SlideShare une entreprise Scribd logo

Bypassing patchguard on Windows 8.1 and Windows 10

H
Honorary_BoT

Slides from ZeroNights 2014 FastTrack section

Ingénierie
1  sur  16
Télécharger pour lire hors ligne
Bypassing patchguard on Windows 8.1 and Windows 10 Mark Ermolov, Artem Shishkin Positive Technologies
What is patchguard? ―“Please don’t patch our kernels” call from MS ―Even if your kernel patch is correct, you’ll catch a BSOD •0x109 CRITICAL_STRUCTURE_CORRUPTION ―Protected structures •System images: ntoskrnl.exe, win32k.sys, hal.dll etc. •System structures: IDT, GDT, Syscalltables etc. ―Periodic checksums validation for protected stuff ―Doesn’t work on Windows 9
What if we really need to? ―Go for it! ―But… •Patchguard developers are prepared for reverse engineers •Hyper-inlinedobfuscation © Alex Ionescu •Anti-debugging tricks •Several ways of checks invocation
Code obfuscation ―Symbol stripping
Code obfuscation ―Misleading names
Code obfuscation ―Code junk generation •Loop unrolling •Dead code insertion •Indirect calls and variable accesses
Anti-debugging ―Works only on free builds without kernel debugger!
Anti-debugging ―Randomly inserted checks for debugger presence
Anti-debugging ―If you use breakpoints, they will be included to a patchguard checksum, leading to a 0x109 bugcheck ―If you use hardware breakpoints, well…
Non-linear code flow ―Active usage of Vectored Exception Handling
Reverse-engineering ―For dynamic analysis with KD (with windbgf.e.) •Remove all kdpresence checks manually —Look them up with IDA scripting —Apply patches in KD with pykd —Do it before “Phase1InitializationDiscard“ ―For static analysis with IDA •Try not to give up waiting for patchguard initialization function decompilation ―Use something else, like hypervisor-based debugger ;)
Reverse-engineering ―Since patchguard is developed incrementally, the key functions in reversing it are •KiFilterFiberContext–chooses the way for invoking patchguard checks •Unnamed sub inside KiFilterFiberContext–creates a structure aka patchguard context and schedules it’s verification •Other functions (like context checkers) can be misleadingly named, but you can look them up around KiFilterFiberContextsince they are located in a single compilation unit
Bypassing patchguard ―There are different approaches •patch kernel image so that patchguard will just not start •hook KeBugCheckExand restore the state of a system •modify checkers so that they would be always valid •de-schedule contexts verification —This is what we’ve implemented
Contexts verification scheduling ―Context verification might be launched with •KeSetCoalescableTimer —A timer that periodically launches context verification •Prcb.AcpiReserved —A certain ACPI event (f.e. Idle transition) •Prcb.HalReserved —A haltimer clock •PsCreateSystemThread —A queued system thread that sleeps a random amount of time •KeInsertQueueApc —A queued regular kernel APC •KiBalanceSetManagerPeriodicDpc —A periodic event which happens every "KiBalanceSetManagerPeriod" ticks
Contexts verification descheduling ―So we’ve got to deschedulecontext verification once and for all •KeSetCoalescableTimer —Timer? Disable! •Prcb.AcpiReserved —Zero out this field •Prcb.HalReserved —Same here •PsCreateSystemThread —Scan sleeping worker threads and set wait time to infinite for suitable •KeInsertQueueApc —Same here •KiBalanceSetManagerPeriodicDpc —Revert to KiBalanceSetManagerDeferredRoutine
•research [at] ptsecurity[dot] com •www.ptsecurity.com •blog.ptsecurity.com Thank you!

Recommandé

Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?zeroSteiner
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Sam Bowne
 

Recommandé

Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?zeroSteiner
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Sam Bowne
 
Packers
PackersPackers
PackersAnge Albertini
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr BrownzeroSteiner
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理Aj MaChInE
 
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...Liang Chen
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODEPeter Hlavaty
 
Back to the CORE
Back to the COREBack to the CORE
Back to the COREPeter Hlavaty
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemTamas K Lengyel
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMPositive Hack Days
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat Security Conference
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with DroidsPeter Hlavaty
 
BH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkBH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkVeilFramework
 
Metasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning TreeMetasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning TreeE Hacking
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Sam Bowne
 
Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Nate Lawson
 
Rootkit internales
Rootkit internales Rootkit internales
Rootkit internales n|u - The Open Security Community
 

Contenu connexe

Tendances

Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr BrownzeroSteiner
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理Aj MaChInE
 
