Just realized I forgot to post these in the last update, but perhaps it was better anyways since the post was already large enough.
NTFS On-Disk Structure - A fairly large reference to all the structures used on NTFS as well as some of the technical details behind some implementations. Was going to cover EFS and those structures, but I stopped it short there. This was written quite some time ago, and the structures are in Visual Basic format, but it should still be pretty useful. My explanation of NTFS runs was one of the best things in it.
Process Internals - Was going to become Part 1 of a series of 3 or 4 documents on each of the main executive components of NT, the Process Manager, the Object Manager and the Executive itself. Not very happy about this one in retrospect, since a lot of the fields I had documented aren’t used anymore or the information was wrong, but I still think it’s a good reference (especially the later sections). Again, done when I was younger and writing Visual Basic code.
Visual Basic File Format - One of the articles I’m most proud of, this one was the result of several weeks of independent study into the Visual Basic file format for compiled executables. It explains every field, structure, relationship, etc, that the compiler inserts into the file that is then read by the runtime. Allowed me to write a simple runtime library that was only 20KB (for basic MsgBoxes). Highly graphical and easy to read.
Native API Compression and Introduction to NT Design - An older article of mine again; gave a short primer on Native APIs, then presented a set of useful compression APIs buried in NT, and gave some interesting study on their performance and compressibility.
NTFS Alternate Data Streams - Back when alternate data streams weren’t very popular (I think I participated in making them popular; I was approached several times for inclusion of this article in books, magazines and other websites), I wrote code and an article exposing them and the dangers they presented, as well as a scanner that could find them. Again, Visual Basic code, and done when I was younger.
Subverting Windows 2003 Service Pack 1 Kernel Integrity Protection - My latest large presentation/project, this one was presented at REcon 2006. Shows a way to defeat the new protection mechanisms added in 2003 to disable access to kernel-mode from user-mode administrative applications, and how to access physical memory again. Exposed a flaw in VDM present in all released (at the time) versions of Windows NT.
Windows XP/2003 User-Mode Debugging Internals, Part 1 - Part of a series about the User-Mode Debugging framework in kernel32, ntdll and ntoskrnl. This part deals with Win32.
Windows XP/2003 User-Mode Debugging Internals, Part 2 - Part of a series about the User-Mode Debugging framework in kernel32, ntdll and ntoskrnl. This part deals with Native.