System Internals of Windows; OS X; Linux; ARM
Table of Contents
- General Internals
- Windows Internals
- Kerberos / Related
- Linux Internals
- Windows Reference
- Linux Reference
- OS X Reference
- ARM Reference
To Do:
- Fix ToC so it's accurate
- Split sections into reference material and writeup material (quick vs long reference)
- Further categorize sections (network vs memory vs exploit mitigations vs feature)
Windows Reference
Windows Internals
- Windows IT professional documentation
-
Windows Internals
- theForger's Win32 API Programming Tutorial
- x86 Disassembly/Windows Executable Files - WikiBooks
- WinAPIs for Hackers
- About Atom Tables
- GlobalGetAtomName function
-
windows-operating-system-archaeology
- subTee stuff
- BATTLE OF SKM AND IUM - How Windows 10 rewrites OS Architecture - Alex Ionescu
- RtlEncryptMemory function
- RtlDecryptMemory function
- Unsorted
- Access Control
-
Accounts
- AD Accounts - docs.ms
- AD Security Groups
- Microsoft Accounts - docs.ms
- Service Accounts - docs.ms
- Special Identities - docs.ms
- Group Managed Service Accounts Overview - docs.ms
- Managed Service Accounts - docs.ms
- Getting Started with Group Managed Service Accounts - docs.ms
- Managed Service Accounts - docs.ms
- Managed Service Accounts - docs.ms
- Service Accounts Step-by-Step Guide - docs.ms
-
Active Directory
- Active Directory Architecture
- AD Local Domain groups, Global groups and Universal groups.
-
Active Directory Control Paths
- Active Directory Control Paths auditing and graphing tools
-
[MS-ADTS]: Active Directory Technical Specification
- Specifies the core functionality of Active Directory. Active Directory extends and provides variations of the Lightweight Directory Access Protocol (LDAP).
- How the Data Store Works - technet.ms
-
KCC and Topology Generation - technet.ms
- The KCC is a built-in process that runs on all domain controllers. It is a dynamic-link library that modifies data in the local directory in response to systemwide changes, which are made known to the KCC by changes to the data within Active Directory. The KCC generates and maintains the replication topology for replication within sites and between sites.
- How Domain and Forest Trusts Work - docs.ms
-
Advanced Threat Protection(ATP)
- Windows Defender Advanced Threat Protection - docs.ms
-
Windows Defender ATP data storage and privacy - docs.ms
- This document explains the data storage and privacy details related to Windows Defender ATP
- Alternate Data Streams
- Anti-Malware Scan Interface
-
API
-
Windows API Index
- The following is a list of the reference content for the Windows application programming interface (API) for desktop and server applications.
- App Containers
- Application Shims
-
Authentication
Windows Authentication
- Windows Authentication Overview - docs.ms
- Windows Authentication Architecture - docs.ms
- Windows Authentication Technical Overview - docs.ms
- Group Policy Settings Used in Windows Authentication - docs.ms
- Windows Logon and Authentication Technical Overview(Win10) - docs.ms
- Windows Logon and Authentication Technical Overview(Server08R2) - docs.ms
-
Authenticode
-
Authenticode - MSDN
- Microsoft Authenticode, which is based on industry standards, allows developers to include information about themselves and their code with their programs through the use of digital signatures.
- AutoStart Locations
-
(Distributed) Component Object Model
- The Component Object Model
- Minimal COM object registration
-
CLSID Key - docs.ms
- A CLSID is a globally unique identifier that identifies a COM class object. If your server or container allows linking to its embedded objects, you need to register a CLSID for each supported class of objects.
- The CLSID key contains information used by the default COM handler to return information about a class when it is in the running state.
- COM Fundamentals - docs.ms
- The COM Library - docs.ms
- Security in COM - docs.ms
- Scripting(COM) - thrysoee.dk
- [MS-DCOM]: Distributed Component Object Model (DCOM) Remote Protocol - msdn.ms
- DCOM Overview - active-undelete.com
- Active Directory Service Interfaces - docs.ms
- Credential Storage
-
Credential Provider
- Credential Providers in Windows 10 - msdn
-
ICredentialProvider interface - msdn
- Exposes methods used in the setup and manipulation of a credential provider. All credential providers must implement this interface.
- Windows Interactive Logon Architecture - technet
-
Winlogon and Credential Providers
- Winlogon is the Windows module that performs interactive logon for a logon session. Winlogon behavior can be customized by implementing and registering a Credential Provider.
