Hooking Nirvana

Video thumbnail (Frame 0) Video thumbnail (Frame 7407) Video thumbnail (Frame 15583) Video thumbnail (Frame 23499) Video thumbnail (Frame 26316) Video thumbnail (Frame 27648) Video thumbnail (Frame 33730) Video thumbnail (Frame 35039) Video thumbnail (Frame 36896) Video thumbnail (Frame 39752) Video thumbnail (Frame 42118) Video thumbnail (Frame 51792) Video thumbnail (Frame 53130) Video thumbnail (Frame 56193) Video thumbnail (Frame 57860) Video thumbnail (Frame 59690) Video thumbnail (Frame 61215) Video thumbnail (Frame 64730) Video thumbnail (Frame 67390) Video thumbnail (Frame 69347) Video thumbnail (Frame 70860) Video thumbnail (Frame 72617) Video thumbnail (Frame 74000) Video thumbnail (Frame 84366) Video thumbnail (Frame 86280) Video thumbnail (Frame 88125) Video thumbnail (Frame 96272) Video thumbnail (Frame 98611)
Video in TIB AV-Portal: Hooking Nirvana

Formal Metadata

Hooking Nirvana
Stealthy Instrumentation Techniques for Windows 10
Title of Series
Part Number
Number of Parts
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
In this talk we will cover 5 novel instrumentation techniques that all rely on deep Windows Internals: AVRF Hooking, MinWin Hooking, Shim Hooking, Nirvana Hooking, and CFG Hooking. We will start by describing the intended use of these technologies in Windows and what their normal use cases and scenarios are, followed by explanations and demonstrations on how to abuse them to do your bidding. In turn, we will detail how to detect each of them from a defensive perspective, contrasting current hook detection methods and their inability to pick up on these techniques. These hooking techniques can be leveraged for code obfuscation, dynamic binary instrumentation, implementing stealthy hiding techniques and more.
Presentation of a group Group action Hoax Decision theory Multiplication sign Coma Berenices Mereology Medical imaging Mathematics Formal verification Information security Physical system Area Covering space Arm Block (periodic table) Sound effect Staff (military) Maxima and minima Type theory Architecture Right angle Point (geometry) Dataflow Game controller Time travel Menu (computing) Wave packet Number Twitter Revision control Latent heat Term (mathematics) Hacker (term) Touch typing Data structure User interface Addition Information Projective plane Cartesian coordinate system Symbol table Kernel (computing) Computer animation Software Blog Control flow graph Communications protocol Local ring Window
Run time (program lifecycle phase) Code Direction (geometry) Multiplication sign Sheaf (mathematics) Set (mathematics) Design by contract Water vapor Mereology Mathematics Sign (mathematics) Coefficient of determination Semiconductor memory Single-precision floating-point format Core dump Special functions Physical system Arm Mapping Maxima and minima Flow separation Membrane keyboard Message passing Arithmetic mean Process (computing) Internet service provider Order (biology) MiniDisc Summierbarkeit Quicksort Point (geometry) Flock (web browser) Implementation Functional (mathematics) Computer file Observational study Transport Layer Security Device driver Rule of inference Field (computer science) Revision control Project <Programm> Ideal (ethics) Authorization Data structure Booting Address space Computer architecture User interface Standard deviation Cellular automaton Projective plane Cartesian coordinate system System call Word Kernel (computing) Computer animation Factory (trading post) Rewriting Table (information) Window Library (computing)
Presentation of a group Code Plotter Multiplication sign Numbering scheme Set (mathematics) Design by contract Insertion loss Client (computing) Ext functor Mereology Mechanism design Mathematics Sign (mathematics) Semiconductor memory Core dump Data conversion Extension (kinesiology) Information security Physical system Decision tree learning Email Arm Mapping File format Block (periodic table) Structural load Sampling (statistics) Bit Database transaction Data management Arithmetic mean Process (computing) Hash function Normal (geometry) Arithmetic progression Asynchronous Transfer Mode Point (geometry) Slide rule Server (computing) Game controller Mobile app Functional (mathematics) Service (economics) Computer file Device driver Theory Revision control Goodness of fit Data structure Booting User interface Mobile Web Addition Stapeldatei Mathematical analysis Counting Limit (category theory) System call Kernel (computing) Computer animation Integrated development environment Window Library (computing)
Point (geometry) Aliasing Goodness of fit Word Kernel (computing) Computer file String (computer science) 1 (number) Design by contract Website Fiber (mathematics) Engineering physics
Point (geometry) Web page Functional (mathematics) Hoax System administrator Execution unit Device driver Field (computer science) Theory Mathematics Semiconductor memory Data structure Metropolitan area network Physical system User interface Mapping Demo (music) Structural load Memory management Directory service Cartesian coordinate system Pointer (computer programming) Kernel (computing) Computer animation Buffer solution Normal (geometry) Freeware Window Spacetime Library (computing)
Standard deviation Information Computer file 1 (number) Device driver System call Theory Computer animation Ideal (ethics) Software testing Booting Window Compilation album Library (computing) Physical system
Preprocessor Uniform resource locator Computer animation Mapping Observational study Design by contract Device driver Software testing System call Graph coloring Physical system
Existential quantification Group action Dynamical system Functional (mathematics) Supremum Multiplication sign Patch (Unix) Debugger Memory management Set (mathematics) Graph coloring Sign (mathematics) Arithmetic mean Hooking Query language Chain Right angle PRINCE2 Data structure Resource allocation Spacetime Physical system Library (computing)
Windows Registry Slide rule Randomization Sheaf (mathematics) Numbering scheme Coma Berenices Mereology Computer programming Twitter Medical imaging Crash (computing) Mathematics Mechanism design Hooking Single-precision floating-point format Information security Booting Address space Physical system Engineering physics User interface Addition Standard deviation Arm Touchscreen Mapping Maxima and minima Parsing Electronic signature Message passing Process (computing) Kernel (computing) Googol Computer animation Right angle Pattern language Figurate number Asynchronous Transfer Mode
Group action Building Dynamical system Just-in-Time-Compiler Ferry Corsten Code Multiplication sign Parameter (computer programming) Disk read-and-write head Computer programming Usability Mathematics Software framework Social class Physical system Exception handling Theory of relativity Bit Maxima and minima Virtualization Type theory Process (computing) Resultant Asynchronous Transfer Mode Point (geometry) Web page Functional (mathematics) Mobile app Game controller Patch (Unix) Time travel Density of states Translation (relic) Field (computer science) Revision control Crash (computing) Data structure Standard deviation Information Assembly language Weight Debugger Limit (category theory) Cartesian coordinate system System call Word Kernel (computing) Pointer (computer programming) Computer animation Formal grammar Window
Point (geometry) Functional (mathematics) Hooking Assembly language Code Multiplication sign Debugger Chain Memory management Volumenvisualisierung Right angle System call
Area Functional (mathematics) Touchscreen Code Interior (topology) Multiplication sign Debugger Symbol table Theory Goodness of fit Booting Physical system Library (computing)
Area Multiplication sign Memory management
Point (geometry) Functional (mathematics) Arm Video card Key (cryptography) Code Source code Parameter (computer programming) Stack (abstract data type) System call Computer animation Logic Term (mathematics) Physical system
Dataflow Run time (program lifecycle phase) Link (knot theory) Code Multiplication sign Binary code Control flow Water vapor Database Food energy System call Computer programming Revision control Medical imaging Uniform resource locator Googol Computer animation Data structure Object (grammar) Freeware Control flow graph
