About Me

In this blog I'm writing some articles about exploitation and reverse engineering of various low-level stuff, including operating systems, bootloaders, hypervisors and, of course, platform firmware. Here you can also find many of my old materials, written in Russian and moved from other places. I've been around for the last two decades or so; currently I'm mostly active on Twitter and GitHub and writing more code instead of long and boring texts.

I was the first independent researcher ever to get paid by Intel (see the announcement) for reporting a few industry-wide high-severity platform firmware vulnerabilities.

Once I broke Apple FileVault at the hardware level with my fancy PCI Express DMA attack setup and did an accidental full disclosure.

One time, using the same DMA attack setup, I found a really cool way to gain arbitrary System Management Mode (SMM) code execution from a malicious PCI Express endpoint connected to the system. This vulnerability was recognised by Intel as high severity but still remains unfixed in many computers with Intel chips.

Another time I bought some new hardware for my home server and found remotely exploitable vulnerabilities in AMI's Baseboard Management Controller (BMC) firmware that can lead to compromise of the host operating system on a good half of all servers and server motherboards made by Intel.

However, most (if not all) of the work you can find in this blog and in my GitHub account was done as a hobby on a non-commercial basis. I don't like people reposting my texts elsewhere or making translations, but I can't prohibit you from doing that.

Contact information

E-mail: cr4sh0@gmail.com [see PGP key below]
Twitter and GitHub
d_olex at Keybase

Other links

Here you can find information about some of my public projects and activities over a long period of time. All of this is provided with no warranties: I'm not your tech support and I'm not responsible for your bricked hardware:

  • PCI Express DIY Hacking Toolkit − Started as an FPGA design and tools for DMA attacks on the Xilinx SP605 development board; now this repository is also home to Hyper-V Backdoor and Boot Backdoor. Probably one of my largest and most interesting public projects; check the readme for links and detailed info [GitHub]
  • Xilinx Zynq DMA Attack Tools − FPGA design and tools for DMA attacks using development boards based on Xilinx Zynq chips. This design is compatible with all of the host software made for the PCI Express DIY Hacking Toolkit project [GitHub]
  • ThinkPwn − Started as an arbitrary System Management Mode code execution exploit for the Lenovo ThinkPad model line, ended up as an exploit for an industry-wide 0day vulnerability in machines from many vendors [GitHub]
  • Aptiocalysis − Another cool arbitrary System Management Mode code execution exploit for an industry-wide 0day vulnerability that I found in AMI Aptio based firmware [GitHub]
  • Firmware Exploitation Tool and Library − Library and tools for developing System Management Mode exploits for Windows targets. The project includes example exploits for 0day and 1day vulnerabilities in the firmware of various Lenovo machines. It also provides DSE bypass techniques that allow these vulnerabilities to be exploited even on machines with Hypervisor-Protected Code Integrity (HVCI) enabled [GitHub]
  • SMM Backdoor − The first open source, publicly available System Management Mode backdoor for UEFI based platforms. Good as a general purpose playground for various SMM experiments [GitHub]
  • PEI Backdoor − The first open source, publicly available Pre-EFI Initialization (PEI) phase backdoor for UEFI based platforms. Good as a general purpose playground for various experiments at the earliest possible boot stages, when most of the platform components and features have not been initialized yet [GitHub]
  • Micro Backdoor − C2 tool for Windows targets with an easily customizable code base and a small footprint. It wasn't designed as a replacement for your favourite post-exploitation tools but rather as a really minimalistic thing with all of the basic features in less than 5000 lines of code [GitHub]
  • Kernel Forge − A library for developing kernel level Windows payloads for the post-HVCI era, when the Hyper-V security features of modern platforms prevent you from executing any unsigned kernel code at all [GitHub]
  • OpenREIL − Open source library that implements a translator and tools for REIL, the reverse engineering intermediate language [GitHub, archived]
  • IOCTL Fuzzer − Windows tool for reverse engineering and hunting vulnerabilities in Windows kernel drivers; it can also monitor and log the IOCTL requests you're interested in [GitHub, archived]
  • Windows Registry Rootkit − My old rootkit that stores its body in registry values and gains kernel mode code execution at early boot by exploiting a 0day vulnerability in a win32k.sys function that parses malicious data read from the registry [GitHub, archived]
  • Once, together with my colleague Andrey Rassokhin, I gained control over the largest botnet in the world at that time: TDSS. We wrote a detailed article about this operation (EN, RU, internet archive)
  • I was also a co-founder and long time member of the first ever hackerspace in a post-Soviet country: Neuron. It was located in the center of Moscow from 2011 to 2020, but unfortunately it was closed at the beginning of the pandemic.
  • Some of my old articles are also available at nobunkum.ru (EN, internet archive) / nobunkum.ru/ru (RU, internet archive), a technical e-zine on the guns, germs, and steel of the digital age. There are also some of my even older technical articles that can be found on the internet, for example the one about finding vulnerabilities in Windows kernel drivers, but most of them are quite lame and not worth mentioning
  • A long time ago I was a member of Hell Knights Crew, a Russian hacking team of the early 00's with a strong interest in reverse engineering, malware and vulnerabilities. It's all gone now, but most likely you will be able to find proper archives
  • A really long time ago I had... well, a typical cool hax0r kid homepage of the mid 2000's with some of my code archives and a sort of blog. It looks good enough as a cemetery monument to the post-Soviet underground hacking culture of those days

My PGP key

Version: GnuPG v1.4.13