Stephan Bridger

Detecting WoW64 Processes

Sun, 11 May 2025 00:00:00 +0000

WoW64 (Windows 32-bit on Windows 64-bit) is a subsystem within Microsoft Windows that lets Windows run 32-bit programs on 64-bit hardware.

One way to glean what processes are currently running in WoW64 mode is by querying NtQuerySystemInformation and checking whether IsWow64Process returns true or not.

This returns a pointer to a value that is set to TRUE if the process is running under WOW64 on an Intel64, x64, or ARM64 processor.

Bypassing Windows Defender

Wed, 16 Apr 2025 00:00:00 +0000

Lately I’ve been poking around at Windows internals and writing low level code. This morning I thought I’d try to bypass Windows Defender and get a low score on Virus Total.

One trick I’ve been playing with is writing shellcode to the Windows registry to keep things “fileless.” It’s not super fancy, but it’s kind of neat. I combined that with indirect syscalls and some cryptographic routines to get Windows Defender to chill out.

Extracting Windows WiFi Profiles

Wed, 19 Mar 2025 00:00:00 +0000

wifiExtract

The other day my grandmother forgot her Windows WiFi SSID and password when she wanted to share it with a friend. So I thought if I could just automate the retrieval of her wireless profiles, she would never forget them again in the future.

It turns out, the Windows API offers a nice way to enumerate WLAN information. First, we open a handle to the WLAN system by first calling the WlanOpenHandle function, which we can then use to enumerate WLAN interfaces with the WlanEnumInterfaces function. ¹

Infecting Linux ELF Files

Sun, 23 Feb 2025 00:00:00 +0000

Elfland

Lately I’ve been thinking about Linux internals and malware. In this blog post, we’re going to hark about the ELFs. Just as Windows has its own executable format, so too does Linux.

If we look at the source code¹ to the Executable and Linkable Format specification in elf.h, we can see the definition of the ELF header and some of its core machinery to get an idea of how it works.

A Sideblog on Blogspot

Mon, 04 Sep 2023 00:00:00 +0000

I’ve been somewhat mute here lately and haven’t updated my GitHub Pages in a while. However, I’ve been actively engaged in research and taking notes on a new sideblog on Blogspot.

So, I’ve been writing a little Rust, Python, and C# code, exploring operating system internals. And utilizing aspects of .NET to do stuff on Windows. And occasionally, I’ve been analyzing malware.

Using C Sharp to Enumerate Windows Processes

Sun, 03 Sep 2023 00:00:00 +0000

In previous posts, I covered how to observe process information in Windbg by starting a debugging session and dumping the Process Environment Block.

And how we can view the EPROCESS structure, including a doubly linked-list of active processes via ActiveProcessLinks.

But in this post, we’ll discuss yet another way of gleaning information about processes in Windows, this time from another structure within the Windows ecosystem: the SYSTEM_PROCESS_INFORMATION structure.

SYSTEM_PROCESS_INFORMATION Structure

Microsoft tells us in their documentation that this structure holds various entries which hold system and process information.

Finding Active Processes with Windbg

Sat, 02 Sep 2023 00:00:00 +0000

In the Windows kernel, each process is assigned an EPROCESS structure, which is a kernel object that represents a program or process. And a Process Environment Block (PEB) is just one of many structures pointed to by the EPROCESS structure. A snippet from _EPROCESS as documented on Vergilius Project:

volatile ULONGLONG OwnerProcessId;
struct _PEB* Peb;
struct _MM_SESSION_SPACE* Session;
VOID* Sparel;

In user space however, we cannot directly reference all of the EPROCESS structures and their data. At most, we can do something like dt nt!_EPROCESS in windbg and get a peek at the layout. We’ll have to enable kernel debugging to more closely examine things. But here’s what we can see in user mode. The EPROCESS structure is large. The entire output from windbg is as follows:

Inference: Side-Channel Attacks

Fri, 17 Sep 2021 00:00:00 +0000

A Brief History

Inference, that is, induction and deduction, are perhaps my personal favorite classes of problem-solving methods. Given very little initial information, depending on our model and situation, we can utilize just a few points to infer other information which was never directly presented to us. From Pythagoras, to Euclid, and Spinoza—to the use of modern inductive algorithms like those being developed at MIRI—inference is a powerful primitive, and somewhat of a universal open secret, playing a role almost everywhere we look—from philosophy, to economics, game theory, aerospace, medicine, computer science, and any scenario in which probability is of importance. In the spirit of Lewis Carrol:

Security (Theater) Questions

Thu, 16 Sep 2021 00:00:00 +0000

In the time before improved multi-factor authentication schemes like Authy and Yubikeys, there were security questions. And for some reason, they seem as though they’ll never give us up. Even today, some organizations still rely on them, asking users to set questions and answers as a way to validate users out-of-band, in the event of forgetting a password. You might recall services like AOL and AIM using these. But if anything, they’re more of a security vulnerability.

Small Bugs, Big Bugs

Thu, 09 Sep 2021 00:00:00 +0000

Then

In February 2020, I decided to check out web application security programs on HackerOne. I set my eyes on AT&T for the novel fact that, in the 1960s, they almost invented the internet, but their research was prematurely halted citing costs and technical hurdles. Nonetheless, AT&T’s Picturephone is a historical but often forgotten piece of history.

After burning nearly $500 million dollars on the effort, AT&T, then known as Bell Labs, scrapped the project entirely. And later, the Advanced Research Projects Agency and Department of Defense would lay claim to inventing the base technologies which would eventually grow to become the Internet.

About

Mon, 01 Jan 0001 00:00:00 +0000

Once upon a time, I worked as a musician. This is just another github blog. I’m interested in physics, math, engineering, brains, language, and economics.