Point (geometry) Functional (mathematics) Context awareness Run time (program lifecycle phase) Computer file Function (mathematics) Graph coloring Field (computer science) Subset Medical imaging Hacker (term) Single-precision floating-point format Operating system Data structure Information security Booting Hydraulic jump God Compact space Validity (statistics) Structural load Counting Directory service Limit (category theory) System call Curvature Pointer (computer programming) Process (computing) Kernel (computing) Computer animation Hash function Buffer solution Configuration space HTTP cookie Figurate number Table (information) Control flow graph Reading (process) Local ring Window
Functional (mathematics) Digital electronics Code Multiplication sign Medical imaging Formal verification Metropolitan area network Addition Arm Assembly language Mapping Structural load Weight Physical law Bit Directory service Cartesian coordinate system System call Kernel (computing) Process (computing) Mixed reality Order (biology) Self-organization Configuration space Intercept theorem
Functional (mathematics) Arm Information overload Multiplication sign Letterpress printing Maxima and minima Directory service System call Symbol table Pointer (computer programming) Configuration space Table (information) Address space God
Voting Run time (program lifecycle phase) Pointer (computer programming) Software testing System call
Touchscreen Multiplication sign Figurate number
Voting Computer animation Information Multiplication sign System call Address space Compiler
Hoax Code Multiplication sign Range (statistics) Execution unit Set (mathematics) Stack (abstract data type) Computer font Software bug Emulator Malware Mechanism design Hooking Hypermedia Single-precision floating-point format Formal verification Special functions Flag Descriptive statistics Physical system God Exception handling Area Injektivität Arm Closed set Stress (mechanics) Bit Curvature Process (computing) Internet service provider Chain Resultant Point (geometry) Web page Slide rule Functional (mathematics) Identifiability Control flow Field (computer science) Number Crash (computing) Ideal (ethics) Data structure Proxy server Booting Address space Demo (music) Cellular automaton Projective plane Directory service Line (geometry) Cartesian coordinate system System call Word Kernel (computing) Pointer (computer programming) Network topology Table (information) Window
Point (geometry) Kernel (computing) Closed set Multiplication sign Structural load Tournament (medieval) Debugger Open set
Web page Point (geometry) Slide rule Dynamical system Functional (mathematics) Game controller Hoax Computer file Code System administrator Image resolution Multiplication sign Workstation <Musikinstrument> Control flow Number Medical imaging Hooking Computer configuration String (computer science) Single-precision floating-point format Formal verification Core dump Flag Data structure 5 (number) Plug-in (computing) Physical system Exception handling User interface Graphics tablet Spyware Structural load Electronic mailing list Shared memory Cartesian coordinate system Complete metric space System call Word Kernel (computing) Process (computing) Befehlsprozessor Pointer (computer programming) Personal digital assistant Network topology Control flow graph Window Asynchronous Transfer Mode
Functional (mathematics) Touchscreen Mapping Physical law Device driver Shape (magazine) Mass Cartesian coordinate system Mereology Number Process (computing) Kernel (computing) Computer animation Endliche Modelltheorie
Computer animation Source code
the group that it could be that the if if if if you if you use the half half half the time for all of the there so so my talk is called looking a were still used in addition to me and for those of you who read the abstract you probably very confused about what on earth all those acronyms and names meant so brief little intro myself and mountainous going currently chief architect across strike and to secure the start up that you may have heard about have been about 4 years working on the end point of a software that we build and previously to that and more relevant to my experience I was doing research during of this kernel which is so I'm doing I have been doing since I was little and work a protocol react to us and while working on react to us I learned a lot about how the winners kernel works what makes it tick and a lot of very interesting side effects and design decisions that were made on the way there but I then worked on the Windows Internals books which some of you may have read answered in training at conferences like recon arm and others it's always a pleasure for me to come talk about some of the little parts of the OS that are not very well known from that have interesting side-effect specifically when it comes to you on the security so this talk Simula 5 different of the 5 different types of those technologies from 1st maybe time travel debugging on a Ronald the without as obstacles in the application Verifier or a b f then minimize windows or men went the application badly injured audition infrastructure from engine and from a control flow got now we're going to see with the intended use of these things on a system was and is and how their use can be misappropriated did misused are more leveraged and there's these techniques that can be used both for the fences well for often so I will talk a little about coating kind of detectors see that these things may be happening on your systems so so these research some of these techniques have been talked about before and so for example the trick that I'm going to show you that uses nirvana was discovered and by some called Nick ever docks and he wrote a landmark local project . com what happened after that is my staff probably gonna knowing that summer discovered this interface and they completely changed in when 10 so that articles no longer really relevant I mean when had some good and papers from quirks 11 AR came from but again the manually resins you structures from and their blogs for when 18 Windows 7 when 10 completely changes the structure is so the and that information is no longer on really acted for a set CFG has a really good why paper from trend micro from presentation from NJ 0 11 as well but they're really good papers on how CG works and when I was looking at CFG in terms of an untidy exploit mitigation tool going you looking at serious instrumentation tool In this paper the only cover that common ADR after I haven't seen anyone talk about that except the really old block post of Russian hacker called assessed on the smaller details there but touches little on 1 will be shown you and fish imaging hoax all I found as a Chinese article on objectively well written wanted translated on this true ICA for 1 is a so some of this stuff is has people kind of touching on the side of maybe some things have been looked at before but can the point of all this specific we take a look at how things have changed when 10 so if you do it in article about your honor try to use it on a modern version of Windows who work anymore so you'll see what's in those changes are with data structures may have been modified with version numbers Jefferson now I'm new EPI is mitigations the max of may have added because they've seen people right blogrolls about these things on and everything all talk about is on built 10 thousand 74 there are newer builds but max of refuses to really symbols for them so that symbols it's kind of hard to see what's there and I don't think they've changed that much between 1 month ago in and today terms of these types of things but keep in mind that everything years 10 thousand 74 and may yet change before on the final release of so will start menu hooks move on to nirvana Noldus CFG area of cough will have fun versions and then come in all take any questions in an wrap up so 1st all mean when this is an
actual screenshot of men when booting up his arm you've never seen before and what is meant when I was in a journal
