1-15 out of 15 results
28:09 REcon English 2016

Monitoring & controlling kernel-mode events by HyperPlatform

We will present HyperPlatform, an advanced system monitoring platform for the Windows operating system (OS). Using Intel VT-x and Extended Page Table (EPT) technologies, this platform provides fast monitoring of various events. HyperPlatform is hidden and resilient to modern anti-forensics techniques and can be easily extended for day-to-day reverse engineering work. Even today, many researchers have no suitable tools to analyze kernel-mode code. The steady growth of ring0 rootkits requires a fast, undetectable and resilient tool to monitor OS events across all protection rings. Such a tool will significantly contribute to reverse engineering. While existing virtualization infrastructures such as VirtualBox and VMware are handy for analysis by themselves, VT-x technology has much more potential for aiding reverse engineering. McAfee Deep Defender, for example, detects modification of system-critical memory regions and registers. These tools are, however, proprietary and not available to everyone, or too complicated for most engineers to extend. HyperPlatform is a thin hypervisor which has the potential to monitor the following: access to physical and virtual memory; function calls from user and kernel mode; code execution at instruction granularity. The hypervisor can be used to monitor memory for two typical use cases. The first is monitoring access to specified memory regions to protect system-critical data such as the service descriptor table. The second is recording any type of memory access from a specified memory region, such as a potentially malicious driver, to analyze its activities. HyperPlatform is also capable of monitoring a broad range of events such as interrupts, various registers and instructions. Tools based on HyperPlatform will be able to trace each instruction and provide dynamic analysis of executable code if necessary.
We will demonstrate two examples of adapting HyperPlatform: MemoryMon and EopMon. MemoryMon is able to monitor virtual memory accesses and detect dodgy kernel memory execution using EPT. It can help rootkit analysis by identifying dynamically allocated code. EopMon is an elevation of privilege (EoP) detector. It can spot and terminate a process with a stolen system token by utilizing the hypervisor’s ability to monitor process context switching. Implementing those functions used to be challenging, but now it can be achieved more easily than ever using HyperPlatform.
  • Published: 2016
  • Publisher: REcon
  • Language: English
57:47 REcon English 2016

Visiting The Bear Den

During the last two years, three cheerful chaps tracked one of the most prolific espionage groups out there. The group in question created a complex software ecosystem, composed of tens of different components, and also regularly pulls out 0-day exploits. This talk presents the results of the hunt.
  • Published: 2016
  • Publisher: REcon
  • Language: English
1:00:19 REcon English 2016

Google: Process Failure Modes

Creating processes on Windows is fraught with danger. There are many things that could go wrong. This is even more true when creating processes in system services at the behest of the user. At best, making a mistake could result in creating processes from files the user can’t access; at worst, they get system privileges. This presentation will go into detail on how processes are created in Windows and the many ways that it can go horribly wrong. I’ll discuss some of the shortcomings of the Windows process and session models and how they can be abused to elevate privileges. Throughout, I’ll provide examples of vulnerabilities and exploitation techniques I’ve discovered (some of which won’t be fixed any time soon) with clear anti-pattern examples to aid in discovering similar vulnerabilities. One of the issues I’ll discuss is the complexities around one of my most recent Project Zero blog posts (specifically the “raising dead” post), which dealt with session creation and stuck processes. Some of the other topics I’ll include are:
  • Process creation internals
  • Process creation w.r.t. impersonation
  • Session hopping
  • Dangerous creation patterns
  • Published: 2016
  • Publisher: REcon
  • Language: English
57:38 REcon English 2016

Hardware-Assisted Rootkits and Instrumentation: ARM Edition

Security researchers have limited options when it comes to debuggers and dynamic binary instrumentation tools for ARM-based devices. Hardware-based solutions can be expensive or destructive, while software tools are often restricted to user mode. In this talk, we explore a common but often ignored feature of the ARM debug architecture in search of other options. Digging deeper into this hardware component reveals many interesting use cases for researchers, ranging from debugging and instrumentation to building a novel rootkit. First, we will shine a spotlight on a debug interface that dates back to ARMv6, and demonstrate how to control it from software in order to instrument code in the normal world. We will introduce a prototype toolkit with an IDA plugin that can perform real-time tracing, code coverage analysis, and more, of the Android kernel on COTS smartphones without requiring virtualization extensions or special hardware. Next, we will compare implementations of this hardware unit across multiple chipset vendors, and discuss applicability to other ARM CPUs found in your phone, such as WiFi and cellular basebands. The second half of our talk will add new meaning to the phrase “hardware-assisted rootkit”. Abusing this same debug interface, we will have some fun with the Krait architecture in order to demonstrate a kernel-level rootkit for Android that can bypass the current state of the art in rootkit detection. We’ll discuss hijacking exceptions, interacting with TrustZone, and methods for detecting this unconventional rootkit. Finally, we will wrap up by highlighting a use case for exploit mitigations on embedded systems.
  • Published: 2016
  • Publisher: REcon
  • Language: English
55:51 REcon English 2016

