as much as possible (and defense options like Constrained Language Mode)
2
63
110
@standa_t
Satoshi Tanda
1 month
I have been making progress in adding hypervisor learning resources in Rust for my upcoming classes. ✅Supports both AMD and Intel with single code ✅Compiles into UEFI and Windows drivers ✅Uses stable Rust ✅Runs on Bochs and VMware with one shortcut key
0
17
110
@standa_t
Satoshi Tanda
7 months
:feelsgood: Will write up details.
@standa_t
Satoshi Tanda
10 months
Another one confirmed to be a real issue too (arbitrary kernel-mode code exec under HVCI) :)
1
46
262
9
11
101
@standa_t
Satoshi Tanda
10 months
Solidify your understanding of virtualization technology and hypervisor implementations for reversing, fuzzing, tooling or your low-level thirst! The 4-day long remote class with in-depth discussions and hands-on exercises in the comfort of your home🏠
@standa_t
Satoshi Tanda
11 months
Excited to announce that my next remote class is on Nov 27-28 and Dec 4-5 (4 days). Check out details at . Registration is open! It is a unique opportunity to quickly learn Intel VT-x, -d, -rp and UEFI by writing a lightweight hypervisor together.
0
8
43
1
14
98
@standa_t
Satoshi Tanda
3 years
We just finished my hypervisor development class. Thanks to everyone's passionate and active participation, we had a lot of additional discussions and experiments on top of the planned topics. It was fun!
2
8
97
@standa_t
Satoshi Tanda
3 months
Thrilled to announce the schedule of my next remote class in June. Check out details at It is a rare opportunity to quickly learn Intel VT-x, -d, -rp and UEFI by writing a lightweight hypervisor and analyzing design options and security risks!
3
20
95
@standa_t
Satoshi Tanda
3 years
Happy to discover my name in Windows Internals Part 2 along with the recognized experts. By the way, Microsoft Press Store offers 35% discount until the end of the month.
2
12
93
@standa_t
Satoshi Tanda
5 years
Hardware and Software Support for Virtualization is an excellent book for those who are interested in the subject. Explanation is concise but gives enough details and background. Also covers ARM.
1
32
92
@standa_t
Satoshi Tanda
3 years
For those who write hypervisors for Intel processors, keep the current SDM (v74, April). The latest, released on the 28th, _deleted_ the three greatly helpful chapters. Intel, I get those chapters were a little "off" as a spec, but this is not helpful
5
29
91
@standa_t
Satoshi Tanda
9 months
System-wide Intel PT + DCI (hardware debugger) + NT symbol resolution. It is going to be🔥
@AlanSguigna
Alan Sguigna
9 months
For the first time, I can see the overall code flow of the Windows kernel, thanks to our integration of WinDbg with Intel Processor Trace. Lots of interesting functions in here:
0
36
122
0
18
91
@standa_t
Satoshi Tanda
5 years
The Intel manual was updated last week. Additions of a few new MSRs and clarification of execution ordering for some instructions (like LFENCE) related to Meltdown/Spectre.
2
26
88
@standa_t
Satoshi Tanda
1 year
!dump_vmcs: Windbg JavaScript to dump values of the current VMCS for Hyper-V debugging. I was 100% sure this pre-existed somewhere (probably a lot) but could not find it. So wrote one last night.
1
35
88
@standa_t
Satoshi Tanda
3 years
My class at @offensive_con will discuss hiding code patches with EPTs and give away an example implementation. It is not novel, but everyone at the conf likes to bypass integrity checks and stuff like that, right? ⬅️patching pre-boot UEFI code ➡️patching user-mode code
0
16
82
@standa_t
Satoshi Tanda
6 months
"Bypassing the HVCI memory protection" at #HEXACON2023 discusses the remapping attack with an application to code pages. If you wonder what mitigates this, you can check out HLAT (VT-rp)
@standa_t
Satoshi Tanda
10 months
A new blog post on Intel VT-rp! Part 1 is about how HLAT prevents the remapping attack, taking Windows as an example platform. Sample hypervisor code:
3
114
336
0
23
85
@standa_t
Satoshi Tanda
2 years
Playing with libFuzzer, which I just learned from @richinseattle's fuzzing class today. I can recommend his class even if you are not a security researcher. A lot of tools out there and their flags are overwhelming, but his class helps me get through some of the learning curves quickly
1
12
80
@standa_t
Satoshi Tanda
10 years
Advanced skinning plugin for IDA Pro: http://t.co/jIJQ5N3Ygg
1
37
77
@standa_t
Satoshi Tanda
9 years
Reversing Windbg commands as an alternative to reversing the kernel. http://t.co/Np2PGF4SKd
0
68
76
@standa_t
Satoshi Tanda
3 years
For friends who wanted to play with the Windows Platform Binary Table (WPBT) in response to Eclypsium's report, here is the tool for you. @HackingThings Thank you a lot for helping me reproduce this!