microsoft project to basically re-architect the layers of the winners bring systems when they've coupling esteem build isn't he was a very low level microkernel-based last with a thin layer of drivers on top subsystem and then highly functionality on top of that and over time windows kind of grew into a beast and then you start having dependencies or dependencies and circular dependencies and started in really make a lot of sensing 1 and so around the winners with the time frame when this kind of bubbled up to the present you know how successful this there was half for Windows 7 this token is internal projects and min when is there something that we'll binary or you'll know what a ship sums of Pollock but parts of it and parts of the architecture behind it or making its way in Windows 7 Windows 7 some people started noticing some strange DLL names on my under disk or an import tables those a tiny little deal authority API dash M as Ashwin and these are basically problematic calls API contracts reuse applications the Windows 8 is contracts became kernel contracts as well in the blue water all the way down became aware of these EPI sets a lot people knew this was for but when the standard Mac stuff announced 1 core which basically makes you able to write a single application that works on all versions of Windows cleaning when this region of things Windows server on x-box Windows Phone and part of how they were able to do that was because of this really hearing they have to do for almost half a decade of not a whole decade itself and the whole point of this was to create the CPI sets and so the core maximum cells what EPA sets are strongly mean EPI contracts they provide a separation between the EPI contract and the associated DLL In other words if you're looking for create file you don't need to know that create files and kernel 32 he doesn't have a DLL there that gives you kernel 32 and so the that but gives a great file art and so the PSS less to do is allowed order to perform a runtime redirection of the actual API said host yellow that implements the that you want visit to decouple the EPI names from the PM providers and allows you to better factory offering system allows you to load less the allele's because now for example by having a less where create file exists in a single pendulum ideal all at all and no studies create files I can load that the yellow sort of having flowed through the whole kernel 32 The Yellow which winners 3 megabytes and so the separation between contract and actually PM plementation is what allows you for example to import an API that now when this phone may not even exist but is in a stub implementation for it's like application Castellote so how does this redirection work the in Windows 7 1 single file API sets schema dog yellow to file that contains a section inside of it called . API said kernel boots up in calls PSP EPI said map which verifies that this sign driver so it is treated like a driver and has to be signed based on the rules of kernel-mode code it looks at the section map sit and membrane and finds the offset of work API said every single time a process launches API says mapped in the process memory starring 1 of 7 we had this file mapped into any process their launches a windows the mapping is not the only but it's not mapped to special flock of Sec no change so this means that 1 also on when the 7 we can actually make this mapping rewrite and message that inside a memory the and the address of this mapping is written in a special field called EPI set mapping your pet just structure very process hats so you can know you can always find a map and I wanna 7 you can modify your map as well notes was to become a system-wide maps loader just entered yellow every single time alluvial l with call a special function of the API apply following the direction and again go look that mapping and see OK so you want API dashed M. dash wind dashed process stash create yellow you won the contract lets you create processes and then go find out in your mapping would be implements that which today might be kernel 3 kernel-based 1 they maybe Proc API that the L awesome machines you know logically processes so might be a stub that just says you can't cre all that is done by the loader through this EPI said the direction because you it's interesting because this essentially means that any time now Lauder library there's this that back door and that actually takes it real DLL instead of giving you to deal only fire getting from that's now in Winner 7 the by 35 Delos a redirected so and the actually ship the ahead focal EPI said that each which
documented basically what that EPI set map looks like together winner 7 SDK we had these 2 structures here and basically the the EPI said array this actually the structure that's what's in memory is a version which is 2 . 0 in that OS count just of 35 their array of the structures here each of these structures and gives you the name of the DLO and the data associated with that so this basically is a conversion that goes from let's say API that I'm especially in harsh proc that street Daniel and it says on your system this is in kernel 32 of the other now these API sets Canakci have versions as well so it's possible and 1 day I might decide to have a Cree process extended function well I was going to be an API that mustache Dutch progress 3 dashed to study below which 9 seats now the 2nd version of this contract so the contracts can be versioned as well as the just just providing a redirection so when there's a you see a big change here 365 deals and I redirect and I don't have EPI also to use 2 separate contracts also were called extension sets and extensions such a were now used to basically checked using API that may or may not exist on euro us and limit check if DPI said it exists and if so I'm going to college 2 simple examples every time you load a dry run windows were going to check it is is a sign we always do that but there are going to check is the signing policy extension DLL and there is because you know when the Sloan and knock installed 1 and is a knock is also gonna get a call an OCR is going meal the say I want this app to run because it's not you signed and I trust documents servicing company now but let's say they work on your desktop You don't have that EPI set extension present so the kernel is not going to make the call so now whenever you look at the Service Control Manager kernel theory kernel so lots of other pieces of code they now checked this exist when your system and if so call the extension of their windows came with a kernel transaction manager Windows 7 and Windows Vista in Windows 8 it's optional so on desktop she have T and . since you have this API said here EXT MS when and Tarski M L 1 which on a desktop system says the analysis on a phone system there's no t and answers so that extension doesn't exist in the kernel never try making those calls the other big change here is that this is no longer loaded by the kernel slowed by the bootloader and as soon as you boot and subject to the same policies as any other good driver loader will API set they can also load additionally PI sets you actually have more than 1 schema always schemas get merged together and the final API said scheme which then gets later passed on to the cart the kernel now mapservice sec no change and so the addition of the sliding windows a means that you can no longer modify year arm schemas at least not through in easy fashion and finally on the structures of changes what Windows 8 now in Version 4 a structure that will be different but they're still shipping headers so you the winners e . 1 is the k you'll be able to new structure and what it looks like and basically they added some plots the out the size of the changes structure a little bit but he still documented by either accidentally or not but it's and it's it's freely available and this ticket In with 10 the bill that I have 2007 for the enough 602 redirected the loss and I can start seeing there be for exports for Windows Phone for when this region of things when a server Windows client that I really see how 1 core leverages this mechanism is the and the API structures are now version 6 format and version 6 is a breaking change the structures actually change significantly on what used to be an array becomes offset these entries themselves have a hash inside so any tools are in 2 parts the winners 8 scheme will no longer work on on Windows 10 is the need to redo the whole structure is and and writing new tool the other thing that happens now is that when kernel-based gets loaded the delay low descriptors apart at anything that starts EXE dash the points a kernel 32 and all of that so there's basically additional logical and and in the code to support our continued use of these men win the such so if you want to pass the moment of standard it would look something like this but I don't worry the slides the available so I don't expect those in the back to be squinting this is fairly simple army good on offset there's an array there you iterate the offset the offset has other offset theater over those and eventually a mapping of every deal and it's he corresponding API set several tool and
