CONFidence 2010 is over

One of the biggest (best ;)) IT security-oriented conferences in Poland finished three days ago, in the wednesday evening. In the very first place, I would like to congratulate all the organisers, for their decision on where the event should be held, as well as how it should look like – during these two days, I had plenty of real fun!

CONFidence 2010 took place in Poland, on 25th and 26th of May, in the Kij√≥w Cinema. The lectures were presented on two, independent tracks (thus everyone was able to find something for himself in any given moment), and regarded numerous, important security fields. In my opinion (and because of my specific interests), the best speeches were given by Sebastian Fernandez – “General notes about exploiting Windows x64“, Mario Heidreich – “The Presence and Future of Web Attacks Multi-Layer Attacks and XSSQLI” and Alexey Tikhonow – “De-blackboxing of digital camera”. I am really looking forward to see the slides being published as soon as possible. Meanwhile, you can find the complete conference schedule at

Read moreCONFidence 2010 is over

Windows CSRSS cross-version API Table

It seems like half a year has passed since I published the Win32k.SYS system call table list on the net. During this time (well, it didn’t take so long ;)) I managed to gather enough information to release yet another API list – this time, concerning an user-mode application – CSRSS (Client/Server Runtime SubSystem). As a relatively common research subject, I think a table of this kind can make things easier for lots of people.

Before presenting the table itself, I would like to gently introduce the mechanism in consideration to the reader. As the name itself states, CSRSS is a part of the Windows Environment Subsystem, running in user-mode. It is a single process (having the highest possible – SYSTEM – privileges), which mostly takes advantage of three dynamic libraries – basesrv.dll, csrsrv.dll and winsrv.dll. These files provide support for certain parts of the subsystem functionality, such as:

  • Updating the list of processes / threads running on the system
  • Handling the Console Window (i.e. special text-mode window) events
  • Implementing parts of the Virtual DOS Machine support
  • Supplying miscellaneous functions, such as ExitWindowsEx

Read moreWindows CSRSS cross-version API Table