SlideShare une entreprise Scribd logo

Captain Hook: Pirating AVs to Bypass Exploit Mitigations

enSilo
enSilo

In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.

Technologie
1  sur  57
Télécharger pour lire hors ligne
Pirating AVS to Bypass Exploit Mitigations Captain Hook:
WHO? Udi Yavo  CTO and Co-Founder, enSilo  Former CTO, Rafael Cyber Security Division  Researcher  Author on BreakingMalware Tomer Bitton  VP Research and Co-Founder, enSilo  Low Level Researcher, Rafael Advanced Defense Systems  Malware Researcher  Author on BreakingMalware
 Hooking In a Nutshell  Scope of Research  Inline Hooking – Under the hood - 32-bit function hooking - 64-bit function hooking  Hooking Engine Injection Techniques  The 6 Security Issues of Hooking  Demo – Bypassing exploit mitigations  3rd Party Hooking Engines  Affected Products  Research Tools  Summary AGENDA
 Hooking is used to intercept function calls in order to alter or augment their behavior  Used in most endpoint security products: • Anti-Exploitation – EMET, Palo-Alto Traps, … • Anti-Virus – Almost all of them • Personal Firewalls – Comodo, Zone-Alarm,… • …  Also used in non-security products for various purposes: • Application Performance Monitoring (APM) • Application Virtualization (Microsoft App-V)  Used in Malware: • Man-In-The-Browser (MITB) HOOKING IN A NUTSHELL
 Our research encompassed about a dozen security products  Focused on user-mode inline hooks – The most common hooking method in real-life products  Hooks are commonly set by an injected DLL. We’ll refer to this DLL as the “Hooking Engine”  Kernel-To-User DLL injection techniques • Used by most vendors to inject their hooking engine • Complex and leads security issues SCOPE OF RESEARCH
Inline Hooking
Disassemble Prolog Allocate Code Stub Copy Prolog Instructions Patch the Prolog with a JMP Straight forward most of the time: INLINE HOOKING – 32-BIT FUNCTION HOOKING
INLINE HOOKING – 32-BIT FUNCTION HOOKING InternetConnectW before the hook is set: InternetConnectW After the hook is set:
The hooking function (0x178940) The Copied Instructions Original Function Code INLINE HOOKING – 32-BIT FUNCTION HOOKING
 Other Techniques: • One Byte Patching (Malware) - Patch with an illegal instruction and catch in the exception handler • Microsoft Hot Patching – Only 2 bytes function prolog overwrite  Some Possible Complications: • Relative jmp/call in the prolog • Very short functions/short prolog • jmp/jxx to the middle of the prolog’s instruction • … Hooking Function INLINE HOOKING – 32-BIT FUNCTION HOOKING
Disassemble Prolog Allocate Trampoline Allocate Code Stub Write Trampoline Copy Prolog Instructions Patch the Prolog with a JMP MOV RAX, <Hooking Function> JMP RAX • More complex • 5 bytes jmp instruction might not be enough (limited to a 2GB range) INLINE HOOKING – 64-BIT FUNCTION HOOKING
• InternetConnectA before the hook is set: • InternetConnectA after the hook is set: • Trampoline code: INLINE HOOKING – 64-BIT FUNCTION HOOKING
If we follow the hooking function we get: Original Function Code INLINE HOOKING – 64-BIT FUNCTION HOOKING
 Other Techniques:  6 Bytes patching (requires hooks’ code stub to be in 32-bit address)  Double Push (Nikolay Igotti) – Preserves all registers  …  Possible Complications:  Similar to 32-bit hooks  More instruction pointer relative instructions: MOV RAX, QWORD [RIP+0x15020] Jumps to 0x7ffc00030000 INLINE HOOKING – 64-BIT FUNCTION HOOKING
 Inline hooking is the most common hooking technique in real-life products  Rather intrusive – modifies the code of the of hooking function  Used by most endpoint security products  More on hooking: • Binary Hooking Problems - By Gil Dabah • Trampolines in X64 - By Gil Dabah • Powerful x86/x64 Mini Hook-Engine - Daniel Pistelli • Inline Hooking for Programmers - Malware Tech • … INLINE HOOKING – RECAP
Kernel-To-User Code Injections
INTRODUCTION - KERNEL-TO-USER CODE INJECTIONS  Mainly used for: • Injecting DLLs • Sandbox escapes – After exploiting privilege escalation vulnerability • Injecting to protected processes  Fewer techniques exist than user-mode  Less documented than user-mode techniques  Used by both Malware and Software/Security vendors
 The most common Kernel-To-User injection method  Used by lots of malwares: • TDL • ZERO ACCESS • Sandbox escape shellcodes • …  Also used by lots of security products: • AVG • Kaspersky Home Edition • Avecto • …  Documented: • Blackout: What Really Happened • Much more in forums and leaked source codes INJECTION METHODS – USER APC
Basic Steps (There are several variations): 1. Register load image callback using PsSetLoadImageNotifyRoutine 2. Write payload that injects a dll using LdrLoadDll (Other variations use LoadLibrary) 3. Insert User APC using KeInsertQueueApc INJECTION METHODS – USER APC