here's just a brief low sample what that looks like so for example there's a DL here API N wind-based would con con thing well that's actually have about B 32 or you're trying to get to API MS win composition batch window manager or that's actually UDW and and if you trying to get to win core Adams that's actually kernel 3 so the whole point here is no longer importing the deal names here importing these contracts in this file tells you where to find them and it's not just mode it's kernel-mode as well so here's another example where there is a modern core Ashwin they based nt GDI and on modern core that Poisson when thirtyfold offsets but there's is also a MS Windows Mobile core dashing boot you can see that is an empty set that's because on a desktop system your have a more block core libraries not you not a mobile phone so some of these things are going to be empty because this they're simply not provided under your environment I have no idea what MRM is but an norm res manager is present but MRM environment is not present and vise versa a phone things may look different some of these may be only on phone and non desktop and so on and so forth the here's another example of this and the kernel so kernel security kernel signing policy are empty on desktop but the file to the microcode updates microcode is actually pointing to and prospects or isolated mode not present on the current belts
so let's the 1 a modify its because you can modify this that means you can now a redirect execution words other deal else so 1st all you have to decide what are you going to modify let's say you want to modify the PPP eyes we chose contracts has he beat so Marx abuse and as a website on him as the and with the document every single API that when this happens including on document ones and which API said the present to you identify the EPA wanna look good at what they do to EPS it's n and that gives you the EPI contract you can iterate over the EPI said now find the contract means replace the string kernel 32 with you know my kernel died you know and now redirection ability of everything have to be careful with is that earlier in the tools out that
here the solid for example and fibers and file were all point in kernel base that string is actually alias and so anything that's basically saying kernel-based this can have the same offset the kernel-based so if I replace this with you know my base that everything else is going become my base so instead of basically all
the pointer what you have to do if we go back and look at the structures is there's an offset field to change the offset to another offset and then your entry has a different offset than all the other entries now that means you have to allocate all the
more space in the structure you
basically allocate your own buffer and you point out said to Danube off this if you capture sculptures a habits Richard do them the 1st lesson mention is that EPA said map is mapped matters read only and winners in high you cannot remap it is read right because of the special 2nd change so much easier modification to make is added the pet because the pet points to the API maps so you read existing map allocate an identical 1 plus a page copy of the old copy on top of a new copy make the changes that you wanna make and then overwrite API said map to point you copy because the pet is writable so that point can be changed to memory that you control the other thing to be careful about is that the redirected yellow man if you notice there there was no full path in the screenshot spread just said kernel-based and that's because the assumption is that all the target deals on C windows and 32 nasty witnesses 32 is an admin directory and severe trying redirector hijack an application in you one-half the admin Becker started from dropping deals their but you can just mania DLL slash pool flashy driver slash callers you may be wondering why on earth would you name in this way will because this is an actual subdirectory in system 32 if you go to see Windows systems theory to spool drivers scholar it's a read-write directory for users she can drop UDL in there and then the name of the DLL actually the direct you the DLL and then all of the DL there even if you not the last thing to worry about is that if you yourself are then hooking any API that's in kernel 32 a kernel based on API dash whatever when you actually try to call the real API you're all look up of baby will itself be redirected back into yourself and so what you need to do is build your own import library where he imported directly from the host for you know exactly that he Belloc isn't he died the import from he died ELL otherwise if use a normal Windows libraries you import from yourself and then you just spend forever and ever and ever so and show you a demo of basically how to in woman that with a simple library that is great our hoax all of the and he the eyes FIL library and load notepad with that 1 would that change and hope that it works so snowplows command of the unit comes to so just to show overdone here we basically have but all the hooks for he powerlog for heap free and he pelican heap free for example they're doing d but trained and then the calling the original function Amen and this looks
at all the year he PVIs the have to so keep acquire information keeps information invalidate hope he he create etc. and then there is the simple
definition file that says you know here's all the originally the eyes and here's my hooks for those if you US discursive call them the same way and I can't I could call them the same way but then I'd have to dynamically and for the other ones as well certified builders library it's going to
go and see Windows system theory to schools slash drivers slash callers slash test ideal and users can right here in from not running the compilers admin to its is able to write it in their the and I have a simple loader that's basically going to load notepad Standard
preprocess call I'm and we're going to look for EPI dash men dashed he bashed alleged food as 0 that's the contract for the he PPI and when the person EPI map of notepad and going to be looking for that contract and when we find Evigan overwrite it with school slashed drivers slash colors slash test so basically were saying and this is
the name of the DLL which matches the location a system for so what
channel put a brief on a resume chart occurring and then I can open up a debugger and try to see what happens had go and they notice there's a mother lode caller study a little bit and
if it go and then resumed on my hands here and there's no proud and
there's the debugger and for example you get to learn the retirement of character there is to allocations and 1 for and every time you park space 2 allocations and 1 free the and if you just backspacing there's nothing just 1 out of so clearly you know that there and I may not be able to see it but is basically those are our new by Prince confirming that the user queries and what he pelican he priest and gone to us and we haven't had to you know we haven't done any of the
