株式会社SliceCheese「SecureKernel」 ホワイトハッカー出身のチームが開発する、セキュリティ認証自動取得プラットフォーム。 複数のセキュリティフレームワークへの準拠支援を、APIを用いて自動診断し設定変更をサポート。 フレームワークへの準拠を現場担当者だけで実現可能にする。 #monthlypitch

WinDBG is not successfully adopted to windows securekernel, because there is no KdVersionBlock inside it, but can still give useful information about modules.

Windows 10 20H1 securekernel can be easily analyzed in runtime using WinDBG EXDi extension and pykd plugin.

Windows Device Guard description and some information about securekernel internals by @BSI_Bund https://t.co/IQgkIMBBUp

【解説資料無料ダウンロード】��産省「サプライチェーン強化に向けたセキュリティ対策評価制度」早わかりガイドを無料公開 https://t.co/gKvIBUR6ta

AIエージェントを活用したセキュリティ認証自動評価・取得プラットフォーム「SecureKernel」／Monthly Pitch! スタートアップの扉 MonthlyPitchの今月の注目4社です。二社目はこちら https://t.co/KCy9CfWZeV

Securekernel SkiSecureServiceTable is compacted in runtime (by SkiCompactSecureServiceTable function). Before every calling in KiSystemCall64, address of routine must be calculated. It can be deciphered in runtime using debugger:

Am I doing this right ? #HVCI #SecureKernel

Interesting difference between vmware and hyper-v: if the securekernel calls sk!SkeBugCheckEx, vmware lets it BSOD with SECURE KERNEL ERROR, while hyper-v catches it as a vmexit in the vmexit loop handler (MinimalLoop) as a REASON_EPT_VIOLATION, and reboot

Interesting, that hypercall names for securekernel and securekernella57.exe is different for same Windows build. It looks like that modules were written independently

RtlAcquireSRWLockShared inlined all over securekernel.exe

Modules, which is loaded in Windows Server 2022 securekernel address space (SkpgBootDrivers list)

👀Monthly Pitch 注目のスタートアップ👀として、ピッチ内容が @thebridge_jp にも掲載されています！ 株式会社SliceCheese「SecureKernel」 https://t.co/SV5uUFhU5p

WinDBG can show modules, that loaded in securekernel address space, with 'lm' command. No need to use separate python script for viewing it.

ChatGPT analysis of Intel Processor Trace collected between Windows securekernel!SkeStartProcessor and ntkrnlmp!KeStallExecutionProcessor. A new game-changing RE and debug tool: https://t.co/oxzbAcXEcz

When the hypervisor sharedpage got added a month ago (see ntdll!RtlQueryPerformanceCounter), securekernel adds SkmiMapSharedUserData and more. Last month (version 10.0.17120.1), new stuff added to the sk, but still only use for query info (comes from NtQuerySystemInformation)

One of the attack surfaces to VSM, is of-course the interface to all the VTL1 services (implemented in securekernel!IumInvokeSecureService). In RS5, there is another one! ID==0xf7, name securekernel!SkVmSvcCall :)

OK guys, RS5 17661 – let’s start with the securekernel (10.0.17661.1001). So – more changes to the interface of all the VTL1 services (IumInvokeSecureService). And - lots of hotpatch mechanism functions added! New attack surface guys! :)

Additional runtime variables from securekernel. Windows 11 Preview build 25267