- Registering Network Providers and Credential Managers - msdn
-
V2 Credential Provider Sample - code.msdn
- Demonstrates how to build a v2 credential provider that makes use of the new capabilities introduced to credential provider framework in Windows 8 and Windows 8.1.
- Custom Credential Provider for Password Reset - blogs.technet
-
Starting to build your own Credential Provider
- If you’re starting to work on a Credential Provider (CredProv or CP, for short) for Windows Vista, Windows Server 2008, Windows Server 2008 R2 or Windows 7, there are a few steps I would strongly recommend you take, because it will make life easier for you.
- Device Guard
- Digest Authentication
-
DLLs
- Dynamic-Link Library Security - docs.ms(2018)
- Everything You Never Wanted To Know About DLLs
-
Everything You Ever Wanted to Know about DLLs - James McNellis (CppCon 2017)
- Slides
- If you build software for Windows, you use DLLs, and it’s likely that you may build DLLs of your own. DLLs are the primary mechanism for packaging and encapsulating code on the Windows platform. But have you ever stopped to think about how DLLs work? What goes into a DLL when you build it, what happens when you link your program with a DLL, or how do DLLs get located and loaded at runtime? Many of us build and use DLLs without fully understanding them. In this session, we’ll give an in-depth introduction to DLLs and how they work. We’ll begin by looking at what’s in a DLL—the kinds of things a DLL can contain and the basic data structures that are used—and the benefits and drawbacks of packaging code in a DLL. We’ll look at how DLLs are loaded, including the details of how the loader locates DLLs and maps them into the process; how dependencies are resolved among DLLs; and DLL lifetime and how DLLs get unloaded. We’ll also look at how DLLs get built, including what makes DLLs “special,” what goes into an import library, and how the linker uses import libraries. Finally, we’ll look at several other miscellaneous topics, including how DLLs interact with threads and thread-local storage, and mechanisms for solving or mitigating the dreaded “DLL hell.”
-
DNS
-
[MS-DNSP]: Domain Name Service (DNS) Server Management Protocol - docs.ms(2019)
- Specifies the Domain Name Service (DNS) Server Management Protocol, which defines the RPC interfaces that provide methods for remotely accessing and administering a DNS server. It is a client and server protocol based on RPC that is used in the configuration, management, and monitoring of a DNS server.
-
Dynamic Data Exchange
-
Dynamic Data Exchange - msdn.ms
- This section provides guidelines for implementing dynamic data exchange for applications that cannot use the Dynamic Data Exchange Management Library (DDEML).
- About Dynamic Data Exchange - msdn.ms
- Exchange Web Services
- Exploit Mitigations
-
File Formats
-
[MS-CFB]: Compound File Binary File Format - docs.ms
- Specifies the Compound File Binary File Format, a general-purpose file format that provides a file-system-like structure within a file for the storage of arbitrary, application-specific streams of data.
- Group Policy
- Guarded Fabric/Shielded VMs
-
HTML Applications
-
HTML Applications - msdn
- HTML Applications (HTAs) are full-fledged applications. These applications are trusted and display only the menus, icons, toolbars, and title information that the Web developer creates. In short, HTAs pack all the power of Windows Internet Explorer—its object model, performance, rendering power, protocol support, and channel–download technology—without enforcing the strict security model and user interface of the browser. HTAs can be created using the HTML and Dynamic HTML (DHTML) that you already know.
- Isolated User Mode
- Kerberos
- Kernel
- Lightweight Directory Access Protocol
- Linux Subsystem
-
Local Security Authority
-
LSA Authentication
- LSA Authentication describes the parts of the Local Security Authority (LSA) that applications can use to authenticate and log users on to the local system. It also describes how to create and call authentication packages and security packages.
- Logon
- Memory
- MS Office
-
Named Pipes
- Named Pipes
- CreateNamedPipe function
- CreateFile function
- ReadFile function (https://msdn.microsoft.com/en-us/library/windows/desktop/aa365467(v=vs.85).aspx)
- WriteFile function
- How to create an anonymous pipe that gives access to everyone
- Netlogon
- Networking
- NTLM
- PE File Structure
- Powershell
-
Printing
-
[MS-SAMR]: Security Account Manager (SAM) Remote Protocol (Client-to-Server)
- Specifies the Security Account Manager (SAM) Remote Protocol (Client-to-Server), which supports printing and spooling operations that are synchronous between client and server.