traditional cooking things here all Dennis chain structure member of the PI sup and so the Navy company looking for books right he he'd free are not hope there's no and 1 Coke could hook there the IAT has been passed by some of malicious this is just using the exact same mean when functionality there a system so how do you differentiate this from something legitimate saw something illegitimate well 1 clear sign user DLL main right schools last Prince slash color probably not remarks of his but the DLs onsets obviously telltale sign a something's off there are fight it out and right so I could write a system to right and I could call this the added the yellow and you would necessarily know that it's not supposed to be but not as funny sets aside the such a pretty cool thing you can do because now I have a heap instrumentation library like instrument all he baby eyes and I did need to do any kind of weird D. towards the patching were playing with known Hillel's or any of the weird things national may have to do so that's an example on 1 of these what group called dynamic instrumentation techniques but thank you
now welding as research on the specific 1 arm EPA said schema doesn't have to be summer Microsoft has be Simon of a Microsoft enters the registry key that lets you could say put additional custom EPS of schemas on this and in some parts of the kernel of for example check is the CPI said present and if so I'm going to make all my system calls go through it or the CPI says present I'm in a coma process duration go through it so if you create the right EPI said that the right API name you have to sign it but doesn't have to be some much softer sees economics of signature these days on you can basically hook every single kernel API the parser normally mess with you and again I so sexy persistence mechanism all you have is a deal on this which is a fake additional scheme of a registry key to point it out Schema which none of the company's know look for and you basically go well turns other well work and the slide my program crashed soft Security got dumped and just by random chance pattern windows 10 now protects against this exact trick so when the standard future change EPI said mapping kernel-mode possible actually crash you can still do what I do that no understand no problem in user mode but incur a monthly trend message address this way arm of the figure out so that's a seascape and scowling being ahead and them figure in these things out right so this
is an orgasm on monologues and but I try to do for every single section the 1 on google image search and the 1st image that I could find for each of the things doesn't talk about so for many when it was that bootloader screen for run that does what came up and the like searching more so what is nirvana then a max of some
words run as a light weight dynamic translation framework that can be used to monitor and control the use of motor execution of a running process without needing to recompile rebuild any code in the process this is referred to as program shepherding sandboxing in relation virtualization and translation love global so basically Max internal translation at the end and the transition from now using this framework the to like ID any time travel tracing true can you've been at conferences a red marks of research papers you probably seen these amazing credible technologies being referenced time after time after time again and never ever got the chance to use and because max of his not of them publicly but have as a runner the internal tool that they have a new job without hiring PageGarden it's from the dynamic instrumentation crossing terror less you need to pull can patch things in a kernel as well if you do that page's in the patch in crash a machine and so Windows 7 as the K. turns out there's a dynamic instrumentation call back that got leaked out on the as k and basically the showed by calling NT set information process past and the processes tradition callback class and it takes a pointer to a function what a point that function any single time that the kernel exits the user because of a system call because of an exception because of an PC because of that of and to continue or collar usable call back or because the process start up a fresh start up basically any single point through which the kernel ever returns into user mode that call gets called 1st and so you get to basically whole can intercept every system call return every PC every callback anything you could ever want to which makes sense if you're looking building something around you can any DOS provide something like that for you and so when 70 this have a 1 liner In the set information process you pass in prices from tradition callback as a type the passing you call back and now it calls a function at time 1 of those things happen now this only works on for Windows doesn't work so well on 32 bit applications and you need to have debugging turned off and it doesn't catch everything and he privilege as well so it was a super useful because of these limitations in Windows 10 however now registers in a different way we have to pass in a structure the structure has a version reserved and a callback so useful pitcher call back here but reserve has to be 0 and I always love it when someone as the feel that always has to be 0 it's like let's just add more data and the Virgin depends now if you're running a city 6 or 64 on x 64 you pass 0 but city 6 you pass 1 and yes now on 6 this call back is supported and it also supports while 6 for application and it doesn't need your 7 to be selling more pseudoknot the actively debugging the application and also now catches and to continue although apparently only X. a 6 and so no a standard this now becomes a much more kind of widespread harm thing you can do because it'll get all applications 66 apps exceeds for apps exodus examples running on x 64 the only Gavin debugger attach to basically instruments what the kernel is still that were nodes for a sex they also had a few changes are so for example synodic 6 stack controls all the heart 64 because among other things grammars get have pushed on the stack and so in the tab you'll notice the more fields Instrumentation callback sp previous PC in previous would be easier to stack the P. stack in the previous instruction pointer because if you're the function and it's called now instead of what the user expects to have been called you have to know how to eventually get back to where the user expects and if we're not running with you corrupting a stack you have to know how to bring the stack back to word what's and we also run the risk that instrumentation callback may itself make an API then calls back and use traditional backwards and calls back into this tradition call back and so on the head you can flip a feel that says instrumentation is able to and while that field is true then you can not represent yourself out on x 64 normally needles fields because parameters of Posterous CXO dx are online so I want to touch the stack you don't have to worry about a 16 bit that were 32 bits that and so so that all you have 1 x 64 is are 10 contains the previous instruction point to call that routine it's called with our 10 containing the previous instruction pointer and then when you're done instrument you just jump back into work on everything resumes back to post so if you want to write such a callback obvious you have in the assembly code for these 2 have to begin being assembly mode because 3 . 10 you need assembly code and you also have to realize the fact that at this point the kernel has returned back to user-mode restoring all of the nonvolatile registers to what they were and so now if you do things in a non volatile registers without preserving them you're going to crash the use of an application that's expecting the call on top of that you have to worry about whether or not as a system call because of this is a system called what has a kernel also returned the return value REX it if you now use REX you're going to destroy the original result value that should be return back to the user and so you have to I see run of that of intelligent code the Chairman of this is a system call this is an exception what to preserve a 1 not preserved from and not just write some assembly code and and hope you get it right which is what I did so let's look at our little of them of how that would look like and the hope that 1 works so