• Not really common but worth mentioning • Used by Duqu • Fully documented in: http://binsec.gforge.inria.fr/pdf/Malware2013-Analysis-Diversion-Duqu-paper.pdf INJECTION METHODS – ENTRY POINT PATCHING
Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine Process Image • Register load image callback using PsSetLoadImageNotifyRoutine and wait for main module to load INJECTION METHODS – ENTRY POINT PATCHING Application Ntoskrnl.exe EvilDriver.sys
Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine Process Image • Write the payload to the process address space INJECTION METHODS – ENTRY POINT PATCHING Application Ntoskrnl.exe EvilDriver.sys Payload
Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine • Replace the image entry point with JMP to the new code INJECTION METHODS – ENTRY POINT PATCHING Application Ntoskrnl.exe EvilDriver.sys Payload JMP Payload Process Image
Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine • The payload executes, fixes the entry point and jumps to it INJECTION METHODS – ENTRY POINT PATCHING Application Ntoskrnl.exe EvilDriver.sys Payload JMP Payload Process Image Jump to entry point
• Internet Explorer patched entrypoint INJECTION METHODS – ENTRY POINT PATCHING
 First published on Codeless-Code-Injections talk (to our knowledge)  Never been used by malware (to our knowledge)  Used by software and security vendors: • Symantec • Trusteer • Microsoft App-V  Similar method could probably use TLS data directory INJECTION METHODS – IMPORT TABLE PATCHING
PE HeaderMZ Header DOS Stub File Header Optional Header Data Directories Imports … Import Descriptor 1 Import Descriptor 2 Before PE HeaderMZ Header DOS Stub File Header Optional Header Data Directories Imports … Import Descriptor 1 Import Descriptor 2 After Import Descriptor 1 Import Descriptor 2 Injected DLL Descriptor … 1. Register load image callback using PsSetLoadImageNotifyRoutine and wait for main module to load 2. Allocate memory for the new import table and copy old table with a new record for the injected DLL INJECTION METHODS – IMPORT TABLE PATCHING 3. Point the import data directory to the new table 4. When the DLL is loaded the original PE header is restored
INJECTION METHODS – IMPORT TABLE PATCHING Internet Explorer patched import table
Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine LdrLoadDll • Register load image callback using PsSetLoadImageNotifyRoutine and wait for ntdll.dll module to load INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING Application Ntoskrnl.exe EvilDriver.sys
Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine LdrLoadDll • Write the payload to the process address space INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING Application Ntoskrnl.exe EvilDriver.sys Payload
Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine LdrLoadDll • Replace the LdrLoadLibrary prolog with JMP (or equivalent) to the payload INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING Application Ntoskrnl.exe EvilDriver.sys PayloadPayload JMP Payload
Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine LdrLoadDll • The payload loads a dll, fixes LdrLoadDll and jumps to it INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING Application Ntoskrnl.exe EvilDriver.sys PayloadPayload JMP Payload Jump to LdrLoadDll
• Kernel-To-User Injections are extensively used by both malware and security/software products • Kernel injections are mainly used to inject a DLL to target processes • In security products the injected DLL is commonly the hooking engine • Prone to mistakes – due to its relative complexity INJECTION METHODS – QUICK SUMMARY
The 6 security issues of hooking
Severity: Very High Affected Systems: All Windows Versions Occurs due to bad DLL injection implementation  We found 2 types of unsafe injections: • LoadLibrary from a relative path – vulnerable to DLL Hijacking • Unprotected injected DLL file – placed in %appdata%LocalVendor Can easily be replaced by the attacker #1 – UNSAFE INJECTION
RWX PermissionsFunctions pointers in constant addresses Severity: Very High Affected Systems: All Windows Versions The Kernel-To-User DLL injection allocates RWX code in a predictable location • Implications: • ASLR Bypass – The code stubs normally contains addresses of critical OS functions • Great for shellcode – Allows writing malicious code to the allocated code-stub #2 – PREDICTABLE RWX CODE STUBS
Severity: Very High Affected Systems: All Windows Versions The Kernel-To-User DLL injection or hooking engine allocates R-X code in a predictable location Implications: • ASLR Bypass – The code stubs contain the addresses of critical OS functions • Hooks Bypass – Calling the hook code stub effectively bypasses the hook • Code Reuse – The code can also be useful for ROP #3 – PREDICTABLE R-X CODE STUBS
