Virtual File Systems for Beginners

A Virtual File System (VFS), sometimes referred to as a Hidden File System, is a storage technique most commonly used by kernel-mode malware, usually to store components outside of the existing filesystem. By using a virtual filesystem, malware developers can both bypass antivirus scanners and complicate work …


MS14-066 In Depth Analysis

A few days ago I published an article detailing how a second bug, in the schannel TLS handshake handling, could allow an attacker to trigger the DecodeSigAndReverse heap overflow in an application that doesn’t support client certificates. I had stated I was not familiar with ECC signatures and was unsure …


How MS14-066 (CVE-2014-6321) is More Serious Than First Thought

If you’ve been in a coma for the past week, MS14-066 (CVE-2014-6321) is a TLS heap overflow vulnerability in Microsoft’s schannel.dll, which can result in denial of service and even remote code execution on Windows systems (the bug is exploitable during the TLS handshake stage, prior to any authentication). According to BeyondTrust the …


Passive UAC Elevation

I had a cool idea for a way to get the user to passively elevate your application without socially engineering them to do so or requiring exploits. Obviously you could just go ahead and start mass infecting executables, but that would cause a lot of unforeseen problems and would also …