some basic renders the nite much again use the same technique to basically load that same DLL them and the cook there he be have yellow touching chain techniques but this time the heap API hook instead of D. by printing he API as we make a call a dummy function and that demi functions going to be in another they allow and what is the other was going to do an open up a consul so when notepad subunits CIA hopefully this year a Council prompt and I should went initialize a debugger engine I will see why do you have and then I'm standing up the nirvana OK and then nirvana hook points to instrumentation hook which is a little bit of
assembly code so I'm going to set up the some code right here and this is a really dirty know that's barely going to work a lot note that will not be able to initialize with where written here this so busy you just get us far enough
into a piece of C code and then in that piece of
C code on what is the area the In IPCC crombies the calling sin from outer and imprinted on the screen basically the symbolic names in use a symbol engine to print out are the pockets of that
API yet that that works um so it's the everything here looks good just as a the theory so we build instrumentation library you here FIL and the work and and is able to see a chief Hoke which I'll show you later things get screwed OK that's good so the instrumentation hoped um not this 1 a copy this system 30 to because I was lazy give a relative name so instrument of the little something the same thing ministered no out the low loader and this time the dummy function should be called and you should see some things so again all attached to the debugger to see what that looks like don't kill the old 1 but I would think this spend on that
and now I should not be seen those heap PPPs the immediately was still in use talked about what do rebuild
no custody in triple overtime on no thank you the area this fungus tiny communicate last time so basically this is the of consul that no bad is numbering it because the deal is injected and instrumentation OK is revealing on every
1 of the calls that I made and by using the some Erlangen I able to see basically what system calls are being made and since for hooking the attorney here when I hope the system go in return we're seeing you know for example that
whatever key was queried here on the x returned from logic not found and this is without again any online hooks are any system called looks and we are getting the return not to call that you know there are other ways of call arm and this again can be extremely useful in terms of looking and also understanding what's been going on
system I'm not because of the way I've written and if I had
go here it'll it'll eventually crashing into it actually hits on crashes because of stack
exhaustion and that is good happen the Polish of
pumps eventually dies and 4 had go unfulfilled was died but having done this
better if they could kept on going going going we're seeing all the use more callbacks they're done by the graphics engine from as well the course and you can start doing things like arm you know figuring out based on what the CPIs are what the parameters where and I could be the decode every single parameter and all the function source of but point just to show you know here's another tool that's to do that and not build not be
built-in free I'm that's that so the
next thing which I talk about a CFG hooks and searching for control flow got cook this was the 1st thing that came on google images search this time guesses for water flow so what is the energy
I see it is basically our new mitigation the marks of his Adam Wyner 10 and again the explanation is with the does when you compile link your code that analyzes in this covers every location at any indirect cost version can reach In bills that knowledge into the binaries in extra data structures and injects the check before every indirect calling your code that assures a target is when these expected safe locations in that chick fills a runtime the OS closes the program so some check is being injected here and basically when you compile a binary with COG an indirect call were basically have a C database object
and and and hash function now the hash function gets copied into temporary there is a God checked I call F pointer and then of that has an exploded then we call your functions and God checked I call a pointer is normally when you build the library and while a pointer to another function except the valley jumble of and accept valid jump buffer is just a rat and so this means you run binary on a non CABG aware operating system you just basically take an extra called red called red call red call red called ready for every single runtime function so the loader must therefore be doing something to make this more useful than the red color and so enable the PE file house called image look configuration directory and this was used back in NT 4 days for Apr compact hacks for setting limits on you he for debugging and a bunch of other old deprecated thinks and more recently when they start adding secret mitigations this structure became more interesting so for example the point you security cookie settle can update it is an initial starting directory the trusted SEAT readings on the low coughing director and in Windows 10 and a final update when they introduce CFG they added 4 more fields got CF check function pointer got a function table Garcia function count and got flats and we distend there's a few more interesting things in there that you may wanna look at so that God cf check function pointer is basically something that L the opti configure load configure process local figures gonna it's gonna take that pointer which is a pointer to that the yellow on guard function make it re right an override it with L the Europe's validate user called target and does is it for images linked with of G and if you've enabled CF instrumentation With CFG so there's good as only for binary the CFG aware and so what used to be here statically except Valerie jump buffer becomes LDAP valid called target and with a look at the directory has is a to
this and so the kernel of the loader overwrites this with that and so this function gets overwritten and now that
function as a warning it's called all the time and then it verifies basically what you does is verifies in a bit map is this call are allowed or not but again I talk about the kind of implantation of SUSY others others of them they're ready wages waitressing will hold on if there is a sea of got chicken function why can't I put my own function in the and so we can basically replicate the exact same thing that the law does for man in our image load config directory or any initial config directory of another application right that stuff function which with their own function and again we have for it some assembly code because organ and the basically right before the real call happens and again we have to be careful about preserving nonvolatile registers and what riches you mess up with and again we have Fred some assembly code which can then call C now in that C code order some decoded you'll then be able to intercept every single indirect call that any application where the addition of folk mix so we now have a way to intercept all indirect calls we have a weight and accept all API calls and we have now we have just weight intercept from all kernel to user calls as well and so I got functions these give a simple and you get the call that's about to be made in our C X 1 X C 6 circuits pushed on a stack you will validate that the you can print it out instead arm and then you can see what all the indirect calls that by animate work the so basically and go back to the
victim process here and re-enable some assembly code which contains a CFG cook n is an example of how 1 would implement this and basically getting the
overload config directory just like lower would were making it read write just like a loaded does and then we overriding the God cf check function pointer with our own pointer and having done this we then restored back to regret that 2 well whatever it wants to the old 1 so now CFG folk is going to be called every single time there's an indirect call and what the