@HackingThings
Mickey
3 years
Want to make your own persistent rootkit? Just sign your native windows binary with one of Hacking Team's revoked code signing certificates and you are all set! Certificate:
4
77
215
6
30
75
@standa_t
Satoshi Tanda
2 years
I will be teaching hypervisors (Intel and AMD) in Rust at GCC 2023. Very honored to help next-generation engineers learn security and low-level technologies! If interested, check out the organization of your country listed there to see if you can apply
2
17
73
@standa_t
Satoshi Tanda
2 years
Funny enough, I was notified of an advisory for a vuln last night -- 8+ years after I reported it. Nothing technically useful or interesting, but tossing it out there
1
15
71
@standa_t
Satoshi Tanda
3 years
How S3 sleep and resume are implemented, taking EDK2 and Windows as an implementation example. + how type-1 hypervisors can handle it.
0
17
72
@standa_t
Satoshi Tanda
2 years
I am offering an in-person class for hypervisor development at @reconmtl ! We will also discuss taking and reverting to snapshots for fast full-system fuzzing, as well as stealth hooking and hardware debuggers for lower footprint reverse engineering
@reconmtl
REcon
2 years
Recon 2022 Registration and CFP are now open! May 30 to June 5th. We are excited to see you all in person in Montreal again!
0
51
123
0
12
64
@standa_t
Satoshi Tanda
9 years
Writing a Hypervisor for Kernel Mode Code Analysis and Fun http://t.co/UpZPYXiLu2
2
51
64
@standa_t
Satoshi Tanda
9 months
Explains issues with prematurely busy shadow stacks and how OSes and hypervisors can remediate it. It is a rare example of Intel explaining "why" certain enhancements are made. Also, surprisingly readable. When Intel consistently does this, that is when my teaching business can end.
@InstLatX64
InstLatX64
9 months
#Intel "Complex Shadow-Stack Updates (Intel® Control-Flow Enforcement Technology)" paper about CET_SSS feature (CPUID.(EAX=07H,ECX=1H):EDX[bit 18]) (CET_Supervisor_Shadow_Stack) 356628-001US
1
6
37
1
14
62
@standa_t
Satoshi Tanda
8 years
Thank you for listening to my talk at #reconmtl. Here is a link to the slides
3
60
61
@standa_t
Satoshi Tanda
2 years
Cool talk lineup, @reconmtl! Seats in my hypervisor class are still available. Check it out at One of the fun applications of what we will learn is fuzzing hypervisors running at the pre-OS stage, avoiding wasting CPU/memory on the host OS and apps
0
13
61
@standa_t
Satoshi Tanda
6 years
A DebugView-like open source tool. You may like this if you are messing around with Windows on ARM64, where DebugView cannot run.
1
38
58
@standa_t
Satoshi Tanda
2 years
Are you interested in executing arbitrary uCode & undocumented debug instructions on an Intel chip as @_markel___ , @_Dmit and @h0t_max did? I certainly am! A friend of mine is putting up video tutorials for it. Let him know you too are interested!
@endbr64
Lee
2 years
Want to unlock undocumented Intel instructions and execute custom microcode? I am starting a tutorial series to delve into some of the work from the uCode Research Team! Unlock your CPU and Execute Arbitrary Microcode! Tutorial Introduction
4
88
219
2
15
59
@standa_t
Satoshi Tanda
4 years
It was all fun and games until I discovered my AMD HV was unstable on a device without a serial port. I ended up debugging it through DMA with PCILeech (thx @UlfFrisk for the project). But can anyone suggest what else I could do if DMA is not an option?
6
8
59
@standa_t
Satoshi Tanda
2 years
Can confirm this works as advertised. You do not even need to flash the BIOS to make DCI DbC3 work. To anyone who wants to debug and reverse engineer firmware from the reset vector, SMM, hypervisors, or any pieces of software that do not work with kernel debuggers, I recommend this
@AlanSguigna
Alan Sguigna
2 years
Taking a cue from @ilfak , we're offering our JTAG debugger SourcePoint at a new low price of $365 for hobbyists and researchers, to work with the AAEON UP Xtreme i11 Tiger Lake board over DCI:
2
7
25
3
15
55
@standa_t
Satoshi Tanda
5 years
Thank you for having me, #vxcon2019 #vxcon @vxresearch! Here is the slide deck
0
13
54
@standa_t
Satoshi Tanda
1 year
The UEFI Forum started publishing a mapping of DBX entries to CVEs last October. That significantly helps IT pros and security software understand which threats are blocked or not. Great improvement.
