Alex Ionescu

@ionescu.bsky.social

Windows Internals Author, Developer, Reverse Engineer, Security Researcher, Speaker, Trainer, and most recently Nation State Hacker. Core OS Platform Developer at Apple, Hyper-V Vendor at Microsoft, Chief Architect at CrowdStrike and now Director at CSE.

6,591 Followers  |  186 Following  |  20 Posts  |  Joined: 30.04.2023  |  1.8725

Latest posts by ionescu.bsky.social on Bluesky

Why North Korea Is Planning a Second Korean War and How to Stop It

My deep-dive with @andreilankov and @DrRadchenko into North Korean regime, foreign policy, daily life, surveillance state, hackers and much more!

youtu.be/hqTbLkdysBo

29.01.2025 15:37 — 👍 62    🔁 14    💬 0    📌 3
Donate to Support Marc Rogers' Road to Recovery, organized by Katie Vogel. cjunkie (Marc Rogers) is an invaluable and beloved member of our hacker community: a… Katie Vogel needs your support for Support Marc Rogers' Road to Recovery

www.gofundme.com/f/support-ma...

CJ is an old friend and a longtime cDc NSF member. He suffered a fall and broke his neck -- his insurance refused to pay for an MRI, which led to the break going undiagnosed for a couple of weeks, until his vertebrae had degraded to the point of quadriplegia.

06.01.2025 18:47 — 👍 40    🔁 33    💬 2    📌 1
The One Factor That Could Crash the Russian Economy

A new Geopolitics Decanted episode with a deep-dive into the Russian economy and how it's faring in 2025 and what leverage Ukraine might get to negotiate an acceptable peace deal with Putin
www.youtube.com/watch?v=VOYl...

03.01.2025 01:59 — 👍 105    🔁 24    💬 6    📌 5
Declawing PUMAKIT — Elastic Security Labs: PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers.

This was a phenomenal breakdown of some novel Linux malware techniques.

www.elastic.co/secur...

17.12.2024 04:34 — 👍 27    🔁 12    💬 3    📌 1

Positive Technologies has developed a new attack that exploits the SD Express standard to gain access to a device's memory through its SD card reader

The DaMAgeCard attack exploits the fact that the new SD Express standard can operate in both SDIO and NVMe

swarm.ptsecurity.com/new-dog-old-...

08.12.2024 11:11 — 👍 59    🔁 24    💬 4    📌 4

ost2.fyi/Sponsorship....
Gold Sponsors & Windows Security Track sponsor Winsider Seminars & Solutions (@yardenshafir.bsky.social & @ionescu.bsky.social)

👇

06.12.2024 12:53 — 👍 2    🔁 2    💬 1    📌 0

Long time coming and a cast of hundreds (and a very deep tech stack) but CONGRATS to the team - it's the FIRST ARM64 for Windows build of Git!

25.11.2024 22:25 — 👍 235    🔁 36    💬 5    📌 3

There is glory in the unexpressed thought.

22.11.2024 22:00 — 👍 13611    🔁 835    💬 628    📌 75

www.whitehouse.gov/briefing-roo...

23.11.2024 17:15 — 👍 1    🔁 1    💬 1    📌 0

Now I kind of want to write an mIRC plugin

22.11.2024 20:30 — 👍 1    🔁 0    💬 0    📌 0

I have a legitimate question — given the incredible progress made by Windows on ARM64, it baffles the mind that this is running on an Intel SoC. Especially if it's meant to be cheap and sustainable. Seriously — why?

19.11.2024 21:39 — 👍 12    🔁 1    💬 0    📌 0

As far as intelligence scandals come, and what's coming… I'd take this scandal over any other, any time.

15.11.2024 15:56 — 👍 4    🔁 0    💬 0    📌 0

I think it's « Mahalo, товарищ »

14.11.2024 12:00 — 👍 3    🔁 0    💬 0    📌 0
Pishi: Coverage guided macOS KEXT fuzzing. This blog post is the result of some weekend research, where I delved into Pishi, a static macOS kernel binary rewriting tool. During the weekdays, I focus on Linux kernel security at my job and would...