- [MS-RPRN]: Print System Remote Protocol - docs.ms
-
Processes/Threads
- About Processes and Threads
- TechNet Library: About Processes and Threads
- Processes, Threads, and Jobs in the Windows Operating System
-
Know your Windows Processes or Die Trying
- Excellent quick reference on Windows processes with a focus on Win7. Good resource.
-
DLL
-
What is a DLL?
- This article describes what a dynamic link library (DLL) is and the various issues that may occur when you use DLLs. Then, this article describes some advanced issues that you should consider when you develop your own DLLs. In describing what a DLL is, this article describes dynamic linking methods, DLL dependencies, DLL entry points, exporting DLL functions, and DLL troubleshooting tools.
- Fibers
-
Protected Processes
- Unkillable Processes
- The Evolution of Protected Processes Part 1: Pass-the-Hash Mitigations in Windows 8.1 - Alex Ionescu
- The Evolution of Protected Processes Part 2: Exploit/Jailbreak Mitigations, Unkillable Processes and Protected Services - Alex Ionescu
- Protected Processes Part 3 : Windows PKI Internals (Signing Levels, Scenarios, Root Keys, EKUs & Runtime Signers) - Alex Ionescu
- Thread Local Storage
- Exception Handling
- Run-Time Dynamic Linking
- Windows 8 Boot
- VirtualAlloc function
-
SetProcessMitigationPolicy function - docs.ms
- Sets a mitigation policy for the calling process. Mitigation policies enable a process to harden itself against various types of attacks.
-
GetProcessMitigationPolicy function - docs.ms
- Retrieves mitigation policy settings for the calling process.
-
PE-Runtime-Data-Structures
- Originally posted by me in 2013: http://uncomputable.blogspot.com/2013/08/pe-runtime-data-structures-v1.html, just migrating it to a better home. This is a diagram of PE runtime data structures created using WinDbg and OmniGraffle. I have included jpg and PDF versions in the repository. I was inspired by Ero Carrera's diagrams and Corkami. I made this diagram because I was teaching myself Windows data structures and was unsatisfied with what was out there. The information for these structures was obtained from WinDbg and Windows Internals 6 by Russinovich, Solomon, and Ionescu [Windows Internals].
-
Prefetch
-
WinPrefetchView v1.25
- Each time that you run an application on your system, the Windows operating system creates a Prefetch file which contains information about the files loaded by the application. The information in the Prefetch file is used to optimize the loading time of the application the next time that you run it. WinPrefetchView is a small utility that reads the Prefetch files stored on your system and displays the information stored in them. By looking at these files, you can learn which files every application is using, and which files are loaded on Windows boot.
-
Registry
- What registry entries are needed to register a COM object.
-
Authentication Registry Keys - msdn
- When it installs a network provider, your application should create the registry keys and values described in this topic. These keys and values provide information to the MPR about the network providers installed on the system. The MPR checks these keys when it starts and loads the network provider DLLs that it finds.
-
Remote Desktop
- Remote Desktop Services virtual channels - docs.ms
-
UniversalDVC
- Universal Dynamic Virtual Channel connector for Remote Desktop Services
- User Rights
-
RPC
- Remote Procedure Call - IBM Knowledgebase
- Remote Procedure Calls (RPC) - users.cs.cf.ac.uk
- Remote Procedure Call (RPC) - cio-wiki.org
- Remote Procedure Call - Wikipedia
- Remote Procedure Calls - Paul Krzyzanowski
- What is RPC and why is it so important?(windows) - StackOverflow
- How RPC Works - docs.ms
- RPC Components - docs.ms
- Sandboxing
-
Scripting Host
-
wscript - docs.ms
- Windows Script Host provides an environment in which users can execute scripts in a variety of languages that use a variety of object models to perform tasks.
- Security Descriptor Definition Language
- SECURITY_DESCRIPTOR_CONTROL - docs.ms
- The SECURITY_DESCRIPTOR_CONTROL data type is a set of bit flags that qualify the meaning of a security descriptor or its components. Each security descriptor has a Control member that stores the SECURITY_DESCRIPTOR_CONTROL bits.
-
Security Support Providers
- Security Support Provider Interface Architecture - docs.ms
- SSP Packages Provided by Microsoft - docs.ms
-
Secure Channel - docs.ms
- Secure Channel, also known as Schannel, is a security support provider (SSP) that contains a set of security protocols that provide identity authentication and secure, private communication through encryption. Schannel is primarily used for Internet applications that require secure Hypertext Transfer Protocol (HTTP) communications.