Severity: High Affected Systems: Windows 7 and Below The Kernel-To-User DLL injection allocates RWX code without specifying exact address Implications: • Similar to the first predictable RWX Code issue #4 – PREDICTABLE RWX CODE STUBS 2
Severity: Medium Affected Systems: All Windows Versions The most common issue: most hooking engines leave their hook code stubs as RWX The implication - possible CFG bypass: • Get arbitrary read/write in the target process • Find the hook’s stub (R) • Overwrite it (W) • Trigger the execution of the hooked function (X) #5 –RWX CODE STUBS * Note: Attacker with arbitrary read/write will probably succeed anyway
LdrLoadDll Hook RWX Permissions Severity: Medium Affected Systems: All Windows Versions Some hooking engines leave the code of the hooked modules as RWX The implication - possible CFG bypass #6 –RWX HOOKED MODULES
SECURITY ISSUES OF HOOKING - RECAP
Demo Bypassing Exploit Mitigations
3rd Party Hooking Engines
 Developing a hooking engine is not an easy task  Using open-source* or commercial hooking engines has many advantages: • Easy API to work with • Supports many platforms • Saves development effort • Saves testing effort  3rd party hooking engines are also integrated into non-security products  A security issue in a hooking engine results in many patches… 3RD PARTY HOOKING ENGINES * We really like Gil Dabah’s distormx
 Used by many open-source projects  Also used by a few security vendors. For example, Vera Features:  Kernel Hooking support  Thread Deadlock Barrier  RIP-relative address relocation for 64-bit  … Security Issues:  RWX Hook Code Stubs  RWX Hooked Modules Bad Practice:  Uses Non-Executable heap and changes parts of it to code EASYHOOK – OPEN-SOURCE HOOKING ENGINE
“Several Fortune 500 companies are using Deviare technology for application virtualization, packaging, and troubleshooting, and for computer security.”  Dual License – Commercial or GPL for open-source  Fixed the issues quickly  From their web site: Features:  Defer Hook –Set a hook only when and if a module is loaded  .NET Function hooking  Interface for many languages: (C++, VB, Python, C#,…)  … Security Issues:  RWX Hook Code Stubs DEVIARE2 - OPEN-SOURCE HOOKING ENGINE
 Used by a lot for security vendors (75% of its users)  Used by emsisoft  Fixed the issues quickly Features:  Injection Driver – Used to perform kernel-injection into processes  IPC API –Used to easily communicate with some main process  IAT Hooking  … Security Issues:  RWX Hook Code Stubs MADCODEHOOK – POWERFUL COMMERCIAL HOOKING
 The most popular hooking engine in the world  Microsoft’s App-V uses Detours which is integrated into Office  We were surprised to find out that it has problems too… Features:  ARM support  … Security Issues: • Predictable RX (Universal). MICROSOFT DETOURS * Details won’t be revealed until the patch is released (September)
“Under commercial release for over 10 years, Detours is licensed by over 100 ISVs and used within nearly every product team at Microsoft.”  Microsoft’s hooking engine Detours – via Microsoft.com:  Could potentially affect millions of users  Also used in security products  Hard to patch - In most cases fixing this issue requires recompilation of each product individually which makes patching cumbersome MICROSOFT DETOURS VULNERABILITY - IMPLICATIONS
Affected Products
Products/Vendors UnSafe Injection Predictable RWX(Universal) Predictable RX(Universal) Predictable RWX RWX Hook code stubs RWX Hooked Modules Time To Fix (Days) Symantec X 90 McAfee X X 90 Trend Micro X X (Initial Fix) X 210 Kaspersky X X 90 AVG X 30 BitDefender X X 30 WebRoot X X 29 AVAST X X 30 Emsisoft X 90 Citrix - Xen Desktop X X 90 Microsoft Office* X 180 WebSense X X X 30 Vera X X ? Invincea X(64-bit) X X ? Anti-Exploitation* X ? BeyondTrust X X Fixed Independently T O T A L S 2 2 6 8 7 5 7 9 . 9 *Patchwasn’treleasedyet AFFECTEDPRODUCTS
High
Research Tools
Memory Region Affected Process IDsAffected Process • Tool to detect predictable RWX code regions • Can be found at https://github.com/BreakingMalware/AVulnerabilityChecker • Compares memory maps of processes RESEARCH TOOLS – AVULNERABILITY
• Tool for scanning hooks and checking their code permissions • Compares code “On-Disk” with the code “In-Memory” • Does best-effort to track hooks code stubs RESEARCH TOOLS – HOOKS SCAN
• Code hooking is an important capability for security/software vendors • Similar to other intrusive operations it has security implications • Almost all the vendors we tested were vulnerable to at least one issue • We worked closely with affected vendors to address all these issues – most are already patched SUMMARY
Contact Us: Udi, udi@ensilo.com Tomer, tomer@ensilo.com

