Alex Ionescu
Technical Director, Platform Operations and Research at @cse_cst. Windows Internals author and trainer. He/Him. RTs are not endorsements, opinions are my own.
May 16, 2021 4 tweets 1 min read
Playing around with my first AMD Ryzen system. Turns out the "AMD PCI Driver" isn't actually a PCI Driver... at all.

Here's a few fun facts:

1) It registers a process creation notify routine, and checks all process names against a list of 19 hashed names.

2) If it finds a match, it sets bit 5 in the 0xC0011021 [C001_1021] MSR, also called "Instruction Cache Configuration Register (IC_CFG)". This particular bit isn't documented anywhere (and there's no longer a BKDG for Ryzen).

Who wants to guess what this might be about?
May 5, 2021 4 tweets 1 min read
I’m not sure why you are externally replying this way instead of reaching out to me directly if you felt my answer offended you in any way (I apologize). I genuinely was trying to be helpful — provided a reference, and really meant the fact the answer would not fit in a tweet. I would’ve loved nothing more than to provide you with a thorough answer by email or in a short call if you had followed up. I have a career built on helping others. My correction wasn’t meant to cancel your question but rather to refine it. I’m not sure why you decided to mock me
Apr 14, 2021 5 tweets 1 min read
1) Note the Windows binary in ACPI memory. This is a lovely "Windows Platform Binary Table" (WPBT) rootkit that most OEM vendors now shove in your systems.

2) Most OS developers assume they have the standard 5 UEFI runtime DXEs mapped (PcRtc, MonotonicCounterRuntime, ResetSystemRuntime, VariableSmmRuntime, CapsuleRuntime) because that's what Windows captures in the HAL.
There's a lot more in there, including SPI, PCH, and SMM DXEs.
Jan 26, 2021 9 tweets 2 min read
I was repeatedly targeted by the threat actor from December 4th until January 24th. I never received any LPE. It surprised me so many people did, given the context. I’d like to offer some non-technical advice on how you can avoid becoming a victim of this specific type of attack: First, the lure was the ask of advice on weaponizing a DirectX Kernel 0day exploit.

Unless you know a researcher, it seems like a dubious choice to advise in the exploitation of an 0day. You never know what they’re going to be doing with it.
Apr 25, 2018 4 tweets 1 min read
1/ Of all the weird stuff I have ever seen Win32k.sys do, and trust me, I've seen a lot, I have to say this takes the icing on the cake. This is now all over it. Is there a new dev team that doesn't understand how (why?) the code base works? Is someone desperately hunting a bug?

2/ I am a huge fan of assertions -- use them all over the place. But _runtime_ assertions, with textual strings which send a live crash/telemetry back to the developer? They also happen to basically provide a guided map to where the bugs are. I love seeing words like "should".