Yarden Shafir

@yarden_shafir

Followers
19,090
Following
273
Media
718
Statuses
5,690

A circus artist with a visual studio license

Joined January 2018
Pinned Tweet
@yarden_shafir
Yarden Shafir
2 years
Trying to learn security research and getting overwhelmed by all the details? I just published a guide showing my process for step-by-step analysis of a security feature:
Tweet media one
21
552
2K
@yarden_shafir
Yarden Shafir
24 days
My teenage brother interviewed for a job at McDonalds. They asked him why he wants to work there, and why he chose McDonalds specifically. What’s the expected answer from a teenager looking for an after school job selling burgers?
2K
2K
92K
@yarden_shafir
Yarden Shafir
24 days
Things were so much easier when I was a kid. Then the bar was “do you have a pulse and are you willing to work for minimum wage and mild verbal abuse?”
44
310
31K
@yarden_shafir
Yarden Shafir
2 years
My teenage brother’s coding teacher is telling them to keep variable names short - 1-2 characters, to make their code shorter and save space. If you teach, please don’t do this. I’m trying to undo the damage now.
468
740
13K
@yarden_shafir
Yarden Shafir
24 days
@cyberwabz I worry they’ll take it the wrong way. That specific branch has been a pretty remarkable failure 😂
13
15
10K
@yarden_shafir
Yarden Shafir
3 years
All those hacker movies really didn't prepare me for how working in cybersecurity is mostly just moving Jira tickets around
81
488
4K
@yarden_shafir
Yarden Shafir
24 days
@gleebix Would hire immediately
2
5
3K
@yarden_shafir
Yarden Shafir
2 years
Linux integration into Windows is so much more impressive than I thought! This recent build even broke the audio drivers to give us the full Linux experience 🤩
36
272
3K
@yarden_shafir
Yarden Shafir
24 days
@tony_bridges_el Hahaha what an experience
1
0
2K
@yarden_shafir
Yarden Shafir
24 days
@_mattata Wow that’s so much better than anything I could come up with
8
1
2K
@yarden_shafir
Yarden Shafir
24 days
@Asher_Wolf Not gonna lie if a kid said that to me with a serious face I don’t think I could stop myself from laughing
3
11
2K
@yarden_shafir
Yarden Shafir
1 year
This is what defeat looks like
Tweet media one
27
90
2K
@yarden_shafir
Yarden Shafir
1 year
Microsoft wiping all their old blog posts and documentation is a modern tragedy
50
85
1K
@yarden_shafir
Yarden Shafir
17 days
I’m proud to announce that after 2 hours of debugging I managed to get my machine back to the same working state it was in before I fucked with it
20
100
1K
@yarden_shafir
Yarden Shafir
11 months
Is my code pretty? No. But does it work? Also no. But is it well documented? Absolutely not.
38
211
1K
@yarden_shafir
Yarden Shafir
3 years
This is a historical moment. After 5 years in cybersecurity I finally decided that I actually do need more than one screen.
54
32
1K
@yarden_shafir
Yarden Shafir
2 years
@quentynblog A whole colon? In this economy??
4
20
1K
@yarden_shafir
Yarden Shafir
2 years
I hate that I’ve become the person who answers technical questions with “it depends” and “what are you actually trying to do”
59
79
1K
@yarden_shafir
Yarden Shafir
24 days
@cyberwabz Haha I don’t care if the branch succeeds or fails. He doesn’t need a 20 year career there, he just wants some money for snacks and football games
8
1
873
@yarden_shafir
Yarden Shafir
4 years
The WinDbg data model is awesome and still being ignored by way too many people! So I wrote a guide for using it, hoping it would change your debugging experience the same way it changed mine:
10
260
725
@yarden_shafir
Yarden Shafir
2 years
As promised, I wrote about my Windows 11 post exploitation technique to go from an arbitrary write/increment to a full read/write through I/O rings:
Tweet media one
3
266
688
@yarden_shafir
Yarden Shafir
1 year
Be warned, anyone asking me how to become a hacker will receive this PDF of the full intel manual that is eternally open in my browser
Tweet media one
42
32
631
@yarden_shafir
Yarden Shafir
1 year
Microsoft is preparing to kill many known KASLR bypasses in the next release. Unless the calling process has debug privilege enabled, kernel addresses will be stripped from the output data for all leaking NtQuery APIs
Tweet media one
12
150
628
@yarden_shafir
Yarden Shafir
11 months
Today my code is failing because calling rand() only ever returns 41. On every single run. No, I have no answers.
