Process Injection Techniques Gotta Catch Them All

Formal Metadata

Title: Process Injection Techniques Gotta Catch Them All
Number of Parts: 335
License: CC Attribution 3.0 Unported. You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
When it comes to process injection in Windows, there are only 6-7 fundamental techniques, right? Wrong. In this talk, we provide the most comprehensive "Windows process injection" collection of techniques to date. We focus on Windows 10 x64, and on injections from a running 64-bit medium-integrity process into another running 64-bit medium-integrity process, without privilege elevation. We pay special attention to the new Windows protection technologies, e.g. CFG (Control Flow Guard) and CIG (Code Integrity Guard). We differentiate between memory write primitives and execution techniques, and discuss memory allocation strategies. Our collection is curated, analyzed and tabulated, with straightforward, research-grade PoCs. We tested each technique against Windows 10 x64 with and without protections, and we report on the requirements, limitations, and quirks of each technique. And of course, no decent DEF CON presentation is complete without new attacks. We describe a new memory writing primitive which is CFG-agnostic. We describe a new "stack bombing" execution method (based on the memory write primitive above) that is inherently safe (even though overwriting the stack is a priori a dangerous and destabilizing action). Finally, we release a library of all write primitives and execution methods, so users can generate "tailor-made" process injections.

Itzik Kotler
Itzik Kotler is CTO and Co-Founder of SafeBreach. Itzik has more than a decade of experience researching and working in the computer security space. He is a recognized industry speaker, having spoken at DEF CON, Black Hat USA, Hack In The Box, RSA, CCC and H2HC. Prior to founding SafeBreach, Itzik served as CTO at Security-Art, an information security consulting firm, and before that he was SOC Team Leader at Radware (NASDAQ: RDWR).

Amit Klein
Amit Klein is a world-renowned information security expert, with 28 years in information security and over 30 published technical and academic papers on this topic. Amit is the VP Security Research at SafeBreach, responsible for researching various infiltration, exfiltration and lateral movement attacks. Before SafeBreach, Amit was the CTO for Trusteer (acquired by IBM) for 8.5 years. Prior to Trusteer, Amit was chief scientist for Cyota (acquired by RSA) for 2 years, and prior to that, director of Security and Research for Sanctum (acquired by Watchfire, now part of IBM's security division) for 7 years. Amit has a B.Sc. from the Hebrew University in Mathematics and Physics (magna cum laude, Talpiot program), was recognized by InfoWorld as a CTO of the Year 2010, and has presented at Black Hat USA, DEF CON, NDSS, OWASP Global (keynote), InfoCom, DSN, HITB, RSA, OWASP EU, CertConf, BlueHat, CyberTech, APWG and AusCERT (keynote).