- The NTLM Authentication Protocol and Security Support Provider - davenport.sourceforge.net
-
Microsoft Digest SSP - docs.ms
- Microsoft Digest is a security support provider (SSP) that implements the Digest Access protocol, a lightweight authentication protocol for parties involved in Hypertext Transfer Protocol (HTTP) or Simple Authentication Security Layer (SASL) based communications. Microsoft Digest provides a simple challenge response mechanism for authenticating clients. This SSP is intended for use by client/server applications using HTTP or SASL based communications.
-
Services
- Creating a service using sc.exe
-
Services: Windows 10 Services(ss64)
- A list of the default services in Windows 10 (build 1903).
-
Service Accounts
-
Service Account best practices Part 1: Choosing a Service Account
- In this article you will learn the fundamentals of Windows service accounts. Specifically, we discover the options and best practices concerning the selection of a service account for a particular service application.
- Server Message Block(SMB)
- Subsystems
-
Symbol Files
- Process Security and Access Rights - msdn
- OpenProcessToken function - msdn
- Symbols and Symbol Files - docs ms
- Symbol Files - docs ms
-
microsoft-pdb
- This repo contains information from Microsoft about the PDB (Program Database) Symbol File format.
- Public and Private Symbols - docs ms
- How to Inspect the Content of a Program Database (PDB) File
-
Symbol Files
- Normally, debugging information is stored in a symbol file separate from the executable. The implementation of this debugging information has changed over the years, and the following documentation will provide guidance regarding these various implementations.
-
Syscalls
-
windows-syscall-table
- windows syscall table from xp ~ 10 rs2
- How Do Windows NT System Calls REALLY Work?
- Debugging Functions - msdn
- Intercepting System Calls on x86_64 Windows
-
Tokens
-
DuplicateTokenEx function - docs.ms
- The DuplicateTokenEx function creates a new access token that duplicates an existing token. This function can create either a primary token or an impersonation token.
-
ImpersonateLoggedOnUser function - docs.ms
- The ImpersonateLoggedOnUser function lets the calling thread impersonate the security context of a logged-on user. The user is represented by a token handle.
-
SetThreadToken function - docs.ms
- The SetThreadToken function assigns an impersonation token to a thread. The function can also cause a thread to stop using an impersonation token.
-
CreateProcessWithTokenW function - docs.ms
- Creates a new process and its primary thread. The new process runs in the security context of the specified token. It can optionally load the user profile for the specified user.
-
OpenProcess function - docs.ms
- Opens an existing local process object.
-
OpenProcessToken function - docs.ms
- The OpenProcessToken function opens the access token associated with a process.
-
OpenThread function - docs.ms
- Opens an existing thread object.
-
OpenThreadToken function - docs.ms
- The OpenThreadToken function opens the access token associated with a thread.
-
GetTokenInformation function - docs.ms
- The GetTokenInformation function retrieves a specified type of information about an access token. The calling process must have appropriate access rights to obtain the information.
-
User Account Control(UAC)
- Protecting Windows Networks – UAC - dfirblog.wordpress.com
- User Account Control - Steven Sinofsky(blogs.msdn) (https://blogs.msdn.microsoft.com/e7/2008/10/08/user-account-control/)
- Inside Windows Vista User Account Control - docs.ms
- Inside Windows 7 User Account Control - docs.ms
- User Account Control - docs.ms
- User Account Control Step-by-Step Guide - docs.ms
- User Account Control: Inside Windows 7 User Account Control - Mark Russinovich
- Volume Shadow Copy Service
- Windows Filtering Platform
-
Windows Communication Foundation
- Windows Communication Foundation - Guide to the Documentation - docs.ms
-
What Is Windows Communication Foundation
- Windows Communication Foundation (WCF) is a framework for building service-oriented applications. Using WCF, you can send data as asynchronous messages from one service endpoint to another. A service endpoint can be part of a continuously available service hosted by IIS, or it can be a service hosted in an application. An endpoint can be a client of a service that requests data from a service endpoint. The messages can be as simple as a single character or word sent as XML, or as complex as a stream of binary data.
-
Fundamental Windows Communication Foundation Concepts
- WCF is a runtime and a set of APIs for creating systems that send messages between services and clients. The same infrastructure and APIs are used to create applications that communicate with other applications on the same computer system or on a system that resides in another company and is accessed over the Internet.
