Add Yarden slides

2020/June/3/README.md

@@ -2,6 +2,8 @@
 [YouTube Replay](https://www.youtube.com/watch?v=aMJ_gR3OaZw)
 ## Keynote: WinDbg: time to put the @ back in the bag
 Yarden Shafir (CrowdStrike)
+- [Blogpost - Part 1](https://medium.com/@yardenshafir2/windbg-the-fun-way-part-1-2e4978791f9b)
+- [Blogpost - Part 2](https://medium.com/@yardenshafir2/windbg-the-fun-way-part-2-7a904cba5435)
 ## The Penquin is in da house
 Dr. Silvio La Porta (Leonardo)
 Dr. Antonio Villani (Leonardo)
@@ -9,3 +11,4 @@ Dr. Antonio Villani (Leonardo)
 Joseph Menn (Reuters)
 ## Decoding and interpreting Intel PT traces for vulnerability analysis
 Jeong Wook 'Matt' Oh (DarunGrim)
+- [Blogpost](https://darungrim.com/research/2020-05-07-UsingIntelPTForVulnerabilityTriagingWithIPTAnalyzer.html?refresh=1)

2020/June/3/yarden-shafir-windbg-opcde_commands

@@ -0,0 +1,26 @@
+OPCDE Keynote - commands and steps:
+
+1. Explore built-in registers - @$curthread, @$curprocess, @$cursession...
+   Print process array in decimal: dx @$cursession.Processes, d
+
+2. Find explorer.exe and its signature level:
+    dx @$cursession.Processes.Where(p => p.Name == "explorer.exe").KernelObject.SignatureLevel & 0xF
+    
+3. Print signature level for all processes:
+    dx -r2 @$cursession.Processes.Select(p => p.KernelObject.SignatureLevel)
+    
+4. Use anonymous type to print more information for each process, use -r2 to show 2 levels, use -g for grid view, order by signature level:
+    dx -r2 @$cursession.Processes.Select(p => new {Name = p.Name, PID = p.Id, SignatureLevel = p.KernelObject.SignatureLevel & 0xF}).OrderBy(p => p.SignatureLevel)
+
+5. Conditional Breakpoint - use bp /w to break on nt!NtWriteFile only when writing thread is impersonating:
+    bp /w "@$curthread.KernelObject.ClientSecurity.ImpersonationData != 0" nt!NtWriteFile
+    
+6. When breakpoint is hit, use anonymous type to print process name, thread ID, impersonation token authentication ID and name of file that's written into, and keep running:
+    bp /w "@$curthread.KernelObject.ClientSecurity.ImpersonationData != 0" nt!NtWriteFile "dx new { ProcName = @$curprocess.Name, ThreadId = @$curthread.Id, 
+      AuthId = ((nt!_TOKEN*)(@$curthread.KernelObject.ClientSecurity.ImpersonationToken & ~0xF))->AuthenticationId.LowPart, 
+      FileName = @$curprocess.Io.Handles[@rcx].Object.UnderlyingObject.FileName}; g"
+      
+Bonus - How to choose number of items printed from an array:
+    Only show first 10 items: dx @$cursession.Processes, 10
+    Show 9999 items: dx @$cursession.Processes, 9999
+    Show all items in array: dx @$cursession.Processes, [@$cursession.Processes.Count()]