Nostr notes by James Forshaw :donor:

I've put up the slides from my Zer0Con 2026 presentation on ...

2026-04-07T08:32:00Z

I've put up the slides from my Zer0Con 2026 presentation on Administrator Protection. https://github.com/tyranid/infosec-presentations/blob/master/Zer0Con/2026/Protecting%20your%20Administrator.pdf

the real question, is "gib" pronounced with a hard g like ...

2026-04-06T19:11:33Z

In reply to nevent1q…t78l
_________________________

the real question, is "gib" pronounced with a hard g like gif, or a soft g like gif?

My final blog related to admin protection is up. ...

2026-02-26T19:51:32Z

My final blog related to admin protection is up. https://projectzero.google/2026/02/gphfh-deep-dive.html I go into a bit of history of the interesting GetProcessHandleFromHwnd API, how it ended up allow you to bypass protected process restrictions and how it's now "fixed".

My first blog post on Windows Administrator Protection is out. ...

2026-01-26T18:37:06Z

My first blog post on Windows Administrator Protection is out. https://projectzero.google/2026/26/windows-administrator-protection.html probably the most interesting and complex bug out of the 9 I found, but that doesn't mean the rest weren't interesting as well, stay tuned :D

Project Zero have finally got around to updating the blog to ...

2025-12-16T23:17:22Z

Project Zero have finally got around to updating the blog to something less blogger-esc, check it out at https://projectzero.google. To coincide with this momentous occasion I dug out the draft of my blog post about Windows Object Manager performance which became the basis of my article in PoC||GTFO #13 and updated it to see if it still worked in Windows 11. You can read it at https://projectzero.google/2025/12/windows-exploitation-techniques.html

the most concerning part of admin protection's design was ...

2025-11-23T17:35:50Z

In reply to nevent1q…gufe
_________________________

the most concerning part of admin protection's design was just that UI Access seemed to not considered part of the boundary. Of the 9 bugs I reported, 5 were basically ways of getting control over a UI Access process and from there full admin. I think if you're going to break app compat anyway you might as well have done something more than UAC with bells on it.

I wasn't imagining things, Administrator Protection has ...

2025-11-21T20:10:32Z

I wasn't imagining things, Administrator Protection has indeed been pulled for now. https://learn.microsoft.com/en-us/windows/security/application-security/application-control/administrator-protection/?tabs=intune#system-requirements

Nostr event nevent1qqsve7503c2rllm9rxxeahgkuejn6we8jqzvva2khz8zdvkw077xxaczypcx4qnq5mw6gmaasyc8d37lwpe2nsja36vj096wnvwg7rtfs7mn2x5nayk

2025-11-12T22:47:01Z

Neat!

Administrator Protection has finally been released in KB5067036. ...

2025-10-29T10:17:47Z

Administrator Protection has finally been released in KB5067036. This is an optional update, but it does fix 7 of the 9 issues that I reported to MSRC (hopefully the other 2 get fixed next month as security bulletins). I honestly don't know if they've actually fixed the SSPI issues like my Kerberos bypass or not, I'm not inclined to check. People should kick the tyres on it, maybe there's still some bounties to be had :D

unsafe BinaryFormatter usage has been on the shit list for at ...

2025-10-24T18:48:49Z

In reply to nevent1q…rcun
_________________________

unsafe BinaryFormatter usage has been on the shit list for at least a decade, this should have been found in less than a hour with grep. This should never have been in the code so long, it should have been audited out.

honestly, just calling the bug RCE almost undersells the damage ...

2025-10-24T18:32:46Z

In reply to nevent1q…69pl
_________________________

honestly, just calling the bug RCE almost undersells the damage this bug can do. Such as stupid bug as well.

Honestly, WTF Microsoft. ...

2025-10-20T15:10:46Z

Honestly, WTF Microsoft. https://hawktrace.com/blog/CVE-2025-59287

RE: https://infosec.exchange/@tiraniddo/115295709143228986 Well, ...

