Author: Aleksandar Milenkoski

The Windows Insight repository now hosts the Windows Telemetry ETW Monitor framework. The framework monitors and reports on Windows Telemetry ETW (Event Tracing for Windows) activities – ETW activities for providing data to Windows Telemetry. It consists of two components:

• the Windbg Framework: a set of scripts for monitoring Windows Telemetry ETW activities. The scripts are fed to a running windbg instance, connected to the Windows instance whose Windows Telemetry ETW activities are monitored.
• the Telemetry Information Visualization (TIV) framework for visualization of information and statistics. The TIV framework is a set of Python scripts that visualize information and statistics based on the data produced by the Windbg Framework. The output of the TIV framework is a report in the form of a web page.

The Windows Telemetry ETW Monitor has been tested on Windows 10, version 1909.

Continue reading “Windows Insight: The Windows Telemetry ETW Monitor”

The Windows Insight repository now hosts three articles on Windows code integrity and WDAC (Windows Defender Application Control):

• Device Guard Image Integrity: Architecture Overview (Aleksandar Milenkoski, Dominik Phillips): In this work, we present the high-level architecture of the code integrity mechanism implemented as part of Windows 10.
• Windows Defender Application Control: Initialization (Dominik Phillips, Aleksandar Milenkoski): This work describes the process for initializing WDAC performed by the Windows loader and the kernel when Windows 10 is booted.
• Windows Defender Application Control: Image verification (Aleksandar Milenkoski): This work discusses the workflow of WDAC for verifying images.

– Aleksandar Milenkoski

The Windows Insight repository currently hosts four articles on VSM (Virtual Secure Mode):

• Virtual Secure Mode: Architecture Overview (Aleksandar Milenkoski): In this work, we discuss the architecture of a virtualized Windows environment.
• Virtual Secure Mode: Communication Interfaces (Aleksandar Milenkoski): In this work, we discuss the communication interfaces that VSM implements: Isolated User Mode (IUM) system calls, normal-mode services, secure services, and hypercalls.
• Virtual Secure Mode: Protections of Communication Interfaces (Aleksandar Milenkoski): This work discusses implemented mechanisms for securing the above VSM communication interfaces. This includes restrictions on issuing hypercalls, data marshalling and sanitization, and secure data sharing.
• Virtual Secure Mode: Initialization (Dominik Phillips, Aleksandar Milenkoski): This work describes the process for VSM initialization activities performed by the Windows loader and the Windows kernel when Windows 10 is booted.

– Aleksandar Milenkoski

The Windows Insight repository currently hosts three articles on the TPM (Trusted Platform Module):

• The TPM: Communication Interfaces (Aleksandar Milenkoski): In this work, we discuss how the different components of the Windows 10 operating system deployed in user-land and in kernel-land, use the TPM. We focus on the communication interfaces between Windows 10 and the TPM. In addition, we discuss the construction of TPM usage profiles, that is, information on system entities communicating with the TPM as well as on communication patterns and frequencies;
• The TPM: Integrity Measurement (Aleksandar Milenkoski): In this work, we discuss the integrity measurement mechanism of Windows 10 and the role that the TPM plays
  as part of it. This mechanism, among other things, implements the production of measurement data. This involves calculation of hashes of relevant executable files or of code sequences at every system startup. It also involves the storage of these hashes and relevant related data in log files for later analysis;

Continue reading “Windows Insight: The TPM”

We are glad to announce the Windows Insight repository. The content of this repository aims to assist efforts on analysing inner working principles, functionalities, and properties of the Microsoft Windows operating system. This repository stores relevant documentation as well as executable files needed for conducting analysis studies.

Some of the content of this repository has been created in the course of a project named ‘Studie zu Systemaufbau, Protokollierung, Härtung und Sicherheitsfunktionen in Windows 10 (SiSyPHuS Win10)’ (ger.) – ‘Study of system design, logging, hardening, and security functions in Windows 10’ (eng.). This project has been contracted by the German Federal Office for Information Security (ger., Bundesamt für Sicherheit in der Informationstechnik – BSI). The work planned as part of the project is conducted by ERNW GmbH, starting in May 2017.

Continue reading “Windows Insight: A New ERNW Repository”