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...Liang Chen
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODEPeter Hlavaty
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemTamas K Lengyel
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMPositive Hack Days
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat Security Conference
 
BH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkBH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkVeilFramework
 
Metasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning TreeMetasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning TreeE Hacking
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Sam Bowne
 

Tendances (20)

Packers
PackersPackers
Packers
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr Brown
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
 
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
 
Memory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
BlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and wellBlueHat v18 || Memory resident implants - code injection is alive and well
BlueHat v18 || Memory resident implants - code injection is alive and well
 
Racing with Droids
Racing with DroidsRacing with Droids
Racing with Droids
 
BH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-frameworkBH Arsenal '14 TurboTalk: The Veil-framework
BH Arsenal '14 TurboTalk: The Veil-framework
 
Metasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning TreeMetasploit - The Exploit Learning Tree
Metasploit - The Exploit Learning Tree
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Practical Malware Analysis Ch13
Practical Malware Analysis Ch13
 

En vedette

Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Nate Lawson
 
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...DefconRussia
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)ReCrypt
 
Linkmeup v23-compass-eos
Linkmeup v23-compass-eosLinkmeup v23-compass-eos
Linkmeup v23-compass-eoseucariot
 
Why is linkedIn vital for B2B marketing
Why is linkedIn vital for B2B marketingWhy is linkedIn vital for B2B marketing
Why is linkedIn vital for B2B marketingLets learn Digital
 
6460 oc public forum 12 nov 14
6460 oc public forum 12 nov 146460 oc public forum 12 nov 14
6460 oc public forum 12 nov 14cozmotrouble
 
business finance
business financebusiness finance
business financeezraken
 

En vedette (12)

Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)
 
Rootkit internales
Rootkit internales Rootkit internales
Rootkit internales
 
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
Alexander Matrosov, Eugene Rodionov - Modern technologies in malware programs...
 
Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)Deobfuscation and beyond (ZeroNights, 2014)
Deobfuscation and beyond (ZeroNights, 2014)
 
Linkmeup v23-compass-eos
Linkmeup v23-compass-eosLinkmeup v23-compass-eos
Linkmeup v23-compass-eos
 
Chuyên
ChuyênChuyên
Chuyên
 
Resume 2014 x3
Resume 2014 x3Resume 2014 x3
Resume 2014 x3
 
βολος
βολος βολος
βολος
 
Why is linkedIn vital for B2B marketing
Why is linkedIn vital for B2B marketingWhy is linkedIn vital for B2B marketing
Why is linkedIn vital for B2B marketing
 
6460 oc public forum 12 nov 14
6460 oc public forum 12 nov 146460 oc public forum 12 nov 14
6460 oc public forum 12 nov 14
 
Chuyên
ChuyênChuyên
Chuyên
 
business finance
business financebusiness finance
business finance
 

Similaire à Bypassing patchguard on Windows 8.1 and Windows 10

Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitDimitry Snezhkov
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2Royce Davis
 
Static Code Analysis for Projects, Built on Unreal Engine
Static Code Analysis for Projects, Built on Unreal EngineStatic Code Analysis for Projects, Built on Unreal Engine
Static Code Analysis for Projects, Built on Unreal EngineAndrey Karpov
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureGene Gotimer
 
MFF UK - Advanced iOS Topics
MFF UK - Advanced iOS TopicsMFF UK - Advanced iOS Topics
MFF UK - Advanced iOS TopicsPetr Dvorak
 
Евгений Напрягло ".NET Framework Hosting API Overview"
Евгений Напрягло ".NET Framework Hosting API Overview"Евгений Напрягло ".NET Framework Hosting API Overview"
Евгений Напрягло ".NET Framework Hosting API Overview"Fwdays
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Dragos, Inc.
 
Code quality
Code qualityCode quality
Code qualityProvectus
 
Securing the continuous integration
Securing the continuous integrationSecuring the continuous integration
Securing the continuous integrationIrene Michlin
 
Part of the DLM Story: Automated database build and test with TeamCity
Part of the DLM Story: Automated database build and test with TeamCityPart of the DLM Story: Automated database build and test with TeamCity
Part of the DLM Story: Automated database build and test with TeamCityRed Gate Software
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionGeorg Wicherski
 
Continuous Delivery the hard way with Kubernetes
Continuous Delivery the hard way with KubernetesContinuous Delivery the hard way with Kubernetes
Continuous Delivery the hard way with KubernetesLuke Marsden
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 

Similaire à Bypassing patchguard on Windows 8.1 and Windows 10 (20)

Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 
Static Code Analysis for Projects, Built on Unreal Engine
Static Code Analysis for Projects, Built on Unreal EngineStatic Code Analysis for Projects, Built on Unreal Engine
Static Code Analysis for Projects, Built on Unreal Engine
 
Keeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster SecureKeeping your Kubernetes Cluster Secure
Keeping your Kubernetes Cluster Secure
 
MFF UK - Advanced iOS Topics
MFF UK - Advanced iOS TopicsMFF UK - Advanced iOS Topics
MFF UK - Advanced iOS Topics
 
Евгений Напрягло ".NET Framework Hosting API Overview"
Евгений Напрягло ".NET Framework Hosting API Overview"Евгений Напрягло ".NET Framework Hosting API Overview"
Евгений Напрягло ".NET Framework Hosting API Overview"
 
Jenkins Overview
Jenkins OverviewJenkins Overview
Jenkins Overview
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
Simics - Break the Rules of Product Development
Simics - Break the Rules of Product DevelopmentSimics - Break the Rules of Product Development
Simics - Break the Rules of Product Development
 
Kubernetes in Adform
Kubernetes in AdformKubernetes in Adform
Kubernetes in Adform
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE
 
Code quality
Code qualityCode quality
Code quality
 
UVM TUTORIAL;
UVM TUTORIAL;UVM TUTORIAL;
UVM TUTORIAL;
 
Securing the continuous integration
Securing the continuous integrationSecuring the continuous integration
Securing the continuous integration
 
Secure all things with CBSecurity 3
Secure all things with CBSecurity 3Secure all things with CBSecurity 3
Secure all things with CBSecurity 3
 
Part of the DLM Story: Automated database build and test with TeamCity
Part of the DLM Story: Automated database build and test with TeamCityPart of the DLM Story: Automated database build and test with TeamCity
Part of the DLM Story: Automated database build and test with TeamCity
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode Detection
 
Continuous Delivery the hard way with Kubernetes
Continuous Delivery the hard way with KubernetesContinuous Delivery the hard way with Kubernetes
Continuous Delivery the hard way with Kubernetes
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
 

Dernier

Engineering Drawing section of solid
Engineering Drawing section of solidEngineering Drawing section of solid
Engineering Drawing section of solidnamansinghjarodiya
 
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONTHE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONjhunlian
 
Prach: A Feature-Rich Platform Empowering the Autism Community
Prach: A Feature-Rich Platform Empowering the Autism CommunityPrach: A Feature-Rich Platform Empowering the Autism Community
Prach: A Feature-Rich Platform Empowering the Autism Communityprachaibot
 
Cost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionCost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionSneha Padhiar
 
Energy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxEnergy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxsiddharthjain2303
 
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...Stork
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfDrew Moseley
 
List of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdfList of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdfisabel213075
 
Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsResearcher Researcher
 
signals in triangulation .. ...Surveying
signals in triangulation .. ...Surveyingsignals in triangulation .. ...Surveying
signals in triangulation .. ...Surveyingsapna80328
 
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithmComputer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithmDeepika Walanjkar
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substationstephanwindworld
 
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHTEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHSneha Padhiar
 
Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Romil Mishra
 
Virtual memory management in Operating System
Virtual memory management in Operating SystemVirtual memory management in Operating System
Virtual memory management in Operating SystemRashmi Bhat
 
Levelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument methodLevelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument methodManicka Mamallan Andavar
 
CS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfCS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfBalamuruganV28
 
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Sumanth A
 
Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating SystemRashmi Bhat
 
Artificial Intelligence in Power System overview
Artificial Intelligence in Power System overviewArtificial Intelligence in Power System overview
Artificial Intelligence in Power System overviewsandhya757531
 

Dernier (20)

Engineering Drawing section of solid
Engineering Drawing section of solidEngineering Drawing section of solid
Engineering Drawing section of solid
 
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONTHE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
 
Prach: A Feature-Rich Platform Empowering the Autism Community
Prach: A Feature-Rich Platform Empowering the Autism CommunityPrach: A Feature-Rich Platform Empowering the Autism Community
Prach: A Feature-Rich Platform Empowering the Autism Community
 
Cost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based questionCost estimation approach: FP to COCOMO scenario based question
Cost estimation approach: FP to COCOMO scenario based question
 
Energy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptxEnergy Awareness training ppt for manufacturing process.pptx
Energy Awareness training ppt for manufacturing process.pptx
 
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
Stork Webinar | APM Transformational planning, Tool Selection & Performance T...
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdf
 
List of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdfList of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdf
 
Novel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending ActuatorsNovel 3D-Printed Soft Linear and Bending Actuators
Novel 3D-Printed Soft Linear and Bending Actuators
 
signals in triangulation .. ...Surveying
signals in triangulation .. ...Surveyingsignals in triangulation .. ...Surveying
signals in triangulation .. ...Surveying
 