1
19
53
@standa_t
Satoshi Tanda
8 years
A simple elevation of privilege detector. Idea given by @halsten. Let me know your ideas on how VMM can be used for
0
41
51
@standa_t
Satoshi Tanda
3 years
Can your hypervisor handle execution of instructions from the APIC region in 16-bit protected mode? Probably not. You had not even thought of that, and even if you did, the SDM is not explicit about what processors do. Amazing research paper.
@aegiryy
Xinyang Ge
3 years
We build a hybrid fuzzer for the Hyper-V hypervisor, and have caught 11 critical bugs in the most-privileged software! It enables symbolic execution over a control-flow trace logged by Intel PT, so you can enjoy fuzzing it at full speed. Full paper here:
2
148
518
1
5
53
@standa_t
Satoshi Tanda
10 months
Confirmed with MSFT engineers that page corruption was a legit issue.
@standa_t
Satoshi Tanda
11 months
Sharing the hvext Windbg extension to help you study Hyper-V. Using this, I found what appears to be a Hyper-V bug where the root partition could bypass EPT and corrupt an arbitrary page :)
2
53
164
0
7
53
@standa_t
Satoshi Tanda
3 years
Highly recommend this class if you are interested in PC firmware security, including relevant details of the x86-64 architecture, HW/SW protection mechanisms, their misconfiguration, and attacks through SMM and S3. I helped as a private beta tester and enjoyed it a lot.
@OpenSecTraining
OpenSecurityTraining2
3 years
📣A new #OST2 class, "Architecture 4001: x86-64 Intel Firmware Attack & Defense" by @XenoKovah is now open to the public!📸💻⚔️🖖🎉
1
32
105
0
18
53
@standa_t
Satoshi Tanda
1 year
If you are ever interested in what platform config checks are performed by a SINIT ACM for DRTM, here are a few tricks to reverse engineer them (1/n)
1
14
51
@standa_t
Satoshi Tanda
1 year
Looked at Intel's implementation of SMM hardening and PPAM last night. A few pointers in a thread. Starting from the official overview, and terms: - Intel System Resources Defense (ISRD); marketing name of the SMM hardening technology
1
13
50
@standa_t
Satoshi Tanda
7 months
How to find crappy drivers at scale. > discovered 34 unique vulnerable drivers (...). All give full control of the devices to non-admin users. (...) could load them all on HVCI-enabled Windows 11 except five drivers. Or, how to professionally say "you suck, driver devs."
@cci_forensics
Takahiro Haruyama
7 months
VMW Carbon Black TAU discovered 34 unique vulnerable WDF/WDM drivers (237 file hashes), including ones made by major chip/BIOS/PC makers. By exploiting the drivers, an attacker without privilege may erase/alter firmware, and/or elevate OS privileges.
7
91
193
2
6
52
@standa_t
Satoshi Tanda
1 year
Global Cybersecurity Camp 2023 in Singapore just kicked off🇸🇬 Very excited to meet with exceptional students and amazing organizers from 8 countries and teach virtualization technology! #gccsec
0
13
49
@standa_t
Satoshi Tanda
11 months
This amazing talk by @SpecterDev at #hw_ioUSA2023 includes a very thorough analysis of the PS5 AMD hypervisor. Perhaps comparing what VBS does and what this visor does could be an interesting avenue to explore to find subtle attack vectors.
@frwololo
Wololo
11 months
PS5 Hacks: SpecterDev's Hardwear presentation slides available
5
39
249
1
13
49
@standa_t
Satoshi Tanda
3 years
I have just finished my 2nd private hypervisor development course! It was a fulfilling run with very technical, passionate engineers (again). Lots of questions were asked, which motivated me to learn further too
1
2
49
@standa_t
Satoshi Tanda
1 month
I am thrilled to present the latest virtualization-based security features with @aall86 at @reconmtl !
0
7
48
@standa_t
Satoshi Tanda
10 years
I've uploaded a PatchGuard disabler and a note. I recommend reverse engineering PG. It was the best exercise ever!
0
33
45
@standa_t
Satoshi Tanda
7 years
Our talk about hypervisors at @nullcon. Thank you to all attendees and organizers for the awesome conference!
2
33
44
@standa_t
Satoshi Tanda
1 year
Intro and exploitation of Huawei's ARM hypervisor, Secure Monitor, and Trusted OS (kind of like Secure Kernel in Windows). Really cool talk
@the_impalabs
Impalabs
2 years
If you've missed our talk at @hexacon_fr , the recording of “Hara-Kirin: Dissecting Huawei Mobile Devices” is now available! Come with us for a guided tour of Huawei's Hypervisor and TrustZone, and learn about the cool bugs we discovered along the way.