44
28
599
@yarden_shafir
Yarden Shafir
2 years
@tihmstar With 2 chars you can get up to 676 variables and entirely unreadable code
10
2
589
@yarden_shafir
Yarden Shafir
2 months
When has anyone ever wanted the full Teams experience
Tweet media one
12
57
577
@yarden_shafir
Yarden Shafir
3 months
MacOS people, how do you do it? This is the worst UX I’ve ever seen. Nothing is where I expect it to be. Nothing works the way I think it will. Error messages don’t mean anything and there’s no confirmation when an action is done??? What is this system???
101
32
543
@yarden_shafir
Yarden Shafir
1 year
Can we talk about how Windows Defender is using undocumented features that other EDRs aren't supposed to know about or use (officially)?
Tweet media one
26
92
535
@yarden_shafir
Yarden Shafir
2 months
“A day in the life of a hacker” but it’s just me setting up Python virtual environments and fighting VM networking issues for 12 hours straight
11
58
534
@yarden_shafir
Yarden Shafir
2 years
Trying to learn RE? Compile an open source project and RE it side by side with the source code. Try to guess what the assembly does and compare your guesses with the code until your intuition gets better and you learn to recognize patterns.
12
85
476
@yarden_shafir
Yarden Shafir
3 years
I pretended I'm an exploit dev and created a stable exploit to CVE-2020-1034, that's tagged by MS as "low complexity". But only if crashing the machine is your only goal: Thank you @aionescu for all the help and reviews! 😄
Tweet media one
4
157
480
@yarden_shafir
Yarden Shafir
1 year
Want to practice your kernel VM and exploitation skills? Pick any driver from the HVCI driver block list and see what you can find. Here for example is NCHGBIOS2x64.sys, that has some pretty clear issues (systemBuffer is user input):
Tweet media one
Tweet media two
Tweet media three
Tweet media four
5
98
469
@yarden_shafir
Yarden Shafir
1 year
Today's post for those of you interested in debugging, memory forensics, and obscure driver communication methods:
Tweet media one
6
150
474
@yarden_shafir
Yarden Shafir
4 years
After a lot of work and some crypto-related delays, I couldn't be more proud to publish @aionescu's and my latest research - The complete overview of CET internals on Windows (so far!):
10
219
466
@yarden_shafir
Yarden Shafir
3 years
A new blog post in which I get in touch with my inner dev and write about a non-security feature - I/O Rings: As always, thank you @aionescu for the technical help and the reminder that sometimes code is added to do stuff, not just break them.
Tweet media one
11
138
453
@yarden_shafir
Yarden Shafir
3 years
Running out of EDR bypass techniques (that's funny, of course you're not)? Don't worry, Microsoft is here to help you with a new one:
Tweet media one
5
181
427
@yarden_shafir
Yarden Shafir
3 years
A bit late to the party but here's my contribution to #infosecbikini
Tweet media one
6
4
420
@yarden_shafir
Yarden Shafir
3 months
I get lots of requests for recommended resources for learning Windows, exploitation, VR, etc. I have some good links but there’s lots of others I don’t know or forgot about. Give me your best suggestions please! Feel free to link your own stuff, I wanna see it!