2025-10-15T15:20:49Z

RE: https://infosec.exchange/@tiraniddo/115295709143228986

Well, Windows Administration Protection still hasn't been released even though technically 25H2 has. So none of those 6 bypasses have been fixed, but then again there's no code to bypass, so.... At least some of them are fun UAC bypasses :)

quoting
note1cqj…0fdz

Seems Windows 11 25H2 is finally rolling out, and they're shipping the new Administrator Protection feature. Hopefully MS should have fixed 6 bypasses I found in it during insider preview :D

Seems Windows 11 25H2 is finally rolling out, and they're ...

2025-09-30T22:55:05Z

Seems Windows 11 25H2 is finally rolling out, and they're shipping the new Administrator Protection feature. Hopefully MS should have fixed 6 bypasses I found in it during insider preview :D

creative for sure, but I wonder if there's not other places ...

2025-09-24T06:22:59Z

In reply to nevent1q…u2cx
_________________________

creative for sure, but I wonder if there's not other places that could force a process to suspend at least if you already have admin access. Ultimately EDR lives and dies by it's ability to catch the malware before it disables the EDR. Not sure how MS would fix this in the OS.

Errata ID [sic] is just too complex for it's own good. ...

2025-09-17T18:05:01Z

In reply to nevent1q…hmrz
_________________________

Errata ID [sic] is just too complex for it's own good. It's like they looked at AD, and went "What if more, and harder to reason about", then bolted on on-prem AD connection for good measure.

such a valuable feature then, but I shouldn't need to do ...

2025-08-13T11:57:32Z

In reply to nevent1q…flv8
_________________________

such a valuable feature then, but I shouldn't need to do stupid approaches to bypass it. Honestly I wouldn't really care if it blocked "adult content" in the feed, as that could always be disabled. But I have no idea what they were thinking when they decided that DMs were needing of age verification.

While I've always focussed on using Mastodon I did try and ...

2025-08-13T11:37:06Z

While I've always focussed on using Mastodon I did try and give Bluesky a go, but the community doesn't seem there and I never got much engagement on security topics. Bluesky's decisions regarding the stupid UK's Online Safety Act to make DMs locked behind age verification is the final straw, so I've deactivated the account and maybe it'll get deleted eventually. I'll go back to not posting anything exclusively on here :D

"Gone are the days of trying to memorize and remember file ...

2025-04-25T19:39:08Z

In reply to nevent1q…m6hs
_________________________

"Gone are the days of trying to memorize and remember file names or exact words. With improved Windows search..." we can shove AI generated garbage straight from Bing to your eyeballs with no way of disabling any of it if all you wanted was finding your own files.

I still can't quite believe _this_ was their fix.

2025-04-22T19:24:48Z

In reply to nevent1q…lyy2
_________________________

I still can't quite believe _this_ was their fix.

I never managed to the get the updated version working on the ARM ...

2025-04-17T15:28:47Z

In reply to nevent1q…v7dd
_________________________

I never managed to the get the updated version working on the ARM CoPilot laptop I bought specifically for that purpose. I don't know of any current write ups other than the puffery from MS.

I'd certainly focus on the encryption, how it ties into Windows Hello, whether there's any obvious bypasses and also whether you can still hoover up the details _if_ the user has unlocked it first (as in how hard is it to access the database once the key is available).

The second blog is about an interesting bug class in COM servers ...

2025-01-30T18:35:20Z

The second blog is about an interesting bug class in COM servers that implement IDispatch, which allows you to potentially create other objects in the process. For example every OOP COM server with IDispatch allows you to create a STDFONT object which isn’t really designed to be safely used cross process. To demo its usefulness I then use the trick to get code injection in a Windows-PPL process from where you could open protected LSASS etc. https://googleprojectzero.blogspot.com/2025/01/windows-bug-class-accessing-trapped-com.html

A companion blog to my Bluehat 2024 presentation on OleView.NET ...