- Windows Communication Foundation Architecture Architecture Graphic
Writeups
-
Exploit Prevention/Mitigation/Hardening
- Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP
- Windows 8 ASLR Explained
- Introduction to Windows Kernel Security
- How Control Flow Guard Drastically Caused Windows 8.1 Address Space and Behavior Changes
- Technical Overview of Windows UEFI Startup Process
- Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing
Linux General
-
Introduction to Linux - Machtelt Garrels
- Excellent doc covering every aspect of linux. Deserves at least 1 skim through.
-
Linux Documentation Project
- The Linux Documentation Project is working towards developing free, high quality documentation for the Linux operating system. The overall goal of the LDP is to collaborate in all of the issues of Linux documentation.
- Bash Guide for Beginners
- pagexec - GRSEC
Linux Internals
-
Linux Internals
-
linux-insides
- A series of posts about the linux kernel. The goal is simple - to share my modest knowledge about the internals of the linux kernel and help people who are interested in the linux kernel, and other low-level subject matter.
-
Introduction to Linux - Machtelt Garrels
- Excellent doc covering every aspect of linux. Deserves at least 1 skim through.
-
Linux Kernel Security Subsystem Wiki
- This is the Linux kernel security subsystem wiki, a resource for developers and users.
-
Compilers/Exploit Mitigations
-
Linkers and Loaders - Book
- These are the manuscript chapters for my Linkers and Loaders, published by Morgan-Kaufman. See the book's web site for ordering information.
- All chapters are online for free at the above site.
- Linker and Libraries
- Drivers
- ELF
- FileSystems
-
Kernel
- Linux Kernel Explanation/Walk through
-
Kernel booting process
- This chapter describes linux kernel booting process.
- How the Kernel manages Memory - Linux
-
Linux Kernel Map
- Interactive map of the Linux Kernel
-
Memory
- Understanding glibc malloc
- Memory Management: Paging
-
Anatomy of a program in memory
- Writeup on the structure of program memory in Linux.
- Understanding !PTE - Non-PAE and X64
- Linux GLibC Stack Canary Values
- Stack Smashing Protector
- Memory Translation and Segmentation
-
Out-of-Memory(OOM) Killer
- Taming the OOM killer - Goldwyn Rodrigues
- OOM_Killer - linux-mm.org
- How does the OOM killer decide which process to kill first? - stackexchange
- OOM - Linux kernel user's and administrator's guide
-
Linux Kernel limits - eloquence.marxmeier
- This document provides an overview of the default Linux Kernel limits (kernel parameter) and where they are defined.
- The OOM killer may be called even when there is still plenty of memory available - bl0g.krunch.be
- How to Configure the Linux Out-of-Memory Killer - Robert Chase
- Process Structure/Syscalls
-
X
- X Window System Explained
-
Foreign LINUX
- Foreign LINUX is a dynamic binary translator and a Linux system call interface emulator for the Windows platform. It is capable of running unmodified Linux binaries on Windows without any drivers or modifications to the system. This provides another way of running Linux applications under Windows in contrast to Cygwin and other tools.
ARM References
-
A Detailed Analysis of Contemporary ARM and x86 Architectures
- RISC vs. CISC wars raged in the 1980s when chip area and processor design complexity were the primary constraints and desktops and servers exclusively dominated the computing landscape. Today, energy and power are the primary design constraints and the computing landscape is significantly different: growth in tablets and smartphones running ARM (a RISC ISA) is surpassing that of desktops and laptops running x86 (a CISC ISA). Further, the traditionally low-power ARM ISA is entering the high-performance server market, while the traditionally high-performance x86 ISA is entering the mobile low-power device market. Thus, the question of whether ISA plays an intrinsic role in performance or energy efficiency is becoming important, and we seek to answer this question through a detailed measurement based study on real hardware running real applications. We analyze measurements on the ARM Cortex-A8 and Cortex-A9 and Intel Atom and Sandybridge i7 microprocessors over workloads spanning mobile, desktop, and server computing. Our methodical investigation demonstrates the role of ISA in modern microprocessors’ performance and energy efficiency. We find that ARM and x86 processors are simply engineering design points optimized for different levels of performance, and there is nothing fundamentally more energy efficient in one ISA class or the other. The ISA being RISC or CISC seems irrelevant.
- ARM Documentation
- Windows 8 Security and ARM
OS X Internals
- Kernel Extensions
-
Tools
-
Instruments - OS X system analysis
- Instruments is a performance-analysis and testing tool for dynamically tracing and profiling OS X and iOS code. It is a flexible and powerful tool that lets you track a process, collect data, and examine the collected data. In this way, Instruments helps you understand the behavior of both user apps and the operating system.