COG hooked as is pretty much the same thing and that the other work was
doing call from matter try you the symbolic address but this is not going to be as useful because most the time indirect calls are not actually to symbolic addresses I accept new calling late and he'll function pointers most these indirect calls again to the internal armed note that function calls internal notepad C + + tables are more internal IT tables so that minimizes you have a symbols for all those but which is still see some print that's a pretty
much from all the all the miracles so we'll do that and then all disabled instrumentation callbacks that we don't have you don't have both of those kind of fighting runtime possible the voters there and compiled
we compiled test compiled instrument and the copied instrument something in so then can load notepad common now this deal which is being ejected from England so we're still using min when to inject the yellow and then that injected the allele's overriding the CFG pointer of notepad and we should start seeing some of indirect calls so attached to note
that and and resumed
notepad beautiful black screen here
not so good negative 2nd quickly figure out
what I forgot do presence here you see Hoechst include scrolling and middle name to that's timing is doing that of culture 1 last time if not for the interest of time on a breakpoints may be 1 right there well nothing went wrong had breakpoint and look at it of the breakpoint should show that yes indeed it did work until I
killed it from the an notes act of this reduced so as I was working in a 1st step voting right now the
the clear breakpoints in it
had to go go again
the so the the the common COG who detection so this is basically these are all indirect calls that note has making including you appeared in recall his UW Greece's information on the compiler is actually smart enough to add these checks reading get precarious as well so many other things this year who calls sees any time someone is again Proc addresses come and then any other the will call back or anything like that so those received
units now while I was kind of looking at this poses doing lot reversing arm and just want to point out there's a lot of the things you will have an early talked about yet for example the nirvana that is mentioned I thought about hey can you make a bypass were basically says nirvana hoaxer called by the kernel you could bypass the of Jesus the kernel wouldn't know to verify the CG bit bit-mapped actually does so ?epin Ivano hook to something that's COG doesn't know about it will let you do that you may also know that no extra protection has func emulation which emulates a instructions and look like the teal Fox while they actually make sure that when emulating the stance the not calling into fate found that could bypass UG so this actors and CG bypasses jealousy won't talk about humble looks a has basically mitigating as there's also an are killed God is valid stack pointer and turn on C of G turns terazosin stack checks as wall future do like an anti continue or separate contacts eater raise an exception with the status on the valid range even the that's not really related to control flow by turning control flow got on anomalies his those tabs attacks as well on the witness stand as a new set protected policy inquiry protected policy arm and according them as the and this lets you set up to do its with data in a special protective keep that if you have control flow got turned on no 1 can touch or modified arm after the projected data has been put in there so what 6 COG actually covers a number of other technologies not just um calling indirect functions and you know the greater far more research was put in that I don't I don't have time for that looks like is there for a lot more to it than when people have been something so the next thing to talk about 1 is a a d or f or application verified in application verifiers basically tool on used by Microsoft and what it does is dynamically identify bugs in applications but basically subject the application stress this subject the application to API books and using those hooks a verify the application is behaving properly so fine so programming errors that might be difficult to detect so how does the how do they do that temptation verified well when you have application if I turn on and see how that can happen is a special their local verify that the yellow which the loader knows how to load a special function called the the arrest me low DLL it's a special artillery fire helper table and then you can interact with application verify providers the that help a table contains RTL verify keep table which lets you override every cell he PPI and the reason they implemented as was for what's called a page sheet which is basically a the bagging technique to see if you are and have or in a single pointer in the heat to turn off by 1 with this you actually able to arm have a whole page of the and you do not buy 1 crash but basically if you call yourself the hard of the yellow the economical he beat the eyes let us super interesting is calling yourself in a DLL named we all know how to do that on the heavily turned out to be what happens in eternal so for verified allowed to be loaded you have to have 1 of these 2 flats global flags FLG Application Verifier or FOG he page Alex the when those flags are turned on and then verify will look and how are they turned on you have to write global flying and set it to 100 which is basically the equal of Application Verifier end or if G he page Alex and that 1 verify will be turned off but then there's another field in the called verified deal else anything you put in there will be loaded as navigation verifier provider the this lecture malware called trust fire that uses that so what do providers to what providers are loaded based on that verified DLL sky or another key called application verify global settings and for example if you provided that's called year of word of the yellow and it doesn't matter what directory is so this is just checking the name not the full path and you have a function inside called the EPI lookup call back the that every single get Proc address that anyone does goes to you 1st and you get the caller who did that give Proc address in you can change the result of the get Proc projects just reading but not as that verify providers can hold any single export function of a media Lilly please and have the system do the cooking for you and have this system D duplicate multiple hooks so those multiple hooks to the same function as the verifier package of basically build a chain of coking functions without having to worry about that and he said he the debug the true you can basically see after fire doing all this stuff so how care and verify provided so we can be loaded so here is the red and yellow now we write a Windows DLL the shave heard about these 4 different of reasons prices attached prosody catch through attached to attach although the 4th 1 called processes verifier which tree probably did not hear about and when you get that when you have a special structure called verifier provide a description in that structure you put a number of fonts and a number of the PI names a number of function names and hook small for you in points your code instead so I won't bore you the structures but the and that's what they look like you on slide and this is very simple hook for example for close handle and I wanna cook close handle at but in a area of descriptor that says here my hope Delos in my DLL is kernel 32 and Mike kernel have some fonts there 1 hook and define that I wanna hook close handle close handle is close handle and cosine of hookers my little function over here which then calls Thanks . uncle that race which got automatically put in for me and then I can be about from the result so busy have an automatic hooking injection mechanisms to address fire where i'd and implement any code all except these 8 lines of code in a system that everything for me and looks like it's done by something major the other thing it's crazy but ever fire is an actor gets loaded before kernel 32 so obviously here importing from ground 3 to some forcing up happened but my ideal in will run before anyone else is the yellow jack shit execution on before anyone else is gonna chance to run in so last little demo will