2024-12-12T23:32:48Z

A companion blog to my Bluehat 2024 presentation on OleView.NET is up now. https://googleprojectzero.blogspot.com/2024/12/windows-tooling-updates-oleviewnet.html

I had no idea they released Otomedius outside Japan, tis weird, ...

2024-12-09T14:05:08Z

In reply to nevent1q…rhxh
_________________________

I had no idea they released Otomedius outside Japan, tis weird, but no less weird and kinky than its Parodius predecessor, especially Sexy Parodius :)

FFS

2024-12-02T23:25:29Z

In reply to nevent1q…e5m4
_________________________

FFS

comical :D

2024-11-29T16:19:09Z

In reply to nevent1q…qreg
_________________________

comical :D

as far as I know mine doesn't crash but it's still yet to ...

2024-11-29T03:52:28Z

In reply to nevent1q…ah6w
_________________________

as far as I know mine doesn't crash but it's still yet to capture a single snapshot. I did take a look an the enclave binaries though, first (and minimal) pass seems it's "maybe better", at least no obvious bug assuming they're using it correctly.

Awesome that MS are supported and documenting VBS enclaves ...

2024-11-25T02:46:54Z

Awesome that MS are supported and documenting VBS enclaves properly now *apropos of nothing in particular*. https://learn.microsoft.com/en-us/windows/win32/trusted-execution/vbs-enclaves-dev-guide. Also awesome that in the example exported entry point they provide they don't seem to mention how careful you need to be with the input pointer that you don't just read/write enclave memory :)

actually scratch that, it seems that this feature was removed ...

2024-11-07T21:46:22Z

In reply to nevent1q…z402
_________________________

actually scratch that, it seems that this feature was removed from Windows 11, boo :|

what would be fun is to deploy the undocumented ...

2024-11-07T21:39:46Z

In reply to nevent1q…u34p
_________________________

what would be fun is to deploy the undocumented "adminless" mode through a code integrity policy. That basically disables the administrator group SID, so it might look like you're an admin but only SYSTEM is really an admin :D

for now at least you can uninstall notepad (right click the start ...

2024-11-07T15:43:53Z

In reply to nevent1q…czca
_________________________

for now at least you can uninstall notepad (right click the start icon and choose uninstall) and it'll revert to the classic version. How long that lasts I don't know. Also it breaks it being used as a target for opening .txt files as modern explorer is garbage.

Put up the slides for my Bluehat 2024 presentation on ...

2024-10-31T01:39:55Z

Put up the slides for my Bluehat 2024 presentation on improvements to OleView.NET https://github.com/tyranid/infosec-presentations/blob/master/Bluehat/2024/DCOM%20Research%20for%20Everyone!.pdf You can also grab v1.15 of OleView.NET from the PS Gallery which has the new features to generate proxy clients on the fly.

The new Windows 11 Admin approval mode certainly needs some ...

2024-10-15T03:47:10Z

The new Windows 11 Admin approval mode certainly needs some tweaking. Currently you're required to elevate taskmgr, which only used to be the case if you disabled auto-elevation. Why taskmgr starts elevated is one of Microsoft's many dumb decisions in Windows 10.

Now this is interesting, Windows 11 24H2 allows you to connect to ...

2024-10-02T09:35:14Z

Now this is interesting, Windows 11 24H2 allows you to connect to an SMB server with an arbitrary TCP port. Could come in handy ;-)
https://techcommunity.microsoft.com/t5/storage-at-microsoft/smb-alternative-ports-now-supported-in-windows-insider/ba-p/3974509

from the article "a sentencing hearing was postponed for a ...

2024-09-02T17:36:33Z

In reply to nevent1q…twxy
_________________________

from the article "a sentencing hearing was postponed for a 12-year-old boy who admitted taking part in two separate incidents of disorder in Manchester because his mother had gone on holiday to Ibiza". Hmm I wonder what could possibly be the root problem of the boys misdeeds?