Kernel on Matt Suichehttps://www.msuiche.com/categories/kernel/Recent content in Kernel on Matt SuicheHugoen-usMon, 14 Oct 2024 12:00:00 +0200Bob and Alice in Kernel-land - Part 3https://www.msuiche.com/posts/bob-and-alice-in-kernel-land-part-3/Mon, 14 Oct 2024 12:00:00 +0200https://www.msuiche.com/posts/bob-and-alice-in-kernel-land-part-3/<p><p class="markdown-image"> <img src="images/1728963981396.jpeg" alt="BSOD" /> </p></p> <p>This is the last part of a 3-part series on Bob and Alice in Kernel-land. You can find <a href="https://www.msuiche.com/posts/bob-and-alice-in-kernel-land/" target="_blank" rel="noopener">Part 1 here</a> and <a href="https://www.msuiche.com/posts/bob-and-alice-in-kernel-land-part-2/" target="_blank" rel="noopener">Part 2 here</a>.</p> <p>CrowdStrike podcast &ldquo;<a href="https://www.crowdstrike.com/resources/adversary-universe-podcast/" target="_blank" rel="noopener">Adversary Universe Podcast</a>&rdquo; just released a new episode entitled &ldquo;<a href="https://open.spotify.com/episode/4aeIXlyqYeAcaKIdwA0354?si=0d1060dbbcf94880" target="_blank" rel="noopener">The Kernel&rsquo;s Essential Role in Cybersecurity Defense</a>&rdquo; featuring Adam Myers w/ Alex Ionescu, who is the original architect of the CrowdStrike Falcon kernel agent and also known for being the co-author of &ldquo;Windows Internals&rdquo; book and to be among the most knowledgeable people when it comes to understanding how the Windows (or any other OS tbh) kernel works.</p>Bob and Alice in Kernel-land - Part 2https://www.msuiche.com/posts/bob-and-alice-in-kernel-land-part-2/Fri, 23 Aug 2024 12:00:00 +0200https://www.msuiche.com/posts/bob-and-alice-in-kernel-land-part-2/<p><p class="markdown-image"> <img src="./images/main.webp" alt="Hacker Man" /> </p></p> <p>It&rsquo;s been a month since I wrote <a href="https://www.msuiche.com/posts/bob-and-alice-in-kernel-land/" target="_blank" rel="noopener">Part 1 of &ldquo;Bob and Alice in Kernel-land&rdquo;</a>. As expected, we saw <a href="https://arstechnica.com/information-technology/2024/08/crowdstrike-unhappy-with-shady-commentary-from-competitors-after-outage/" target="_blank" rel="noopener">minimal</a> constructive feedback from vendors, with a few notable exceptions. Sophos <a href="https://news.sophos.com/en-us/2024/08/01/driving-lessons-the-kernel-drivers-in-sophos-intercept-x-advanced/" target="_blank" rel="noopener">provided the most detailed information about their drivers</a>, while CrowdStrike <a href="https://www.crowdstrike.com/blog/tech-analysis-kernel-access-security-architecture/" target="_blank" rel="noopener">offered valuable insights</a> into their kernel architecture, including the use of <a href="https://learn.microsoft.com/en-us/windows-hardware/drivers/network/introduction-to-winsock-kernel" target="_blank" rel="noopener">Microsoft&rsquo;s Winsock kernel file transfer</a>. This feature, introduced in Windows Vista+, was designed to replace the outdated Transport Driver Interface (TDI). It&rsquo;s reasonable to assume that the existence of this capability has significantly contributed to more operations being moved to kernel mode, as leveraging TDI posed considerable challenges without compromising stability.</p>