24
123
418
@yarden_shafir
Yarden Shafir
6 months
Thanks Uber
Tweet media one
13
13
408
@yarden_shafir
Yarden Shafir
16 days
If you’re considering a career in low level research and exploitation please keep in mind that in the last 36 hours I spent 8 hours staring at a raw physical memory dump looking for byte patterns that might not exist there
14
19
403
@yarden_shafir
Yarden Shafir
5 months
Be prepared to lose your kernel pointers! Windows will soon start restricting KASLR leaks to non-admins: (mentioned this here before but figured it's worth a blog post)
Tweet media one
10
132
396
@yarden_shafir
Yarden Shafir
1 year
RE riddle: what does this function do?
Tweet media one
30
26
393
@yarden_shafir
Yarden Shafir
2 years
Did you know you can mark things in WinDbg in different colors to keep track of repeated values? I find it super useful when debugging things involving large data structures with no available symbols
Tweet media one
9
59
390
@yarden_shafir
Yarden Shafir
4 years
Can your EDR detect symbolic link callback rootkits? Because ours sure as heck can't. @aionescu and I wrote about these!
4
151
362
@yarden_shafir
Yarden Shafir
1 year
170 of the drivers load with the most recent HVCI driver blocklist. Do with this information what you will.
Tweet media one
Tweet media two
Tweet media three
Tweet media four
8
90
351
@yarden_shafir
Yarden Shafir
1 year
- Write driver that blocks all DNS traffic for a project
- Load driver to test
- Get distracted by unfamiliar API
- Google the API, get network error
- Debug network issues for 30 minutes
- Remember DNS-blocking driver
Wish I could say this only happened once.
5
18
350
@yarden_shafir
Yarden Shafir
2 years
Tech enthusiast: computers are deterministic. None of it is magic. Everything has a rational explanation.
Tech professionals: My compiler doesn’t like it when the screen is facing the door so I need to turn the screen to make it happy
12
45
325
@yarden_shafir
Yarden Shafir
1 month
I know comparing ourselves to others is dumb. But my research hasn’t been going well lately and seeing all the amazing pwn2own winners this week got me feeling a bit down. So, taking a short break from computers and going to touch sand.
Tweet media one
21
7
323
@yarden_shafir
Yarden Shafir
9 months
As of build 25915 (latest Preview) all known API-based kernel address leaks no longer work unless requested by a process with SeDebugPrivilege (only available to admin processes)
Tweet media one
@yarden_shafir
Yarden Shafir
1 year
Microsoft is preparing to kill many known KASLR bypasses in the next release. Unless the calling process has debug privilege enabled, kernel addresses will be stripped from the output data for all leaking NtQuery APIs
Tweet media one
12
150
628
6
106
314
@yarden_shafir
Yarden Shafir
2 months
Attention EDR developers: In 24H2 MS will allow you to receive notifications for drivers blocked by HVCI through SeRegisterImageVerificationCallback through a new CallbackType. You'll need to register twice: once for image loads and once for HVCI-blocked images.
Tweet media one
Tweet media two
Tweet media three
4
83
316
@yarden_shafir
Yarden Shafir
2 years
As a security person I appreciate all the browser and system features that make it harder for users to accidentally download and run malware. As someone who just spent 15 minutes trying to get a malicious driver I need for testing, fuck this.
11
25
313
@yarden_shafir
Yarden Shafir
1 year
Never imagined I’d get such positive feedback on my OffensiveCon talk from all the people I look up to so much. You all are the best and made me so happy 🥰 Slides + recording will be published. Photo by @daveaitel
Tweet media one
10
16
293
@yarden_shafir
Yarden Shafir
4 years
After the WinDbg guide, here's another useful thing you should get to know better - the Windows Debugger API. Thank you @aionescu for introducing me to this and for making this post better :)
1
117
293
@yarden_shafir
Yarden Shafir
2 years
Getting lots of questions lately about how I approach a new research project. So here's a new post documenting the research process of another mitigation: module tampering protection:
Tweet media one
5
102
284
@yarden_shafir
Yarden Shafir
2 years
Today is my last day at CrowdStrike. I had the privilege to work with the most incredible people and learned so much. I can't wait to see all the amazing things they'll keep building. Now I'll see if I can remember how to rest before doing my next thing soon!