0
24
61
0
9
44
@standa_t
Satoshi Tanda
11 months
Excited to announce that my next remote class is on Nov 27-28 and Dec 4-5 (4 days). Check out details at . Registration is open! It is a unique opportunity to quickly learn Intel VT-x, -d, -rp and UEFI by writing a lightweight hypervisor together.
0
8
43
@standa_t
Satoshi Tanda
4 years
Intel SDM added the Ice Lake-specific MSRs. Ice Lake introduced the concept of an access level to lock the configuration registers as a 2nd line of defense. Once the DONE bit is set, they are automatically RO. @CHIPSEC detects it if the bit is not set
1
18
43
@standa_t
Satoshi Tanda
1 year
Registration for my hypervisor development class at #OffensiveCon23 is open! If you are interested in reading, writing or reversing hypervisors, or just low-level⚙️technologies in general, this class will be a fun and great opportunity to gain a solid understanding
@offensive_con
offensivecon
1 year
Hypervisor Development for Security Analysis by Satoshi Tanda
0
3
16
0
10
42
@standa_t
Satoshi Tanda
3 years
Thrilled to meet you all and learn the internals of hypervisors by writing one and reviewing other implementations. As a little more offensive version, we will take a look at the stealth hooking technique to hide your code patch against the UEFI core, boot loader and/or kernel
@offensive_con
offensivecon
3 years
Hypervisor Development for Security Analysis by @SatoshiTanda
0
7
25
6
17
40
@standa_t
Satoshi Tanda
2 years
My PRs merged into Bochs. Now, you can test your hypervisor's AP startup handling on Bochs with OVMF. Bochs can be very useful for an early stage of development because you can debug *instructions* like VMLAUNCH by debugging their implementation.
2
7
41
@standa_t
Satoshi Tanda
7 years
Excited to announce that I am talking about defense techniques against PowerShell attacks at CODE BLUE in Japan!
4
13
42
@standa_t
Satoshi Tanda
8 years
A sample project for making use of EPT -- DdiMon: Monitoring and controlling kernel API calls with stealth breakpoints
1
32
40
@standa_t
Satoshi Tanda
4 years
Good stuff. Pushed an example implementation of NMI handling during VMX root-mode for type-1. The previous commit includes a test program I used when I wrote it. Should be useful.
1
7
42
@standa_t
Satoshi Tanda
1 year
Debugging low-level Windows components with QEMU. Not the main point of the article, but I am happy to discover EDXi for VMware is not dead. Has anyone successfully set it up yet?
@aall86
Andrea Allievi
1 year
After a lot of time, Easter NERD post! Let's debug like a PRO @s4tan :-)
4
30
65
2
5
41
@standa_t
Satoshi Tanda
10 years
It was my first x64 kernel mode shellcode ;) http://t.co/P43tmifHZi
5
29
42
@standa_t
Satoshi Tanda
2 years
Fabulous work and talk. Did not know the PS5 AMD processor had execute-only memory (XOM)
@hardwear_io
hardwear.io
2 years
🎮 & its here....The Talk you have been eagerly waiting for... 😎Andy @theflow0 shared his journey on #hacking #PS5 & displayed bd-jb in action📀: Blu-ray Disc Java Sandbox Escape which affects PS3, PS4, PS5 🍿Enjoy the talk▶️ #hw_ioUSA2022 #jailbreak
10
65
230
2
7
40
@standa_t
Satoshi Tanda
1 year
Do it
7
9
40
@standa_t
Satoshi Tanda
10 years
WinDbg extension to find PatchGuard addresses (NOT disabling). http://t.co/ez8A8DxVdn
3
33
40
@standa_t
Satoshi Tanda
2 years
If you are interested in security🛡️x⚙️low-layer technology, please apply! Applying is free. If you are accepted, the trip to Singapore is free too. In my class this year we will study hypervisors (Intel VT-x/AMD-V) by writing one in Rust🦀. I look forward to your applications #seccamp
@security_camp
セキュリティ・キャンプ
2 years
We are holding "Global Cybersecurity Camp 2023 Singapore", a training camp for learning together across borders, nationalities and ethnicities! Participation is free (including travel, accommodation, meals and PCR test costs). Application deadline: must arrive by 16:00 on Monday, December 5, 2022. We look forward to students taking on the challenge! #seccamp
0
40
63
1
9
38
@standa_t
Satoshi Tanda
4 months
Debugging the Windows secure kernel with the "break on VM-exit" feature of JTAG. Looking forward to the next part and the update!
@AlanSguigna
Alan Sguigna
4 months
Part 1 of my blog series on debugging the Windows hypervisor and secure kernel:
0
60
170
1
4
38