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithmComputer Graphics Introduction, Open GL, Line and Circle drawing algorithm
Computer Graphics Introduction, Open GL, Line and Circle drawing algorithm
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substation
 
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACHTEST CASE GENERATION GENERATION BLOCK BOX APPROACH
TEST CASE GENERATION GENERATION BLOCK BOX APPROACH
 
Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________Gravity concentration_MI20612MI_________
Gravity concentration_MI20612MI_________
 
Virtual memory management in Operating System
Virtual memory management in Operating SystemVirtual memory management in Operating System
Virtual memory management in Operating System
 
Levelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument methodLevelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument method
 
CS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdfCS 3251 Programming in c all unit notes pdf
CS 3251 Programming in c all unit notes pdf
 
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
 
Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating System
 
Artificial Intelligence in Power System overview
Artificial Intelligence in Power System overviewArtificial Intelligence in Power System overview
Artificial Intelligence in Power System overview
 

Bypassing patchguard on Windows 8.1 and Windows 10

  • 1. Bypassing patchguard on Windows 8.1 and Windows 10 Mark Ermolov, Artem Shishkin Positive Technologies
  • 2. What is patchguard? ―“Please don’t patch our kernels” call from MS ―Even if your kernel patch is correct, you’ll catch a BSOD •0x109 CRITICAL_STRUCTURE_CORRUPTION ―Protected structures •System images: ntoskrnl.exe, win32k.sys, hal.dll etc. •System structures: IDT, GDT, Syscalltables etc. ―Periodic checksums validation for protected stuff ―Doesn’t work on Windows 9
  • 3. What if we really need to? ―Go for it! ―But… •Patchguard developers are prepared for reverse engineers •Hyper-inlinedobfuscation © Alex Ionescu •Anti-debugging tricks •Several ways of checks invocation
  • 6. Code obfuscation ―Code junk generation •Loop unrolling •Dead code insertion •Indirect calls and variable accesses
  • 7. Anti-debugging ―Works only on free builds without kernel debugger!
  • 8. Anti-debugging ―Randomly inserted checks for debugger presence
  • 9. Anti-debugging ―If you use breakpoints, they will be included to a patchguard checksum, leading to a 0x109 bugcheck ―If you use hardware breakpoints, well…
  • 10. Non-linear code flow ―Active usage of Vectored Exception Handling
  • 11. Reverse-engineering ―For dynamic analysis with KD (with windbgf.e.) •Remove all kdpresence checks manually —Look them up with IDA scripting —Apply patches in KD with pykd —Do it before “Phase1InitializationDiscard“ ―For static analysis with IDA •Try not to give up waiting for patchguard initialization function decompilation ―Use something else, like hypervisor-based debugger ;)
  • 12. Reverse-engineering ―Since patchguard is developed incrementally, the key functions in reversing it are •KiFilterFiberContext–chooses the way for invoking patchguard checks •Unnamed sub inside KiFilterFiberContext–creates a structure aka patchguard context and schedules it’s verification •Other functions (like context checkers) can be misleadingly named, but you can look them up around KiFilterFiberContextsince they are located in a single compilation unit
  • 13. Bypassing patchguard ―There are different approaches •patch kernel image so that patchguard will just not start •hook KeBugCheckExand restore the state of a system •modify checkers so that they would be always valid •de-schedule contexts verification —This is what we’ve implemented
  • 14. Contexts verification scheduling ―Context verification might be launched with •KeSetCoalescableTimer —A timer that periodically launches context verification •Prcb.AcpiReserved —A certain ACPI event (f.e. Idle transition) •Prcb.HalReserved —A haltimer clock •PsCreateSystemThread —A queued system thread that sleeps a random amount of time •KeInsertQueueApc —A queued regular kernel APC •KiBalanceSetManagerPeriodicDpc —A periodic event which happens every "KiBalanceSetManagerPeriod" ticks
  • 15. Contexts verification descheduling ―So we’ve got to deschedulecontext verification once and for all •KeSetCoalescableTimer —Timer? Disable! •Prcb.AcpiReserved —Zero out this field •Prcb.HalReserved —Same here •PsCreateSystemThread —Scan sleeping worker threads and set wait time to infinite for suitable •KeInsertQueueApc —Same here •KiBalanceSetManagerPeriodicDpc —Revert to KiBalanceSetManagerDeferredRoutine
  • 16. •research [at] ptsecurity[dot] com •www.ptsecurity.com •blog.ptsecurity.com Thank you!