Shooting the OS X El Capitan Kernel Like a Sniper

OS X El Capitan has introduced new exploit mitigations to the kernel. Such mitigations include the “vm map copy” mitigation, System Integrity Protection/Rootless, SMAP (enforced on new models of MacBook Pro), etc. Combined with existing modern OS exploit mitigations like kASLR and DEP, exploiting the OS X El Capitan kernel has become harder. Approaches to defeat these new mitigations were discovered by security researchers in late 2015, but most of them have additional prerequisites on either the bug or the environment. For example, the technique of overwriting the size of a vm map copy requires a perfect zone overflow (overflowed length controllable + content controllable), and some techniques require creating a specific user client, which is prohibited for sandboxed processes (Safari WebContent, Chrome sandbox, etc.). In this talk, we will introduce a new approach to exploit the El Capitan kernel from the most restrictive sandboxed process (Safari WebContent). The new approach is universal to all OS X kernels and does not demand much of bug quality. Only a single write (not necessarily of an arbitrary value) is needed to pwn everything (including info leak, kASLR, DEP, SIP and SMAP bypass). The new technique will be illustrated by a live remote root demo during the talk.
  • Published: 2016
  • Publisher: REcon
  • Language: English
34:17 REcon English 2016

Black box reverse engineering for unknown/custom instruction sets

Have you ever come across a firmware image for which you couldn’t find a disassembler? This talk will cover reverse-engineering techniques for extracting an instruction encoding from a raw binary with an unknown or custom instruction set. The main focus is on static techniques and features of firmware images that you can use to your advantage, but some dynamic techniques will be covered as well.
  • Published: 2016
  • Publisher: REcon
  • Language: English
58:43 REcon English 2016

Go Speed Tracer

The past few years have seen a leap in fuzzing technology. The original paradigm established a decade ago resulted in two widely deployed approaches to fuzzing: sample-based mutation and model-based generation. Thanks to ever-increasing computational performance and better engineering, newer guided fuzzing approaches have proven to be supremely effective with a low cost of deployment. This talk will explore a few different approaches to guided fuzzing through dynamic analysis, including code coverage analysis, constraint solving, and sampling/profiling-based feedback mechanisms. Novel contributions in this talk include:
  • Open-source Windows driver enabling Intel “Processor Trace”
  • DBI-based tracing engine for Windows/Linux/OS X binaries
  • American Fuzzy Lop with full support for Windows binary targets
  • Published: 2016
  • Publisher: REcon
  • Language: English
59:48 REcon English 2016

Abusing the NT Kernel Shim Engine

The Kernel Shim Engine is the kernel’s analogue to the user-mode shim engine (ShimEng). Although the latter has now had some pretty good research done on it, the KSE remains a mystery. First introduced in Windows XP as merely a Plug-and-Play compatibility layer for custom registry flags, it morphed into a nearly full-blown Shim Engine implementation, with the ability to misuse it for both persistence and stealth hooks in the kernel. In this talk, you’ll learn how to use the KSE for hooking drivers (dispatch tables, IRPs, and entry points) as well as kernel APIs, both legitimately and illegitimately. You’ll also see some WinDbg scripts and techniques for detecting and enumerating installed kernel shims for forensic purposes. Finally, a tool called DriverMon is planned for release at the conference, which uses the KSE to provide ProcMon for drivers.
  • Published: 2016
  • Publisher: REcon
  • Language: English
59:38 REcon English 2016

Reverse Engineering ISC controllers

  • Published: 2016
  • Publisher: REcon
  • Language: English
46:44 REcon English 2016