Other
-
Intel SGX Explained
- This paper analyzes Intel SGX, based on the 3 papers that introduced it, on the Intel Software Developer’s Manual (which supersedes the SGX manuals), on an ISCA 2015 tutorial, and on two patents. We use the papers, reference manuals, and tutorial as primary data sources, and only draw on the patents to fill in missing information. This paper’s contributions are a summary of the Intel-specific architectural and micro-architectural details needed to understand SGX, a detailed and structured presentation of the publicly available information on SGX, a series of intelligent guesses about some important but undocumented aspects of SGX, and an analysis of SGX’s security properties.
Emojis/Fonts/Encoding
- Introducing Character Sets and Encodings - W3C
- An Introduction to Writing Systems & Unicode
- Tifinagh - Wikipedia
- Core Text - apple
- Full Emoji List - Unicode.org
- List of XML and HTML character entity references - Wikipedia
- Ambiguous ampersands
- Everything You Need To Know About Emoji 🍭
- Emoji and Pictographs - FAQ - unicode.org
-
Unicode® Emoji
- This page provides information about Unicode emoji and their development.
-
Emojipedia
- Emoji Meanings
To be Sorted
- Windows 8 Security and ARM
-
BCDEdit /dbgsettings - msdn
- AppInit_DLLs in Windows 7 and Windows Server 2008 R2
- Windows Data Protection
- Application Compatibility in Windows
- Hard Links and Junctions - msdn
-
Security Configuration Wizard
- The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy. SCW is a role-based tool: you can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles, such as a file server, a print server, or a domain controller.
- Executing Macros From a DOCX With Remote Template Injection - redxorblue.com
- LM, NTLM, Net-NTLMv2, oh my! - Peter Gombos
- Microsoft Office – NTLM Hashes via Frameset - netbiosX
- SMB/HTTP Auth Capture via SCF File - mubix
- Places of Interest in Stealing NetNTLM Hashes - Osanda Malith
- Microsoft Word – UNC Path Injection with Image Linking - Thomas Elling
- https://googleprojectzero.blogspot.com/2019/08/down-rabbit-hole.html
- https://web.archive.org/web/20060904080018/http://security.tombom.co.uk/shatter.html
-
The 68 things the CLR does before executing a single line of your code - Matt Warren
-
CLR Configuration Knobs - dotnet/coreclr
- There are two primary ways to configure runtime behavior: CoreCLR hosts can pass in key-value string pairs during runtime initialization, or users can set special variables in the environment or registry. Today, the set of configuration options that can be set via the former method is relatively small, but moving forward, we expect to add more options there. Each set of options is described below.
-
The Windows Research Kernel AKA WRK
- Part of the source code of the actual Windows NT kernel. WRK is designed for academic use and research; by no means can it be used for commercial purposes.
-
- Changes the active console code page. If used without parameters, chcp displays the number of the active console code page.
-
Standard ECMA-335 Common Language Infrastructure (CLI) 6th ed- ECMA
-
What are the undocumented features and limitations of the Windows FINDSTR command? - StackOverflow
-
Kerberos.NET
- https://xinu.cs.purdue.edu/
- https://github.com/mit-pdos/xv6-public
- http://pages.cs.wisc.edu/~remzi/OSTEP/
- http://man7.org/tlpi/
- https://wiki.osdev.org/Expanded_Main_Page
- https://www.haiku-os.org/
- https://devblogs.microsoft.com/commandline/learn-about-windows-console-and-windows-subsystem-for-linux-wsl/
- https://j00ru.vexillium.org/syscalls/nt/64/
- http://arno.org/arnotify/2006/10/on-the-origins-of-ds_store/
- https://0day.work/parsing-the-ds_store-file-format/
- https://en.internetwache.org/scanning-the-alexa-top-1m-for-ds-store-files-12-03-2018/
- https://www.vergiliusproject.com/
- https://docs.microsoft.com/en-us/virtualization/windowscontainers/about/
- https://stackoverflow.com/questions/17935873/malloc-fails-when-there-is-still-plenty-of-swap-left
- http://www.adrc.com/ckr/windows_bootup_process.html
- https://social.technet.microsoft.com/wiki/contents/articles/11341.windows-7-the-boot-process-explained.aspx
- http://www.codemachine.com/article_kernelstruct.html