19
3
276
@yarden_shafir
Yarden Shafir
2 years
Another glamorous day in the life of a reverse engineer
Tweet media one
15
23
273
@yarden_shafir
Yarden Shafir
3 years
We have just launched - a space for the security and low level community including forums, articles and tools. Join, ask questions, answer questions and read the awesome blogs!
7
81
272
@yarden_shafir
Yarden Shafir
1 year
Love seeing this exploit use my I/O ring exploitation technique 🥰 Waiting for the blog post! For any other potential exploit writers, the technique is described here:
@chompie1337
chompie
1 year
Releasing a Windows 11 LPE exploit by @FuzzySec and I. Exploits CVE-2023-21768, a vuln in afd.sys. Blog post soon!
32
574
2K
2
67
269
@yarden_shafir
Yarden Shafir
1 year
I could tweet that my laptop died cause I dropped it in the ocean and some people here would still reply to tell me I should use Linux
33
18
266
@yarden_shafir
Yarden Shafir
3 years
Is there a way to leave infosec without starting a tomato planting business or is that required?
28
20
261
@yarden_shafir
Yarden Shafir
2 years
Closing 100 chrome tabs without looking at their content is self care
9
19
265
@yarden_shafir
Yarden Shafir
6 months
Someone this morning was very upset that they are forced to see my circus content on their feed. So anyway, here’s more circus content.
22
7
262
@yarden_shafir
Yarden Shafir
24 days
@evans_cn A weird way to interview teenagers in any job market
2
2
256
@yarden_shafir
Yarden Shafir
2 months
This occasionally comes up in my DMs so here's a few Windows Internals / RE exercises and projects for people at different knowledge levels: 1. What happens when you call CreateFile? From Win32, syscall, filter drivers, filesystems, disk access, etc. 1/2
4
39
255
@yarden_shafir
Yarden Shafir
2 years
Yesterday was my first day @trailofbits 😱 I’m excited and terrified and feel like an imposter all over again. Overall I have a good feeling about this change!
17
8
253
@yarden_shafir
Yarden Shafir
2 years
For the new year I started a new blog post series on HyperGuard: PatchGuard’s lesser-known sibling:
3
89
252
@yarden_shafir
Yarden Shafir
2 years
The real heroes of RE work:
- Plain txt websites in Russian
- GitHub pages in Chinese
- anonymous webpage created in 2007 called input.c.html
6
19
249
@yarden_shafir
Yarden Shafir
2 years
1
0
241
@yarden_shafir
Yarden Shafir
2 months
appid.sys receives 2 function pointers from a user and blindly calls them. 0 validations are done. The most interesting part of this bug to me is that this very trivial bug isn't an ancient one that hasn't been discovered for decades -- it was introduced in Windows 10.
@blackorbird
blackorbird
2 months
#Lazarus exploited a flaw in the Windows AppLocker driver (appid.sys) as a zero-day to gain kernel-level access and turn off security tools. CVE-2024-21338 Beyond BYOVD with an Admin-to-Kernel Zero-Day
Tweet media one
7
180
503
5
66
241
@yarden_shafir
Yarden Shafir
2 years
It's impossible for me to do time estimates because my 3-day hyperfocus got me 80% through a huge task but now it's over so the last 20% will take 6-8 weeks
3
20
238
@yarden_shafir
Yarden Shafir
1 year
Quick blog post on a new ETW event to monitor "valid" KASLR bypasses through system calls:
Tweet media one
7
104
239
@yarden_shafir
Yarden Shafir
2 years
xmm instructions are all generated by cats walking on keyboards. If I'm wrong, explain this: punpcklqdq
10
37
228
@yarden_shafir
Yarden Shafir
2 years
WinDbg tip of the day: !chksvctbl -v Prints all NT system calls, their indexes and addresses @windbgtips
1
35
224
@yarden_shafir
Yarden Shafir
3 years
ADHD people: how do you keep a healthy eating schedule, especially in non-work days? Almost every day I look at the time around lunch and discover it's 7pm and all I ate today is too much coffee.
