Hooking Nirvana

Speech transcript (automated)
So my talk is called "Hooking Nirvana", and for those of you who read the abstract, you're probably very confused about what on earth all those acronyms and names meant, so here's a brief little intro about myself and what I'm going to talk about. I'm currently chief architect at CrowdStrike, a security startup that you may have heard about; I've been there about four years working on the endpoint software that we build. Previously, and more relevant to my experience, I was doing research on the Windows kernel, which is something I've been doing since I was little. I worked on a project called ReactOS, and while working on ReactOS I learned a lot about how the Windows kernel works, what makes it tick, and a lot of very interesting side effects and design decisions that were made along the way. I then worked on the Windows Internals books, which some of you may have read, and I teach training at conferences like REcon and others. It's always a pleasure for me to come talk about some of the little parts of the OS that are not very well known but have interesting side effects, specifically when it comes to security.

So this talk is about five different types of technologies. First there's Nirvana, time-travel debugging, or rather a way of using it without its obstacles; then Application Verifier, or AVRF; then MinWin; then the application compatibility shim engine; and then Control Flow Guard. We're going to see what the intended use of these things on a system was and is, and how their use can be misappropriated, misused, or, more politely, leveraged. These techniques can be used both for defense as well as for offense, so I'll also talk a little about detecting that these things may be happening on your systems.

Some of these techniques have been talked about before. For example, the trick that I'm going to show you that uses Nirvana was discovered by someone called Nick Everdox, and he wrote it up in a blog post. What happened after that is that Microsoft, probably knowing that someone had discovered this interface, completely changed it in Windows 10, so that article is no longer really relevant. MinWin had some good papers from Quarkslab, but again they manually reversed the structures, and their blog posts are for Windows 8 and Windows 7; Windows 10 completely changes the structures, so that information is no longer really accurate. CFG has a really good white paper from Trend Micro and a presentation from MJ0011 as well; they're really good papers on how CFG works, but they look at CFG as an anti-exploit mitigation tool, not as an instrumentation tool. AVRF I haven't seen anyone talk about, except for a really old blog post by a Russian hacker; it doesn't go into the smaller details, but it touches a little on what I'll be showing you. And for shim engine hooks, all I found was a Chinese article, actually well written, which I had translated. So some of this stuff has people kind of touching on the sides of it, and some things have been looked at before, but the point of all this is specifically to take a look at how things have changed in Windows 10. If you read an article about Nirvana and try to use it on a modern version of Windows, it won't work anymore, so you'll see what those changes are: data structures may have been modified, version numbers may have changed, there are new APIs, and there are mitigations Microsoft may have added because they've seen people write blog posts about these things. Everything I'll talk about is on build 10074. There are newer builds, but Microsoft refuses to release symbols for them, so without symbols it's kind of hard to see what's there, and I don't think they've changed that much between a month ago and today in terms of these types of things, but keep in mind that everything here is build 10074 and may yet change before the final release.

So we'll start with MinWin hooks, move on to Nirvana, then CFG and AVRF, then have some fun with shims, and then I'll take any questions and wrap up. So first of all, MinWin. This is an
actual screenshot of MinWin booting up, if you've never seen it before. What MinWin was is an internal Microsoft project to basically re-architect the layers of the Windows operating system. When they originally built NT, it was a very low-level, microkernel-based OS with a thin layer of drivers on top, subsystems, and then higher-level functionality on top of that. Over time Windows kind of grew into a beast; you started having dependencies on dependencies and circular dependencies, and it stopped really making a lot of sense. So around the Windows Vista time frame this kind of bubbled up, and you know how successful that was; the real work happened for Windows 7. This took the form of an internal project, and MinWin is not something that you'll ever see ship as a binary, but parts of it, and parts of the architecture behind it, made their way into Windows 7. In Windows 7 some people started noticing some strange DLL names on disk or in import tables: tiny little DLLs called API-MS-WIN-something. These are basically API contracts. In Windows 7 these were contracts for user applications; in Windows 8 the contracts became kernel contracts as well, and the bootloader all the way down became aware of these API sets. Not a lot of people knew what this was for until Microsoft announced OneCore, which basically lets you write a single application that works on all versions of Windows: Windows for the Internet of Things, Windows Server, Xbox, Windows Phone. Part of how they were able to do that was because of this re-layering they had been doing for almost half a decade, if not a whole decade, and the whole point of it was to create the API sets.

The core MSDN article tells you what API sets are: "API sets are strongly named API contracts that provide a separation between the API contract and the associated DLL." In other words, if you're looking for CreateFile, you don't need to know that CreateFile is in kernel32; there's a DLL that gives you "create file", and API sets allow the loader to perform a runtime redirection to the actual API set host DLL that implements the API you want. This decouples the API names from the implementation providers, allows you to better factor the operating system, and allows you to load fewer DLLs, because now, for example, if CreateFile exists in a single DLL all on its own, I can load that DLL instead of having to load the whole of kernel32, which is three megabytes. The separation between contract and actual implementation is also what allows you, for example, to import an API that on Windows Phone may not even exist but has a stub implementation, so your application still loads.

So how does this redirection work? In Windows 7 there's a single file, apisetschema.dll, that contains a section called .apiset. The kernel boots up and calls PspApiSetMap, which verifies that this is a signed driver, so it is treated like a driver and has to be signed based on the rules for kernel-mode code. It looks at the section, maps it in memory, and finds the offset of the .apiset section. Every single time a process launches, the API set map is mapped into the process's memory, so starting in Windows 7 we have this file mapped into every process that launches on Windows. The mapping is not read-only, and it's not mapped with the special flag SEC_NO_CHANGE, so this means that on Windows 7 we can actually write to this mapping and modify it in memory. The address of this mapping is written in a special field called ApiSetMap in the PEB structure that every process has, so you can always find the map, and on Windows 7 you can modify your map as well. Note that this is a system-wide map. The loader in ntdll, every single time you load a DLL, will call a special function, LdrpApplyFileNameRedirection, and it's going to look at that mapping and see: OK, you want api-ms-win-process-create.dll, the contract that lets you create processes; then it goes and finds in your mapping what implements that, which today might be kernel32, kernelbase, maybe a ProcAPI.dll, or on some machine that has no logical notion of processes it might be a stub that just says you can't create processes. All of that is done by the loader through this API set redirection. It's interesting because it essentially means that any time you load a library, there's this back door that actually gives you a real DLL instead of the DLL you asked for. In Windows 7, by the way, 35 DLLs are redirected, and they actually shipped a header file, apiset.h, which
documented basically what the API set map looks like. With the Windows 7 SDK we had these two structures here: the API set array is the structure that's actually in memory; it has a version, which is 2.0 in that OS, a count, which is 35, and an array of these structures, each of which gives you the name of the DLL and the data associated with it. So this is basically a conversion that goes from, let's say, api-ms-win-core-processthreads-l1-1-0.dll and says that on your system this is in kernel32 or the other one. Now these API sets can actually have versions as well, so it's possible that one day I might decide to have a CreateProcessExtended function; well, that's going to be in api-ms-win-core-processthreads-l1-2-0.dll, which now says this is the second version of this contract. So the contracts can be versioned, as well as just providing a redirection.

In Windows 8 you see a big change here: 365 DLLs are redirected, and I no longer have only API sets; I have two separate kinds of contracts, and the others are called extension sets. Extension sets are now used to basically check for an API that may or may not exist on your OS: let me check if this API set exists, and if so I'm going to call it. Two simple examples. Every time you load a driver, Windows is going to check if it's signed; we always do that. But it's also going to check: is the signing policy extension DLL there? That's because on Windows Phone and on Xbox a different policy is installed, and it's also going to get a call, and it can say "I want this driver to run, because even though it's not Microsoft-signed, I trust this company". On your desktop you don't have that API set extension present, so the kernel is not going to make the call. So now the Service Control Manager, the kernel, and lots of other pieces of code check whether this exists on your system and if so call the extension. Another example: Windows came with a Kernel Transaction Manager in Windows Vista and Windows 7; in Windows 8 it's optional. So on desktop you have KTM, and you have this API set here, ext-ms-win-ntos-ktm-l1-1-0, which on a desktop system says "that's ntoskrnl", and on a phone system there's no KTM, so that extension doesn't exist and the kernel never tries making those calls.

The other big change here is that this is no longer loaded by the kernel; it's loaded by the bootloader as soon as you boot, and it's subject to the same policies as any other boot driver. The loader will load the API set schema, and it can also load additional API sets, so you can actually have more than one schema; all the schemas get merged together into a final API set schema, which then gets passed on to the kernel. The kernel now maps it with SEC_NO_CHANGE, so the addition in Windows 8 means you can no longer modify your schema, at least not in an easy fashion. And finally the structures changed: Windows 8 is now version 4, the structure is a bit different, but they were still shipping headers, so with the Windows 8.1 SDK you'll be able to see the new structure and what it looks like. Basically they added some flags and the size of the structure changed a little bit, but it's still documented, whether accidentally or not, and it's freely available.

In Windows 10, in the build that I have, 10074, there are now 602 redirected DLLs, and I can start seeing there are exports for Windows Phone, for Windows IoT, for Windows Server, for Windows client, so you can really see how OneCore leverages this mechanism. The API set structures are now in version 6 format, and version 6 is a breaking change: the structures actually change significantly, what used to be an array becomes offsets, and the entries themselves have a hash inside, so any tools that parse the Windows 8 schema will no longer work on Windows 10; you need to redo the whole structure and write a new tool. The other thing that happens now is that when kernelbase gets loaded, the delay-load descriptors are parsed, and anything that starts with ext- is pointed at kernel32, so there's basically additional logic in the code to support the continued use of these MinWin sets. So if you want to parse the map on Windows 10, it would look something like this, but don't worry, the slides are available, so I don't expect those in the back to be squinting. It's fairly simple: you've got an offset, there's an array there, you iterate; the offset has other offsets, you iterate over those, and eventually you get a mapping of every DLL and its corresponding API set, so you can build a tool.

And here's just a brief sample of what that looks like. So for example there's a DLL here, api-ms-win-base-bootconfig; well, that's actually advapi32. If you're trying to get to api-ms-win-composition-windowmanager, that's actually udwm, and if you're trying to get to win-core-atoms, that's actually kernel32. So the whole point here is that you're no longer importing the DLL names, you're importing these contracts, and this file tells you where to find them. And it's not just user mode, it's kernel mode as well. So here's another example where there's ext-ms-win-moderncore-win32k-base-ntgdi, and on modern core that points to win32kfull. But there's also ext-ms-win-mobilecore-boot, and you can see that it's an empty set; that's because on a desktop system you don't have the mobile core libraries, you're not a mobile phone. So some of these things are going to be empty because they're simply not provided in your environment. I have no idea what MRM is, but the MRM resource manager is present while the MRM environment is not present, and vice versa on a phone things may look different; some of these may be only on phone and not on desktop, and so on and so forth. Here's another example in the kernel: kernel security and kernel signing policy are empty on desktop, but the microcode update extension is actually pointing to a DLL, and the isolated-mode extension is not present on the current builds.
So let's say we want to modify it, because if you can modify this, you can redirect execution to other DLLs. First of all you have to decide what you're going to modify. Let's say you want to hook the heap APIs: which contract has the heap APIs? Microsoft has a website, on MSDN, that documents every single API that's in Windows, including undocumented ones, and which API set they're present in. So you identify the API you want to hook, look at which API set it's in, and that gives you the API contract. You iterate over the API set map, find the contract name, replace the string kernel32 with, you know, mykernel.dll, and now you've redirected everything. What you have to be careful about, as you saw earlier in the tool output, is that

here, for example, the fibers and file contracts were all pointing to kernelbase, and that string is actually aliased, so anything that's basically saying kernelbase has the same offset to kernelbase. So if I replace this with, you know, mybase, everything else is going to become mybase. So instead of basically changing

the pointer, what you have to do, if we go back and look at the structures, is that there's an offset field: change the offset to another offset, and then your entry has a different offset than all the other entries. Now that means you have to allocate

more space in the structure: you

basically allocate your own buffer and you point the offset to the new buffer. So here's how you'd do that. The first thing I mentioned is that the API set map is mapped read-only, and on Windows 8 and higher you cannot remap it read-write because of the special SEC_NO_CHANGE. So a much easier modification to make is to edit the PEB, because the PEB points to the API set map. You read the existing map, allocate an identical one plus a page, copy the old one on top of the new copy, make the changes that you want to make, and then overwrite ApiSetMap to point to your copy, because the PEB is writable, so that pointer can be changed to memory that you control. The other thing to be careful about is the redirected DLL name: if you noticed, there was no full path in the screenshot, it just said kernelbase, and that's because the assumption is that all the target DLLs are in C:\Windows\System32. Now, System32 is an admin directory, and if you're trying to redirect or hijack an application and you don't have admin, you're stopped from dropping DLLs there. But you can just name your DLL spool\drivers\color\something. You may be wondering why on earth you would name it this way; well, because this is an actual subdirectory in System32: if you go to C:\Windows\System32\spool\drivers\color, it's a read-write directory for users, so you can drop your DLL in there, and then the name of the DLL actually redirects you to that DLL, even if you're not admin. The last thing to worry about is that if you yourself are hooking an API that's in kernel32, kernelbase, or api-ms-whatever, when you actually try to call the real API, your own lookup will itself be redirected back into yourself. So what you need to do is build your own import library where you import directly from the host: you know exactly that the API is in kernelbase.dll, so import from kernelbase.dll. Otherwise, if you use the normal Windows libraries, you import from yourself and then you just spin
forever and ever and ever. So I'll show you a demo of basically how to implement that with a simple library that hooks all of the heap APIs, and I'll load notepad with that change and hope that it works. So let me pull up a command prompt. Just to show you what we've done here: we basically have all the hooks, for HeapAlloc, for HeapFree, and so on; HeapAlloc and HeapFree, for example, do a DbgPrint and then call the original function. And this looks

at all the heap APIs that have to be hooked, so HeapQueryInformation, HeapSetInformation, HeapValidate, HeapCreate, etc., and then there's the simple

definition file that says, you know, here are all the original APIs and here are my hooks for those. If I wanted to I could call them the same way, but then I'd have to dynamically import the other ones as well. So I build this library, and it's going to

go in C:\Windows\System32\spool\drivers\color\test.dll, and users can write there: I'm not running the compiler as admin, and it's able to write it in there. And I have a simple loader that's basically going to load notepad, a standard

CreateProcess call, and we're going to look for api-ms-win-core-heap-l1-1-0, that's the contract for the heap APIs, in the API set map of notepad. We're going to be looking for that contract, and when we find it we're going to overwrite it with spool\drivers\color\test, so basically we're saying that this is

the name of the DLL, which matches the location in System32. So what

I'll do is put a breakpoint on the resume call, and then I can open up a debugger and try to see what happens. I go and, notice, there's a module loaded, color\test.dll, and

if I go and then resume, there's notepad, and

there's the debugger. And for example, if you type a character, there are two allocations and one free; every time you press space, two allocations and one free; and if you just backspace there's nothing, just one free. So clearly, and you may not be able to see it, those are our new DbgPrints confirming that the heap queries and HeapAlloc and HeapFree are going through us, and we haven't done any of the

traditional hooking things here: no Detours, no chain-patching of structures, no IAT hooking. So if you're looking for hooks on HeapAlloc and HeapFree, there are none; there's no inline hook, and the IAT hasn't been patched by some malicious DLL. This is just using the exact same MinWin functionality that's on the system. So how do you differentiate this from something legitimate versus something illegitimate? Well, one clear sign is a DLL named spool\drivers\color\something: that's probably not Microsoft's, so the DLL name itself is an obvious telltale sign that something's off. But if I had admin rights I could write to System32, and I could call this heapdll.dll, and you wouldn't necessarily know that it's not supposed to be there. Funny names aside, this is a pretty cool thing you can do, because now I have a heap instrumentation library that instruments all the heap APIs, and I didn't need to do any kind of weird Detours patching or playing with hooking DLLs or any of the weird things you normally have to do. So that's an example of one of these, what I call dynamic instrumentation techniques.
Now, while doing the research on this specific one: the API set schema doesn't have to be from Microsoft. Microsoft has an undocumented registry key that lets you, say, put additional custom API set schemas on the system, and some parts of the kernel, for example, check "is this API set present? If so, I'm going to make all my system calls go through it", or "if this API set is present, I'm going to make process creation go through it". So if you create the right API set with the right API name (you have to sign it, but it doesn't have to be signed by Microsoft; it's easy to get a signature these days), you can basically hook every single kernel API, the parser won't mess with you, and it's also a sexy persistence mechanism: all you have is a DLL on disk, which is a fake additional schema, and a registry key pointing to that schema, which none of the security companies know to look for. And I basically went "well, turns out it'll work", and then, on the slide, my program crashed and I got a crash dump. Just by random chance, Windows 10 now protects against this exact trick: Windows 10 detects a change to the API set mapping in kernel mode and will actually crash. You can still do what I showed in user mode, no problem, but in kernel mode you'll get a bugcheck. So that's a sad story, and that's Microsoft being ahead and figuring these things out. So this

is a Nirvana album cover, obviously, but what I try to do for every single section is a Google image search, taking the first image that I could find for each of the things I talk about; for MinWin it was that bootloader screen, for Nirvana that's what came up and I didn't feel like searching more. So what is Nirvana? In Microsoft's

words, Nirvana is a lightweight dynamic translation framework that can be used to monitor and control the user-mode execution of a running process without needing to recompile or rebuild any code in the process. This is referred to as program shepherding, sandboxing, and, in relation to virtualization, translation. So basically it's Microsoft's internal translation engine, and using this framework they built tools like iDNA, the time-travel tracing tool. If you've been at conferences or read Microsoft research papers, you've probably seen these amazing, incredible technologies being referenced time after time after time again, and never ever got the chance to use them, because Microsoft doesn't make them public. But Nirvana is the internal tool that they have to do dynamic instrumentation without hooking or patching code like Detours does, and without needing to patch things in the kernel as well, because if you do that, PatchGuard sees the patch and crashes the machine. And so, in Windows 7, as it turns out, there's a dynamic instrumentation callback that got leaked out in the SDK, and basically, by calling NtSetInformationProcess with the ProcessInstrumentationCallback class and passing a pointer to a function, any single time that the kernel exits to user mode, because of a system call, because of an exception, because of an APC, because of NtContinue, because of a user-mode callback, or because the process is starting up, basically any single point through which the kernel ever returns into user mode, that callback gets called first. And so you get to basically hook and intercept every system call return, every APC, every callback, anything you could ever want, which makes sense if you're building something like Nirvana; no other OS provides something like that for you. So in Windows 7 this is a one-liner: in NtSetInformationProcess you pass in ProcessInstrumentationCallback as the type, you pass in your callback, and now it calls your function any

time one of those things happens. Now, this only works on 64-bit Windows, it doesn't work on 32-bit applications, you need to have debugging turned off, it doesn't catch everything, and it needs privileges as well, so it wasn't super useful because of these limitations. In Windows 10, however, it's now registered in a different way: you have to pass in a structure. The structure has a Version, a Reserved field, and a Callback. So you put your callback there, but Reserved has to be 0; I always love it when someone has a field that always has to be 0, it's like "let's just add more data". And Version depends: if you're running x86 or x64 on x64 you pass 0, but on x86 you pass 1. And yes, now on x86 this callback is supported, it also supports WoW64 applications, you don't need to not be actively debugging the application anymore, and it also now catches NtContinue, although apparently only on x86. So in Windows 10 this becomes a much more widespread thing you can do, because you get all applications: x86 apps, x64 apps, x86 apps running on x64, and you can even have a debugger attached, and you basically instrument what the kernel is doing. For x86 they also had to make a few changes, because on x86 the stack controls everything, unlike x64, because, among other things, parameters get pushed on the stack, and so in the TEB you'll notice more fields: InstrumentationCallbackSp, InstrumentationCallbackPreviousPc and InstrumentationCallbackPreviousSp, so the previous

stack pointer and the previous instruction pointer, because if your function is called instead of what the user expected to be called, you have to know how to eventually get back to where the user expects, and if you don't want to corrupt the stack, you have to know how to bring the stack back to what it was. We also run the risk that the instrumentation callback may itself make an API call, which then calls back into the instrumentation callback, which calls back in again, and so on, so in the TEB you can flip a field that says the instrumentation callback is disabled, and while that field is true you don't reenter yourself. On x64 you normally don't need these fields, because parameters are passed in rcx, rdx and so on, so you don't have to touch the stack, and you don't have to worry about 16-bit versus 32-bit stacks. So all you have on x64 is that r10 contains the previous instruction pointer: the routine is called with r10 containing the previous instruction pointer, and when you're done instrumenting you just jump back to r10 and everything resumes back to normal. So if you want to write such a callback, obviously you have to write it in assembly code; you

need assembly code, and you also have to realize the fact that at this point the kernel has returned back to user mode restoring all of the non-volatile registers to what they were, so if you do things with the non-volatile registers without preserving them, you're going to crash the application that's expecting them. On top of that, you have to worry about whether or not this was a system call, because if this is a system call, the kernel has also returned the return value in rax, and if you now use rax you're going to destroy the original result value that should be returned back to the user. So you have to write intelligent code that determines: is this a system call, is this an exception, what do I preserve and what do I not preserve, or you just write some assembly code and hope you get it right, which is what I did. So let's look at a little demo of how that would look like, and hope that this one works. So
same basic program here, again using the same technique to basically load that same DLL, and hook the heap APIs through the API set chain technique, but this time the heap API hook, instead of DbgPrint-ing the heap API, makes a call to a dummy function, and that dummy function is going to be in another DLL, and what that other DLL is going to do is open up a console. So when notepad starts up, hopefully you'll see a console prompt, and I then initialize a debugger engine, I'll show you why in a second, and then I'm setting up the Nirvana hook, and the Nirvana hook points to the instrumentation hook, which is a little bit of

assembly code. So I'm going to set up some code right here, and this is really dirty code that's barely going to work; notepad will not be able to initialize with what's written here, this is just to get us far enough

into a piece of C code, and then in that piece of

C code, what I do is take the PC, the program counter, figure out the calling symbol from it, and print it on the screen: basically the symbolic name, using the symbol engine to print out the address of that

API. So that works. So everything here looks good, just as a theory. So we build the instrumentation library, here's the heap hook DLL, and here's the instrumentation hook, which I'll show you later. Things get screwed up, OK, that's good. So the instrumentation hook, I'm going to copy this one to System32, because I was lazy and gave it a relative name, so the instrument DLL goes there, and then I run the loader, and this time the dummy function should be called and you should see some things. So again I'll attach the debugger to see what that looks like; don't kill the old one, but I'll take the breakpoint on that,

and now I should not be seeing those heap APIs, and it was still in use; let's rebuild.

OK, this one's tiny, it should communicate this time. So basically this is the console that notepad is now spawning, because the DLL is injected, and the instrumentation hook is revealing every

one of the calls that I made, and by using the symbol engine I'm able to see basically what system calls are being made, and since we're hooking the return here, when I hook the system call on return we're seeing, you know, for example that

whatever key was queried here returned "object name not found", and this is again without any inline hooks or any system call hooks, and we are getting the return value of the call, so you know the call is returning; there are other ways of doing this, but this can be extremely useful in terms of looking at and also understanding what's been going on on the

system. Now, because of the way I've written it, if I let it

go it'll eventually crash; it actually hits a crash because of stack

exhaustion, and that's going to happen. So the process

eventually dies, and if I let it go, notepad would die, but having done this

better, if it kept on going and going and going we'd be seeing all the user-mode callbacks that are done by the graphics engine as well, of course, and you can start doing things like, you know, figuring out based on what the APIs are what the parameters were, and I could decode every single parameter and all the function sources, but the point is just to show you, you know, here's another tool that's there to do that, not built by me,

built-in and free. So the
So the next thing I'll talk about is CFG hooks. Searching for "control flow guard", this was the first thing that came up on a Google Images search; I guess that's for water flow. So what is CFG? It is basically a new mitigation that Microsoft has added in Windows 10, and again the explanation is: when you compile and link your code, it analyzes and discovers every location that any indirect call instruction can reach, builds that knowledge into the binary as extra data structures, and injects a check before every indirect call in your code that ensures the target is one of these expected safe locations; if that check fails at runtime the OS closes the program. So some check is being injected here, and basically when you compile a binary with CFG, an indirect call, where you basically have a C database object and a hash function pointer, now the hash function gets copied into a temporary, there's a __guard_check_icall on the function pointer, and then if that hasn't exploded we call your function. And __guard_check_icall_fptr is normally, when you build the library, a pointer to another function, __except_validate_jump_buffer, and __except_validate_jump_buffer is just a ret. So this means if you run the binary on a non-CFG-aware operating system you just basically take an extra call, ret, call, ret, call, ret for every single indirect call at runtime. So the loader must therefore be doing something to make this more useful than the ret. And so the PE file has what's called the image load configuration directory, and this was used back in NT4 days for app compat hacks, for setting limits on the heap, for debugging, and a bunch of other old deprecated things, and more recently when they started adding security mitigations this structure became more interesting. So for example the pointer to your security cookie and the SafeSEH handler table are in the load config directory, and in Windows 10 and 8.1 Update, when they introduced CFG, they added four more fields: GuardCFCheckFunctionPointer, GuardCFFunctionTable, GuardCFFunctionCount and GuardFlags, and we'll see there's a few more interesting things in there that you may want to look at. So that GuardCFCheckFunctionPointer is basically something that LdrpCfgProcessLoadConfig is going to take: it's going to take that pointer, which is a pointer to that __guard_check_icall function, make it read-write and override it with LdrpValidateUserCallTarget, and it does this for images linked with CFG and if you've enabled CFG; so this is only for binaries that are CFG-aware. And so what used to be here, statically, __except_validate_jump_buffer becomes LdrpValidateUserCallTarget, and the load config directory points to this, and so the kernel, the loader, overwrites this with that, and so this function gets overwritten and now that function is called all the time, and what it does is it verifies, in a bitmap, whether this call is allowed or not. But again, the implementation of CFG others have already covered, so hold on: if there is a CF guard check function pointer, why can't I put my own function in there? And so we can basically replicate the exact same thing that the loader does: find our image load config directory, or the image load config directory of another application, and replace that function with our own function, and again we have for it some assembly code because we're basically right before the real call happens, and again we have to be careful about preserving nonvolatile registers and what registers you mess with, and again we have some assembly code which can then call C, and in that C code, with some decoding, you'll then be able to intercept every single indirect call that any application with CFG makes. So we now have a way to intercept all indirect calls, we have a way to intercept all API calls, and we now have a way to intercept all kernel-to-user calls as well. And so in the guard function it's simple: you get the call that's about to be made in RCX, the other registers pushed on the stack, you validate it, you can print it out, and then you can see all the indirect calls that a binary makes.

So basically, go back to the victim process here and re-enable some assembly code which contains a CFG hook, and here is an example of how one would implement this: basically getting the load config directory just like the loader would, making it read-write just like the loader does, and then overriding the GuardCFCheckFunctionPointer with our own pointer, and having done this we then restore it back to read-only, or whatever the old protection was. So now the CFG hook is going to be called every single time there's an indirect call, and what the CFG hook does is pretty much the same thing that the other hook was doing: it tries to print the symbolic address, but this is not going to be as useful because most of the time indirect calls are not actually to symbolic addresses, except when calling late-bound function pointers; most of these indirect calls go to internal notepad function calls, internal notepad C++ vtables, or internal IAT entries, so unless you have symbols for all those... but you'll still see some printouts. That's pretty much all of the hook. So we'll do that, and then I'll disable the instrumentation callback so that we don't have both of those kind of fighting at runtime, and compile.

We compile test, compile instrument, and copy instrument.dll, so then we can load notepad, and now this DLL which is being injected from MinWin, so we're still using MinWin to inject the DLL, and then that injected DLL is overriding the CFG pointer of notepad and we should start seeing some indirect calls. So attach to notepad and resume notepad. Beautiful black screen here, not so good; let me quickly figure out what I forgot. In the interest of time, a breakpoint maybe right there. Well, nothing went wrong: I had a breakpoint, and look at it, the breakpoint should show that yes indeed it did work until I killed it from the debugger. So as I was working on it the first time... clear the breakpoints, and go again.

So the CFG hook detection: these are basically all the indirect calls that notepad is making, including calls through user32, and the compiler is actually smart enough to add these checks around GetProcAddress as well, so many other things this hook sees: any time someone does a GetProcAddress and calls it, and then any window callback or anything like that, all of those are received.
Now, while I was kind of looking at this, doing a lot of reversing, I just want to point out there's a lot of things that haven't been talked about yet. For example the Nirvana hook that I mentioned: I thought, hey, can you make a bypass, where basically, since the Nirvana hook is called by the kernel, you could bypass CFG because the kernel wouldn't know to verify the CFG bitmap? It actually does, so if you point the Nirvana hook to something that CFG doesn't know about it won't let you do that. You may also know that NX protection has thunk emulation, which emulates instructions that look like ATL thunks; well, they actually make sure that when emulating the thunks they're not calling into a fake thunk that could bypass CFG. So these are CFG bypasses that people won't talk about; the thunk emulation has basically been mitigated. There's also an RTL check for whether the stack pointer is valid, and turning on CFG turns on certain stack checks as well: if you do an NtContinue or a SetThreadContext it will raise an exception with a status saying the stack pointer is not in the valid range. Even though that's not really related to control flow, by turning control flow guard on you mitigate those types of attacks as well. Windows 10 also has a new SetProtectedPolicy and QueryProtectedPolicy, and according to the docs this lets you set up data in a special protected area that, if you have control flow guard turned on, no one can touch or modify after the protected data has been put in there. So CFG actually covers a number of other technologies, not just calling indirect functions, and a lot more research should be put into it that I don't have time for; it looks like there's a lot more to it than what people have been saying.

So the next thing to talk about is AVRF, or Application Verifier. Application Verifier is basically a tool used by Microsoft, and what it does is dynamically identify bugs in applications: it basically subjects the application to stress, subjects the application to API hooks, and using those hooks it verifies the application is behaving properly, so it finds programming errors that might be difficult to detect. So how do they do that with Application Verifier? Well, when you have Application Verifier turned on, and I'll show how that can happen, there's a special DLL, verifier.dll, which the loader knows how to load; it has a special export, a verifier helper table, and through that you can interact with Application Verifier providers. That helper table contains an RTL heap verification table, which lets you override every single heap API, and the reason they implemented this was for what's called page heap, which is basically a debugging technique to see if you have an off-by-one pointer in the heap; with this you're actually able to have a whole page for the allocation, and if you go off by one you crash. But basically, if you call yourself verifier.dll you can hook all the heap APIs, and what's super interesting is calling yourself a DLL named verifier.dll, which we all know how to do. Then I dug into what happens internally: so for verifier.dll to be loaded you have to have one of these two flags in GlobalFlags, FLG_APPLICATION_VERIFIER or FLG_HEAP_PAGE_ALLOCS; when those flags are turned on, then verifier.dll will be loaded. And how are they turned on? You have to write GlobalFlag and set it to 100, which is basically the equivalent of FLG_APPLICATION_VERIFIER, or to FLG_HEAP_PAGE_ALLOCS, and then verifier will be turned on. But then there's another field called VerifierDlls, and anything you put in there will be loaded as an Application Verifier provider; there's actually malware called "trust fire" that uses that. So what providers get loaded is based on that VerifierDlls key, or another key called Application Verifier Global Settings, and for example if you provide a DLL with that name, it doesn't matter what directory it is in, this is just checking the name, not the full path, and you have a function inside called the API lookup callback, then every single GetProcAddress that anyone does goes to you first, and you get the caller who did that GetProcAddress, and you can change the result of the GetProcAddress. Not only that: verifier providers can hook any single exported function of any DLL and have the system do the hooking for you, and have the system deduplicate multiple hooks, so if there are multiple hooks to the same function the verifier package will basically build a chain of hooking functions without you having to worry about that. And if you set the debug flag to true you can basically see the verifier doing all this stuff.

So how can a verifier provider be loaded? Here's how: we write a Windows DLL; you've heard about the four different reasons, process attach, process detach, thread attach, thread detach, although there's the fourth one called DLL_PROCESS_VERIFIER which you probably did not hear about, and when you get that you have a special structure called a verifier provider descriptor; in that structure you put a number of DLL names and a number of API names, function names, and the hook is done for you, pointing at your code instead. So I won't bore you with the structures, but that's what they look like, on the slide; and this is a very simple hook, for example for CloseHandle: I want to hook CloseHandle, so I have a DLL descriptor that says here's my hook DLL, in my DLL it's kernel32, and my kernel32 has some functions, there's one hook, and I define that I want to hook CloseHandle; CloseHandle is CloseHandle and the hook is my little function over here, which then calls the real CloseHandle through the thunk that got automatically put in for me, and then I can print out the result. So basically you have an automatic hooking injection mechanism through Application Verifier where I didn't implement any code, all except these eight lines of code, and the system does everything for me, and it looks like it's done by something legitimate. The other thing that's crazy is that Application Verifier actually gets loaded before kernel32, so obviously here I'm importing from kernel32, so some fixing up has to happen, but my DLL will run before anyone else's DLL gets a chance to execute, before anyone else has a chance to run. So the last little demo will be the verifier demo. So I'll stop this, close the debugger, and then go and register it, turn on verifier, and I've got my provider DLL in there; now launch Notepad. verifier.dll should... I'm using a special launcher, open executable notepad.exe, so now it's going to print all of those messages from the verifier engine, because if you turn on verifier, here's notepad and ntdll, and very far down below, after verifier.dll gets loaded, it says initialized provider, that DLL, and here it is: before kernel32, before kernelbase, before anything else my DLL gets loaded; my DLL then says hello, hacky verifier, and at this point already notepad, all of notepad, runs, and every single time notepad closes a handle there's my debug print because I'm hooking CloseHandle. So that is the AppVerifier hooking.
Thank you. So one thing to note is that to turn this on I had to go into Image File Execution Options, and that registry key is system access only, but it turns out there's a flag in SharedUserData called ImageFileExecutionOptions, and if it is set to true it's going to read Image File Execution Options from a per-user hive, in other words allowing any unprivileged user to turn on verifier for an admin, and then when an admin launches the application it'll load your DLL on your behalf. Now that is disabled by default, but if someone turns it on on a machine, with this very little-known flag which is undocumented, it's extremely available to anyone, basically turning on AppVerifier without being admin; because at least I have to be admin, mostly, for the instrumentation, which is good because it's not as malicious, since you need to be admin to do these things as well, but you may want to make sure that that flag is not set. And the last thing I'll quickly go over, with my two minutes remaining, is shim hooks. So the shim engine, the app compat engine, allows Microsoft to ship basically shims that essentially again hijack APIs and redirect execution, and basically the shim engine is loaded by a function called LdrpInitShimEngine, and this one gets called whenever the pShimData has something inside of it; this then calls the shim engine interface, which is a bunch of function pointers, and calls the entry point, and then for every other shim plugin it calls some function, and there's essentially a whole list of APIs that if you export them with this name you're going to be called at process startup, you're going to be called before initialization, after initialization, when a DLL gets loaded, when it's unloaded, any of these things that happen, including whenever someone calls GetProcAddress, so like with Application Verifier you get a callback. So how do you activate it? All you have to do is make sure that pShimData is not set to null when you create a process, and that it's set to a Unicode string to a DLL name: basically create the process suspended, set the shim data to C:\foo\bar\ plus your DLL, and your DLL gets loaded by the shim engine; as long as you provide the correct exports the shim engine will call you, and you can monitor all those things including all DLL name resolutions, including all GetProcAddress calls, and this is yet another way of instrumenting and hooking pretty much everything in the process. This is also the only one that can be installed dynamically: every single thing we saw had to be done at startup. If you register with your own loader, there's a function called LdrInitShimEngineDynamic, or something like that, and you can then basically hook everything we saw on the previous slide, whereas the others require you being there at startup; in Windows 8 or later, any DLL you want.

So in conclusion, Microsoft has built a number of shimming, hooking, wrapping and verification techniques, in the kernel and in user mode; most of those are undocumented, they require structures that are not well known and that have changed, the core APIs are kind of secretive, and all these not only allow hijacking and instrumentation but in some cases also give persistence, and in some cases emulator defeat as well: if someone's trying to understand your control flow, using all these OS-provided ways to jump from one place to another to hook things makes it a lot harder for someone to figure out what's going on. You can imagine someone using AppVerifier and the shim engine and a Nirvana hook and a CFG hook, using everything we've talked about today, and basically having complete control over a process without having a single inline code hook or any of the traditional things you would look for when monitoring a process. And the last piece: please take a closer look at CFG, there's a lot of stuff there people haven't talked about. So that's it, thank you for listening, and I'll take questions.

Q: So those five hooking engines, between them do they cover the functionality of the trace?

A: The one thing that you won't be able to see, which I think the trace covers, is CPU register modifications, like control registers; I think the trace catches them as well. But other than that, because you can hook any API, any indirect call and any return from any system call, you can basically hook anything at all, assuming the binaries have CFG enabled; if they're not compiled with CFG, for example, you won't get indirect calls.

Q: Do you see all of those engines converging into one?

A: No, it's Microsoft, they like many things doing the same thing, so you can expect more and more engines as time goes on.

Q: That was my thinking as well; it happens a lot, not invented here.

A: I think so, thanks.

Q: Hi, I have a question about the API set. You have said that we can hook the API set and redirect each API inside the new DLL that you write, but the solution seems to have two problems: the first one is that it cannot hook the APIs that are not imported directly from the API set DLL but directly from, for example, kernel32; and the second is, is this kind of hook useful only for those applications, or for all the legacy applications that didn't even use API sets?

A: Useful for both. So what's going to happen is, if you look at a Microsoft application, for example here on the screen, any modern Microsoft application will import directly from those MinWin API sets, and like you're suggesting, the ones importing from the API set you can hook; the question is, what if I just import from kernelbase? Well, kernelbase itself now actually has imports for all those functions as well, so even kernelbase imports the heap APIs by looking them up from an API set, whatever it's called; not all of them, but a big number of DLLs are actually then looked up by kernelbase itself, because you may be importing kernelbase because you're a legacy application and you think that kernelbase has the heap APIs, but they're not there, so kernelbase has to find where they really are. So it is much more generic than just applications that use MinWin.

Q: OK, that's it. And the stuff that you said, that the API set map is in user mode: if you do that, PatchGuard can catch that, but I have not understood how PatchGuard can catch it on the user-mode side; would it be kernel only?

A: As far as I understand, the kernel uses the API set map as well; this is mapped in kernel memory for drivers, for example, and if you modify the kernel's map then PatchGuard crashes. So it doesn't protect against the user-mode one; someone can still do that. OK, thank you.

Q: In all of this, what would you imagine as an improvement in the field, and
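A defender-side check for the Application Verifier provider injection the talk describes, as an added example that is not code from the talk or its demos: it audits an exported IFEO registry tree for the GlobalFlag bits and the VerifierDlls value, flags provider names outside a known-good list, and reports entries under the per-user hive separately, since those only take effect when the SharedUserData flag mentioned above is on. The .reg text is a constructed sample; KNOWN_PROVIDERS and the {ApplicationVerifierGlobalSettings} key name are assumptions, not values from the talk.

```python
"""Audit an exported IFEO registry tree for Application Verifier provider injection.

Added example, not code from the talk. Conditions checked are the ones the talk
describes: an image's GlobalFlag containing FLG_APPLICATION_VERIFIER (0x100) or
FLG_HEAP_PAGE_ALLOCS, which makes ntdll load verifier.dll, plus a VerifierDlls
value naming provider DLLs (matched by file name only, not full path). Entries
under HKEY_CURRENT_USER only take effect when the per-user IFEO flag in
SharedUserData is on, so they are reported with per_user=True.
"""
import re

FLG_APPLICATION_VERIFIER = 0x00000100
FLG_HEAP_PAGE_ALLOCS = 0x02000000
VERIFIER_FLAGS = FLG_APPLICATION_VERIFIER | FLG_HEAP_PAGE_ALLOCS

IFEO_MARKER = "\\image file execution options\\"
GLOBAL_SETTINGS_KEY = "{applicationverifierglobalsettings}"  # assumed spelling

# Assumed known-good provider file names that ship with Application Verifier.
KNOWN_PROVIDERS = {"vrfcore.dll", "vfbasics.dll"}

# Constructed sample export: two HKLM entries, one per-user entry, one benign entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="vrfcore.dll vfbasics.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"GlobalFlag"=dword:02000000
"VerifierDlls"="hookme.dll"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"GlobalFlag"=dword:00000100
"VerifierDlls"="C:\\Users\\Public\\hookme.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe]
"DisableExceptionChainValidation"=dword:00000000
"""

VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9A-Fa-f]{8})|"(.*)")$')


def parse_reg(text):
    """Parse the .reg subset IFEO uses: [key] headers, dword values and strings.

    Returns {key_path: {value_name: int | str}}.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            if dword is not None:
                keys[current][name] = int(dword, 16)
            else:
                # .reg escapes quotes and backslashes inside string values
                keys[current][name] = string.replace('\\"', '"').replace("\\\\", "\\")
    return keys


def audit_ifeo(keys, known=KNOWN_PROVIDERS):
    """Return one finding per IFEO entry that would make ntdll load verifier providers."""
    findings = []
    for path, values in keys.items():
        pos = path.lower().find(IFEO_MARKER)
        if pos < 0:
            continue
        image = path[pos + len(IFEO_MARKER):]
        flags = values.get("GlobalFlag", 0)
        dlls = values.get("VerifierDlls", "")
        if not isinstance(dlls, str):
            dlls = ""
        if not (flags & VERIFIER_FLAGS) and not dlls:
            continue
        # verifier matches providers by file name only, so strip any directory
        providers = [d.replace("/", "\\").split("\\")[-1].lower() for d in dlls.split()]
        findings.append({
            "image": image,
            "scope": "global" if image.lower() == GLOBAL_SETTINGS_KEY else "image",
            "per_user": path.split("\\", 1)[0].upper() == "HKEY_CURRENT_USER",
            "verifier_enabled": bool(flags & VERIFIER_FLAGS),
            "providers": providers,
            "unknown_providers": [p for p in providers if p not in known],
        })
    return findings


def severity(finding):
    """Rank a finding: an unknown provider DLL is the injection case from the talk."""
    if finding["unknown_providers"]:
        return "high"
    if finding["verifier_enabled"] or finding["providers"]:
        return "medium"
    return "info"


if __name__ == "__main__":
    for f in audit_ifeo(parse_reg(SAMPLE_REG)):
        where = "HKCU (needs per-user IFEO flag)" if f["per_user"] else "HKLM"
        print(f"[{severity(f)}] {f['image']} ({where}): providers={f['providers']} "
              f"unknown={f['unknown_providers']}")
```

On a live system the same audit runs over `reg export` output of the HKLM and HKCU IFEO keys.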
Kontextfreie Grammatik
Koroutine
Kraftfahrzeugmechatroniker
Lineares Funktional
Prozess <Informatik>
Krümmung
Systemaufruf
Malware
Ideal <Mathematik>
Ausnahmebehandlung
Malware
Zeiger <Informatik>
Optimierung
Variable
Hoax
Rechenschieber
Verkettung <Informatik>
Datenfeld
Funktion <Mathematik>
Datenstruktur
Garbentheorie
Menge
Wurzel <Mathematik>
Ein-Ausgabe
ATM
Grundsätze ordnungsmäßiger Datenverarbeitung
Projektive Ebene
Identifizierbarkeit
Normalspannung
Verzeichnisdienst
Speicherverwaltung
Tabelle <Informatik>
Proxy Server
Content <Internet>
Zahlenbereich
Systemzusammenbruch
Abgeschlossene Menge
Zellularer Automat
Keller <Informatik>
Code
Homepage
Service provider
Spannweite <Stochastik>
Adressraum
Proxy Server
Datenstruktur
Zeiger <Informatik>
Elektronische Publikation
Booten
Konvexe Hülle
Programmverifikation
Einfache Genauigkeit
Physikalisches System
Keller <Informatik>
Programmfehler
Flächeninhalt
Hypermedia
Injektivität
Wort <Informatik>
Emulator
Turnier <Mathematik>
Transinformation
Punkt
Programmverifikation
Abgeschlossene Menge
Extrempunkt
Kernel <Informatik>
Service provider
Offene Menge
Last
Fahne <Mathematik>
Debugging
Weitverkehrsnetz
Kernel <Informatik>
Punkt
Prozess <Physik>
Gemeinsamer Speicher
Kontextfreie Grammatik
Kartesische Koordinaten
Extrempunkt
Dicke
Bildschirmfenster
Computeranimation
Kernel <Informatik>
Homepage
Netzwerktopologie
Konfigurationsdatenbank
Fahne <Mathematik>
Hook <Programmierung>
Fahne <Mathematik>
Bildschirmfenster
Kontrollstruktur
Emulator
Bildauflösung
Schnittstelle
Kontextfreie Grammatik
Lineares Funktional
ATM
Vervollständigung <Mathematik>
Prozess <Informatik>
Installation <Informatik>
Plug in
Systemaufruf
Ausnahmebehandlung
Varietät <Mathematik>
Zeiger <Informatik>
Mechanismus-Design-Theorie
Hoax
Konfiguration <Informatik>
Rechenschieber
Software
Funktion <Mathematik>
Datenstruktur
Zeichenkette
Systemverwaltung
Ablöseblase
Virtuelle Maschine
Zahlenbereich
Zentraleinheit
Code
Datenhaltung
Virtuelle Maschine
Adressraum
Arbeitsplatzcomputer
Booten
Spyware
Fünf
Datenstruktur
Zeiger <Informatik>
Bildgebendes Verfahren
Graphiktablett
Diskretes System
Unicode
Programmverifikation
Systemverwaltung
Einfache Genauigkeit
Plug in
Mailing-Liste
Physikalisches System
Elektronische Publikation
Zeichenkette
Last
Parametersystem
Randverteilung
Gamecontroller
System Dynamics
Wort <Informatik>
Speicherabzug
Lineares Funktional
Shape <Informatik>
Prozess <Physik>
Zahlenbereich
Ruhmasse
Kartesische Koordinaten
Gesetz <Physik>
Computeranimation
Kernel <Informatik>
Mapping <Computergraphik>
Informationsmodellierung
Druckertreiber
Mereologie
Touchscreen
Zustand
Quellcode
Computeranimation

Metadata

Formal metadata

Title Hooking Nirvana
Subtitle Stealthy Instrumentation Techniques for Windows 10
Series title REcon 2015
Part 12
Number of parts 18
Author Ionescu, Alex
License CC Attribution 3.0 Unported:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided that you credit the author/rights holder in the manner specified by them.
DOI 10.5446/32812
Publisher REcon
Publication year 2015
Language English

Content metadata

Subject area Computer science
Abstract In this talk we will cover 5 novel instrumentation techniques that all rely on deep Windows Internals: AVRF Hooking, MinWin Hooking, Shim Hooking, Nirvana Hooking, and CFG Hooking. We will start by describing the intended use of these technologies in Windows and what their normal use cases and scenarios are, followed by explanations and demonstrations on how to abuse them to do your bidding. In turn, we will detail how to detect each of them from a defensive perspective, contrasting current hook detection methods and their inability to pick up on these techniques. These hooking techniques can be leveraged for code obfuscation, dynamic binary instrumentation, implementing stealthy hiding techniques and more.