be the verifier demo I'm so
stop this close the debugger
and then go and registered turn on verify and I've got a deal called various . The Yellow now in a launch Notepad
verify that the yellow should it's not going to special
launcher open executable notepad that exceed so knows about about prints all of those from the verifier engine because if tournament 10 years notepad and anti DLL and very far down the below after verified ideologue of loaded it says an initialize a provider that if that the 11 and here it is before kernel 32 before kernel days before anything else might deal about load my ideal then said hello hacky verified on and at this point already notepad all notepad run in every single time not that closes a handle there's mind about press because I'm looking close handle so that is the actor fire cooking the
thank you feel so B 1 thing to note is that the turn this on I had to go in the image file execution options and Andrej and then Richie Key is system access point while turns out that there's a flagon shared user data called image fives station options and is like is set to true and gonna read image finds ecution options from a per-user hide in other words allowing any unprivileged user to turn on very folic edges did for an admin and then when an admin apologia load your deal on your behalf now that is disabled by default but if you do you tread on of someone turns and on a machine with this very little no flag such a document on upstream as the in page on the new extremely available to anyone biscuit turning under fire without in the act because at least I have to be mostly at instrumentation they need not a malicious in because you have some examining into things as well but you may wanna make sure that our flag is in kind of such and the last thing I'll quickly go over why my 2 minutes remaining is a sham hoax so the shipment inferring as the AP
combatant in which allows myself suffered basically expulsions that essentially again EPI hijacks the redirect execution and basically this should mention is loaded by function called L the API in its share engine and this 1 gets called whatever the pads Shin data has something inside of it this then calls Elliot the kitchen engine interface which is about of function pointers in and called entry point and then for every other tioned plugin it calls some function decided and is essentially a whole list of come to be there's a whole list of EPI that if you export them with this name you're going to be called at process start up you're going to be called before initialization after tialization lenition gets loaded when look loaded any of these things that happened including whenever someone calls get Proc addressed as I could have verifier you get a call back so how do you get that activate what all you have to do is make sure that peace Chindia is not set to know when you create a process in which a dissertation there to a unique a string to a DLL named the basically greater process suspended set septation data to see slash foo bar slashed you will not be alone that you allodial gets loaded estion engine as long as you provide the correct exports ution engine will be called and I can monitor all those things including all DLL name resolutions including all get Proc axis and this is yet another way instrumenting looking pretty much everything their process system he also style is dynamically this is the only 1 that can install dynamic everything of every single thing we saw had to be done at start up i the register with your own motor this when he called LDR the it should engine dynamic on something as nourish and you can then basically cocaine with everything we saw on the previous slide so this from those require you being there at start up I'm in Windows 8 or later many colonial deals that you want that so in conclusion Microsoft has built on a number of shimmying hooking wrapping verification techniques in the in the kernel in user mode most of those are undocumented they require structures are now well known that have changed on the core API is there kind of secretive and all these not only allowed a hijacker navigation instrumented but in some cases also have persistence and in some cases emulate of defeat and leaders as well right someone's trying to understand your control flow using all these OS provided ways to jump from 1 place another to hook things are it's a lot harder for summer tourist towns going on you can imagine someone using Abba fire and Isham engine and on a hook and a CFG hooking using everything we've talked about today and basically have complete control over process without having a single in-line code hook or any of this traditional things you would try to do on when you monitoring a process and the last piece all leaders please take a closer look at CFG there's a lot of stuff there people haven't talked about so that's it thank you for listening 2000 or what but then for questions the the so the those for cooking engines right right 5 between them do they cover the functionality of the trees the 1 thing that you won't be able to see which I think the trace covers a CPU register modifications like control registers I think the trace catches them as well you some but other than that it's because you can hook any API an indirect call and any returned from any system call you can be Sky-Hook anything at all assuming the miners have COG enable not compiled with CFG for example and you won't get indirect costs the synergies she all of those engines converging into 1 in Chile always no it's Microsoft they like emission mediate things are the same thing so you can think of a more more engines as time goes on to say that was that that that that was my thinking well I was in that it happens a lot not invented here I think if thanks hi I have a question about the happy said the hippie I said to not because of you have said that we can coca the API said that and the rejected each PPI inside the new DLL that you right but they have look not on the solution seems the 1st 1 is that that did not to buy the book UXi imported directly from the EP set them up the allelic and not directly from our for example of for a standard yet and that is this kind of full books of uh use a full of only for those obligation or for all the glottal all obligation that people didn't even stand of the a having sex useful for both so what's gonna happen is if you look at a Mac South application and Amie except that we
will for example from
all trust something on the screen here you
all day looks like and all I want Robert M. such application will import directly from those men when and like you're
suggesting is the summers inferring from API you can hope that the question is what if I just import from kernel-based of the law can I look that kernel bees itself will now actually has imports for all those functions like that so even kernel-based imports the process CPIs by looking them from EPI Bassianus when Nash whatever not all of them but a big number of deals are actually then looked up the kernel Bayes itself because you may be importing kernel-based because your legacy application in you think that kernel this has a he pp eyes but not there so he bps of how has defined where they really are so it is much more generic and just for applications that use mainly it's OK that's and build the stuff that it's only the data that you have said that that these um Wilkie middle but if you do that the parts that can catch the that but I have not understood the uh how parts got can catch he on the end user model who could it'll be kernel not only so pleasure looks at understand is if you do because the kernel use API set map this mapping kernel memory for 1 of those drivers for example if you modify the kernel's mass then patches and crashed shape so doesn't protect against using that someone can scroll OK thank you check
In all source at the what what you imagine an improvement in the
field and