47
17
217
@yarden_shafir
Yarden Shafir
2 years
Windows persistence tip: lots of binaries run from user-writeable paths and search for DLLs in their own directory before they try System32. Create a fake common DLL in their dir and it'll get autoloaded when the app runs (bonus points if app auto-runs at boot)
7
42
209
@yarden_shafir
Yarden Shafir
9 months
This is where I go to pretend that computers don’t exist
19
4
212
@yarden_shafir
Yarden Shafir
2 years
Pro tip for Windows kernel researchers: read the Linux kernel docs. Yes, seriously.
3
11
205
@yarden_shafir
Yarden Shafir
2 years
It's been a while since part 2 so here's part 3 of the HyperGuard analysis series: registers, intercepts, extents and more:
Tweet media one
1
70
207
@yarden_shafir
Yarden Shafir
3 years
Officially presenting PoolViewer - a pool analyzing tool for RS5+: I'm super excited about this tool and hope you will be too!
Tweet media one
4
59
198
@yarden_shafir
Yarden Shafir
3 years
Slides for my talk "Windows Heap-backed pool: the good, the bad and the encoded" are available here:
1
74
201
@yarden_shafir
Yarden Shafir
24 days
@LongBoi_Mat I haven’t seen that clown in years! Think he was retired for scaring children?
4
0
199
@yarden_shafir
Yarden Shafir
2 years
Fangirling over @chompie1337 for facing every speaker’s worst nightmare and delivering a 🔥🔥 talk
Tweet media one
7
3
198
@yarden_shafir
Yarden Shafir
2 years
I’m using a debugger to debug my kernel debugger that I set up to debug the user-mode debugger on my VM so I think this is the time to switch from coffee to wine
9
18
195
@yarden_shafir
Yarden Shafir
24 days
@tony_bridges_el I’d feel the same way. You clearly wanted that job more than any other candidate.
1
1
196
@yarden_shafir
Yarden Shafir
11 months
Fun WinDbg TTD (Time Travel Debugging) fact: you can query all the function calls done by a process, and the query supports wildcards
Tweet media one
6
35
191
@yarden_shafir
Yarden Shafir
1 year
@vxunderground Starting the timer until a vulnerability through malicious document “history” leads to code execution in explorer.exe
2
4
189
@yarden_shafir
Yarden Shafir
1 month
This is my only contribution to the xz backdoor discussion
Tweet media one
4
36
194
@yarden_shafir
Yarden Shafir
3 years
21H1 introduced a new change to the kernel dispatcher for the first time in a decade - so I had to write about it and find creative uses for it:
Tweet media one
2
72
193
@yarden_shafir
Yarden Shafir
2 years
For someone used to reverse engineering every little thing on Windows being able to read the source code for Linux features feels like cheating
7
9
187
@yarden_shafir
Yarden Shafir
2 years
@netspooky Today I found a technical discussion between 2 Russian researchers where they agreed that they could switch to Russian but will keep using English for future people who look into the topic and I don’t know who they are but I love them
2
6
185
@yarden_shafir
Yarden Shafir
1 month
No idea why but seems like lots of people here think I’m a man. Doesn’t especially bother me, but um… I’m not. Anyway.
Tweet media one
16
2
186
@yarden_shafir
Yarden Shafir
22 days
Shout out to @aall86 for building SkTool. The easiest way to find out what Hypervisor / secure kernel features are enabled on a system
Tweet media one
6
39
183
@yarden_shafir
Yarden Shafir
1 month
Can’t share any details but I did a cool thing today and wanna be excited about it so please be excited for me
17
3
184
@yarden_shafir
Yarden Shafir
1 year
🥳
Tweet media one
6
38
178
@yarden_shafir
Yarden Shafir
11 months
@x86matthew Wow there’s an actual answer!! And yes my srand() got lost in the refactoring 😅
1
1
180