Elliot (@ElliotKillick)
66 posts
Security engineer and researcher | Elliot on Security
Toronto, Canada · Joined February 2021
40 Following · 3.5K Followers

Elliot (@ElliotKillick):
Calling all experts in Windows internals and low-level systems architecture! 'The Root of DllMain Problems' (or 'DllMain Rules Rewritten') is now in preparation for its final publication! Feedback and sign-offs from the community are greatly appreciated. github.com/ElliotKillick/…#the-root-of-dllmain-problems

Elliot (@ElliotKillick):
To all my infosec friends, if your blog doesn't yet have an email newsletter for your subscribers... well now you can have one set up in no time at virtually no cost - all open source. You're welcome. github.com/ElliotKillick/…

Elliot (@ElliotKillick):
Today, I'm releasing a new project that automates sending email newsletter notifications for new content on your blog: rss2newsletter! In just 300 lines of code, it easily replaces any overpriced and bloated proprietary solution that charges you per-contact. See link in bio 🔗

Elliot (@ElliotKillick):
Today, I'm releasing a new project that automates sending email newsletter notifications for new content on your blog: rss2newsletter! In 300 lines of code, it easily replaces any overpriced and bloated proprietary solution that charges you per-contact github.com/ElliotKillick/…

Elliot (@ElliotKillick):
I just released a new tool for searching Microsoft Developer Blogs in bulk and fully local. Really helpful for finding information on that one Windows internals component github.com/ElliotKillick/…

Elliot (@ElliotKillick):
I think I have a problem with going down rabbit holes

Elliot (@ElliotKillick):
A comprehensive analysis of all the internal Windows 10 loader states? Done - Have a look at that and a high-level analysis of how a library load works under the parallel loader github.com/ElliotKillick/…#ldr_ddag_nodestate-analysis

Elliot (@ElliotKillick):
Reverse engineering the Windows 10 parallel loader is challenging but interesting work. I recently fully reversed the pivotal LdrpDrainWorkQueue function and I'm just now working on LdrpLoadDllInternal plus others github.com/ElliotKillick/…#reverse-engineered-windows-loader-functions

Elliot (@ElliotKillick):
DllMain Rules Rewritten are Microsoft's infamous DllMain Rules - rewritten. After countless hours spent researching and reverse engineering the new and old Windows loaders, they are now complete. github.com/ElliotKillick/…#the-root-of-dllmain-problems

Elliot (@ElliotKillick):
I just spent the last few months of my life reverse engineering the Windows 10 parallel loader and figuring out how it does concurrency. Updates have now been published! github.com/ElliotKillick/…

Elliot (@ElliotKillick):
@sixtyvividtails Sure. You have to break on data access of the SRW lock because the loader modifies it directly without calling RtlAcquireSRWLockExclusive sometimes

sixtyvividtails (@sixtyvividtails):
@ElliotKillick No contradictions here. Now accept that the first entry in the module list is a regular entry. Then correct FreeLibrary info: it is able to unload dependencies. Then explain wth module deinit "done before" refcount decremented. Dupe instr - where? Locks count 20 is wrong. Etc...

Elliot (@ElliotKillick):
What is Loader Lock? 🤔 Going BEYOND undocumented, we delve into the heart of the modern Windows loader investigating some internals for the first time and demystifying Loader Lock. 🔒 Check out the research article elliotonsecurity.com/what-is-loader…

Elliot (@ElliotKillick):
@sixtyvividtails Thanks for contributing, I'll update the repo shortly

sixtyvividtails (@sixtyvividtails):
@ElliotKillick LDR_DATA_TABLE_ENTRY.Lock is srwlock used to protect saving resolved delay-load imports into module. See ntdll!LdrpWriteBackProtectedDelayLoad.

Elliot (@ElliotKillick):
Thrilled to unveil the "Windows vs Linux Loader Architecture" project! The FIRST side-by-side comparison ever done unraveling the similarities and differences of this core component between operating systems. Check out the new repo! github.com/ElliotKillick/…

Elliot (@ElliotKillick):
@sixtyvividtails Yes, so the list heads are part of the circular list. Look for yourself in WinDbg. I didn't make the pic but I'll check that. Any more perceived errors could only be due to your misunderstanding for which I would be happy to clarify.

sixtyvividtails (@sixtyvividtails):
@ElliotKillick Var ntdll!PebLdr type is PEB_LDR_DATA. It contains list heads. Module lists are linked into these heads. So the first LDR_*_ENTRY *is* regular entry, and arrow (4) from the lower-left quad in your pic should actually point to PEB_LDR_DATA+30. And much more errors in the article.

Elliot (@ElliotKillick):
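As an added example (not code from either participant, and not from Elliot's repository or article), the program below models the leading fields of PEB_LDR_DATA and LDR_DATA_TABLE_ENTRY in their x64 layout and walks a constructed module list the way loader consumers do: the three LIST_ENTRY heads live inside PEB_LDR_DATA (the init-order head at +0x30 on x64), each node reached through Flink is recovered to its LDR_DATA_TABLE_ENTRY by subtracting the embedded link's offset (what ntdef.h's CONTAINING_RECORD does), and the walk ends when Flink comes back to the head, which is how the sentinel is told apart from a regular entry. The three modules, their names and the main-image-not-on-init-list shape are constructed for the example; in a real process the head would come from the PEB's Ldr pointer instead of the static struct here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Circular doubly linked list node, as in ntdef.h. */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;
    struct _LIST_ENTRY *Blink;
} LIST_ENTRY;

/* Leading fields of PEB_LDR_DATA; offsets in comments are x64
 * (the three heads are at 0x0C/0x14/0x1C on 32-bit x86). Each head is a
 * sentinel inside PEB_LDR_DATA, not part of any module record. */
typedef struct _PEB_LDR_DATA {
    uint32_t   Length;                          /* +0x00 */
    uint8_t    Initialized;                     /* +0x04 */
    void      *SsHandle;                        /* +0x08 */
    LIST_ENTRY InLoadOrderModuleList;           /* +0x10 */
    LIST_ENTRY InMemoryOrderModuleList;         /* +0x20 */
    LIST_ENTRY InInitializationOrderModuleList; /* +0x30 */
} PEB_LDR_DATA;

/* Leading fields of LDR_DATA_TABLE_ENTRY (x64). The real structure continues
 * with UNICODE_STRINGs, flags, the per-entry Lock and more; BaseDllName here
 * is a constructed C string, so only the first 0x44 bytes are layout-accurate. */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY  InLoadOrderLinks;           /* +0x00 */
    LIST_ENTRY  InMemoryOrderLinks;         /* +0x10 */
    LIST_ENTRY  InInitializationOrderLinks; /* +0x20 */
    void       *DllBase;                    /* +0x30 */
    void       *EntryPoint;                 /* +0x38 */
    uint32_t    SizeOfImage;                /* +0x40 */
    const char *BaseDllName;                /* constructed convenience field */
} LDR_DATA_TABLE_ENTRY;

static void InitializeListHead(LIST_ENTRY *head) { head->Flink = head->Blink = head; }

static void InsertTailList(LIST_ENTRY *head, LIST_ENTRY *entry) {
    LIST_ENTRY *last = head->Blink;
    entry->Flink = head;
    entry->Blink = last;
    last->Flink = entry;
    head->Blink = entry;
}

enum module_list { LOAD_ORDER, MEMORY_ORDER, INIT_ORDER };

/* The head in PEB_LDR_DATA and the offset of the matching link in an entry. */
static const LIST_ENTRY *list_head(const PEB_LDR_DATA *ldr, enum module_list which,
                                   size_t *link_offset) {
    switch (which) {
    case LOAD_ORDER:
        *link_offset = offsetof(LDR_DATA_TABLE_ENTRY, InLoadOrderLinks);
        return &ldr->InLoadOrderModuleList;
    case MEMORY_ORDER:
        *link_offset = offsetof(LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
        return &ldr->InMemoryOrderModuleList;
    default:
        *link_offset = offsetof(LDR_DATA_TABLE_ENTRY, InInitializationOrderLinks);
        return &ldr->InInitializationOrderModuleList;
    }
}

/* Constructed process: the main image plus two DLLs. The exe sits on the
 * load- and memory-order lists but, like a real main image, not on the
 * init-order list, so the first init-order entry is ntdll.dll. */
static PEB_LDR_DATA g_ldr;
static LDR_DATA_TABLE_ENTRY g_mods[3];

static PEB_LDR_DATA *constructed_ldr(void) {
    static int built;
    static const char *names[3] = { "example.exe", "ntdll.dll", "kernel32.dll" };
    if (built) return &g_ldr;
    built = 1;
    InitializeListHead(&g_ldr.InLoadOrderModuleList);
    InitializeListHead(&g_ldr.InMemoryOrderModuleList);
    InitializeListHead(&g_ldr.InInitializationOrderModuleList);
    for (int i = 0; i < 3; i++) {
        g_mods[i].BaseDllName = names[i];
        InsertTailList(&g_ldr.InLoadOrderModuleList, &g_mods[i].InLoadOrderLinks);
        InsertTailList(&g_ldr.InMemoryOrderModuleList, &g_mods[i].InMemoryOrderLinks);
        if (i > 0) /* DLLs only */
            InsertTailList(&g_ldr.InInitializationOrderModuleList,
                           &g_mods[i].InInitializationOrderLinks);
    }
    g_ldr.Length = sizeof g_ldr;
    g_ldr.Initialized = 1;
    return &g_ldr;
}

/* Offset of the init-order head relative to PEB_LDR_DATA (0x30 on x64). */
size_t init_order_head_offset(void) {
    return offsetof(PEB_LDR_DATA, InInitializationOrderModuleList);
}

/* Walk one list: the node right after the head is already a regular module
 * entry; the walk stops when Flink returns to the head (the sentinel), which
 * must never be converted to an LDR_DATA_TABLE_ENTRY. Returns the count. */
size_t list_modules(enum module_list which, const char **names, size_t max) {
    size_t off, n = 0;
    const LIST_ENTRY *head = list_head(constructed_ldr(), which, &off);
    for (const LIST_ENTRY *e = head->Flink; e != head && n < max; e = e->Flink) {
        const LDR_DATA_TABLE_ENTRY *m = (const LDR_DATA_TABLE_ENTRY *)((const char *)e - off);
        names[n++] = m->BaseDllName;
    }
    return n;
}

/* First node after a head, and the sentinel test a walker relies on. */
const LIST_ENTRY *first_node(enum module_list which) {
    size_t off;
    return list_head(constructed_ldr(), which, &off)->Flink;
}

int node_is_sentinel(enum module_list which, const LIST_ENTRY *node) {
    size_t off;
    return node == list_head(constructed_ldr(), which, &off);
}

int main(void) {
    const char *names[8];
    size_t n = list_modules(INIT_ORDER, names, 8);
    printf("init-order head at PEB_LDR_DATA+0x%zx, %zu entries:", init_order_head_offset(), n);
    for (size_t i = 0; i < n; i++) printf(" %s", names[i]);
    printf("\n");
    return 0;
}
```

The walk uses the list head only as a termination marker; treating the head as if it were an entry (for example by applying the link offset to it) would read PEB_LDR_DATA bytes as an LDR_DATA_TABLE_ENTRY, which is the mistake the sentinel check prevents.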
@sixtyvividtails Nope, you don't know what you're on about. ntdll!PebLdr is part of the module linked list. I verified this in multiple ways. My research is entirely accurate. Twitter commenters like you are unfortunately common.

sixtyvividtails (@sixtyvividtails):
@ElliotKillick I have to retract that first statement. While it's obvious a lot of effort was put into the research, a closer look reveals that the article contains a number of substantial inaccuracies, and has certain self-contradictory issues.

Elliot (@ElliotKillick):
The full and open source code used in "Perfect DLL Hijacking" has now been released on GitHub: LdrLockLiberator github.com/ElliotKillick/…

Elliot (@ElliotKillick):
Perfect DLL Hijacking: It's now possible with the latest in security research. Building on previous insights from @NetSPI, we reverse engineer the Windows library loader to disable the infamous Loader Lock and achieve ShellExecute straight from DllMain. 🔍 Link in bio 🔗