When Governments Attack

Targeted malware campaigns against activists, lawyers and journalists are becoming extremely commonplace. These attacks range in sophistication from simple spear-phishing campaigns using off-the-shelf malware to APT-level attacks employing exploits, large budgets, and increasingly sophisticated techniques. Activists, lawyers and journalists are, for the most part, completely unprepared to deal with cyber-attacks; most of them don’t even have a single security professional on staff. In this session, Eva Galperin and Cooper Quintin of the Electronic Frontier Foundation will discuss the technical and operational details of malware campaigns against activists, journalists, and lawyers around the world, including EFF. They will also present brand new research about a threat actor targeting lawyers and activists in Europe and the post-Soviet states. With targeted malware campaigns, governments have a powerful tool to suppress and silence dissent. As security professionals, we are in a unique position to help in this fight.
  • Published: 2016
  • Publisher: REcon
  • Language: English
47:41 REcon English 2016

More Flash, More Fun!

Adobe Flash is a popular target for attackers in the wild. This presentation describes my research into Adobe Flash, which discovered over a hundred vulnerabilities in the software. It details some strategies for finding bugs through code review, fuzzing and reverse engineering and provides examples of bugs discovered using these methods. It also examines recent exploits, and how they bypass new Flash mitigations.
  • Published: 2016
  • Publisher: REcon
  • Language: English
34:25 REcon English 2016

Sol[IDA]rity

Reverse engineering is an exercise of exploration and digital cartography. Researchers slowly unearth bits and pieces of a puzzle, putting them together to better understand the bigger picture. Binaries, like puzzles, can be put together much faster in collaboration with others. And with services such as Google Docs, Office 365, or Etherpad, it is easy to recognize the power and effectiveness of real-time collaboration in the digital space. Unfortunately, reverse engineering as many know it today is almost exclusively an individual experience. Our present reversing tools offer little in the way of collaboration among multiple users. This can make reverse engineering tedious and wasteful in a fast-paced team setting. In this talk we’ll be publicly unveiling Sol[IDA]rity, the newest collaborative solution for the popular disassembler IDA Pro. What started as a simple plugin to sync IDA databases between users in real-time, soon evolved into an interconnectivity platform for IDA with endless potential. Join us for a glimpse at the latest generation of collaborative reverse engineering.
  • Published: 2016
  • Publisher: REcon
  • Language: English
32:25 REcon English 2016

Keystone: the last missing framework of Reverse Engineering

An assembler framework is the final missing piece of the reverse engineering (RE) community. This talk introduces a new framework named Keystone, which fills this gap and offers unrivalled features:
  • Multi-architecture: Arm, Arm64, Hexagon, Mips, PowerPC, Sparc, SystemZ & X86 (16/32/64 bits)
  • Multi-platform, natively compiled for Windows, Linux, Mac OS X, *BSD, Solaris, etc.
  • Clean/simple/lightweight/intuitive architecture-neutral API
  • Implemented in C/C++, with bindings for Python available
  • Thread-safe by design
  • Open source
We are going to present the motivation, design and implementation of Keystone. The focus will be on the technical decisions we made, and the challenges we had to overcome to realise the ideas behind our engine. We expect Keystone will turn a new page and open the way for many next-generation RE tools in the future. Some cool tools built on top of Keystone will be shown to demonstrate its power.
  • Published: 2016
  • Publisher: REcon
  • Language: English
29:20 REcon English 2016

BBS-Era Exploitation for Fun and Anachronism

The bulletin board era was a golden age for those of us who were into computers (and in existence) at the time. Yet think of how much better it could have been if we’d had today’s exploitation tradecraft to bring to bear back then. In this presentation, we’re taking modern technology back with us a couple of decades and aiming it at BBS-era software, possibly to see what we can learn from attacking these scrutable-yet-unusual systems, but mostly just because we can. We’ll use tools and techniques that didn’t publicly exist at the time to run, reverse engineer, attack, debug, and exploit old code. Finally, we’ll demonstrate some of the fun we could’ve had, if only we had known then what we know now… Source code and proofs-of-concept will be released.
  • Published: 2016
  • Publisher: REcon
  • Language: English
21:44 REcon English 2016

JavaJournal

Despite the multitude of Java decompilers available, we often have the need to debug or trace malicious or obfuscated Java bytecode. Existing Java debuggers and tracers are mostly targeted towards Java developers, are closed-source, and are not meant to handle malicious or obfuscated targets. We present a new open-source cross-platform framework for debugging Java, written completely in Python, designed specifically for reverse engineering. We also present a Java method call tracer as a sample Python application that utilizes this framework.
  • Published: 2016
  • Publisher: REcon
  • Language: English