This awesome fuzzing blog post by @r00tkitsmm.bsky.social covers a super reliable macOS kernel binary rewriting to instrument any KEXT or XNU at BB or edge level. Mandatory reading for anyone interested in fuzzing whether you use macOS or not. So many good system internals and fuzzing references!

10.11.2024 02:21 — 👍 37    🔁 15    💬 2    📌 0

Brought back memories 🥲

09.11.2024 16:04 — 👍 1    🔁 0    💬 0    📌 0
LSA and UEFI file signing - Windows drivers Local Security Authority (LSA) plug-in and Unified Extensible Firmware Interface (UEFI) firmware signing.

LSASS now runs as PPL by default, and that DLL doesn't have the appropriate signature. Unless you're relying on Bonjour for AD auth you're probably fine. Microsoft launched LSA PPL signing for 3rd parties back in Windows 8.1 in 2013: learn.microsoft.com/en-us/window...
It's only been 11 years ;-)

09.11.2024 11:40 — 👍 4    🔁 0    💬 1    📌 0

Very excited to finally see this live! An incredible shift in cloud computing.

08.11.2024 19:28 — 👍 4    🔁 0    💬 0    📌 0

alright folks, the app code is now public

https://github.com/bluesky-social/social-app

15.05.2023 20:44 — 👍 1098    🔁 399    💬 100    📌 100

I own tools.zip and am trying to figure out what I should serve

16.05.2023 07:23 — 👍 0    🔁 0    💬 0    📌 0

Normally I would use a kernel debugger to look at the wait block and see what object it's attached to. Is there an ETW event that might log that?

10.05.2023 10:31 — 👍 0    🔁 0    💬 1    📌 0

User Mode — into some sort of Ring 3 (non-kernel) service

09.05.2023 20:04 — 👍 0    🔁 0    💬 1    📌 0

I'm guessing this is an EDR or similar product that's calling into UM for a response…

09.05.2023 00:29 — 👍 1    🔁 0    💬 1    📌 0

So first MSI has been found to ship their Secure Boot policy in “AlwaysExecute” mode on 300+ motherboards, and now they had their BootGuard private key leaked from their source repo (WHY is in their repo? 🤦🏻‍♂️🤦🏻‍♂️🤦🏻‍♂️).

Between this and the DBX running out of space, UEFI firmware security needs a reboot.

08.05.2023 11:01 — 👍 6    🔁 0    💬 0    📌 0

Windows now has VBS/TPM protected token binding and you can finally now store private keys in hardware and make them truly non-exportable even by a privileged kernel attacker.

Great stuff from Dwizzzle: https://gist.github.com/dwizzzle/a1c4cf4b669053dbeda4a4b24a9aca0f

04.05.2023 18:27 — 👍 5    🔁 0    💬 0    📌 0

@ washingtonpost dot com you read that right

03.05.2023 16:23 — 👍 631    🔁 81    💬 69    📌 34
SolarWinds: The Untold Story of the Boldest Supply-Chain Hack | WIRED

Probably one of the best pieces of reporting on the SolarWinds supply-chain attack. Excellent piece by Kim Zetter.

Highly recommended reading.

03.05.2023 01:48 — 👍 12    🔁 6    💬 1    📌 0

There's still a UI bug, when writing a draft the blue button to save the draft still says “Reply” 🙄

02.05.2023 11:27 — 👍 1    🔁 0    💬 0    📌 0

Shitposting about other people's security products/detection logic is the natural evolution/side trip of this.

02.05.2023 11:22 — 👍 0    🔁 0    💬 0    📌 0

Binge-watched BEEF last night on Netflix and everything from the soundtrack to the experience of being a first generation millennial immigrant from a similar cultural background was cathartic. I cried for hours. I can only imagine how much more this speaks to Asian Americans/Canadians.

02.05.2023 11:19 — 👍 3    🔁 0    💬 0    📌 0

0%

01.05.2023 07:29 — 👍 13    🔁 1    💬 2    📌 0

@ionescu is following 20 prominent accounts