Recommandé

Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windowsn|u - The Open Security Community
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Sam Bowne
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Honorary_BoT
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 

Recommandé

Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windowsn|u - The Open Security Community
 
Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Sam Bowne
 
Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Bypassing patchguard on Windows 8.1 and Windows 10
Bypassing patchguard on Windows 8.1 and Windows 10Honorary_BoT
 
One-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisOne-Byte Modification for Breaking Memory Forensic Analysis
One-Byte Modification for Breaking Memory Forensic AnalysisTakahiro Haruyama
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
CNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingCNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingSam Bowne
 
Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Sam Bowne
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Volatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseVolatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseTakahiro Haruyama
 
Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareTakahiro Haruyama
 
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginFast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginTakahiro Haruyama
 
Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Sam Bowne
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
Packers
PackersPackers
PackersAnge Albertini
 
CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)Sam Bowne
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorSam Bowne
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the CorePeter Hlavaty
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理Aj MaChInE
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
CNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsCNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsSam Bowne
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 
Dll injection
Dll injectionDll injection
Dll injectionKarlFrank99
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
 

Contenu connexe

Tendances

Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
 
CNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingCNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingSam Bowne
 
Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Sam Bowne
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidE Hacking
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
 
Volatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseVolatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseTakahiro Haruyama
 
Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareTakahiro Haruyama
 
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginFast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginTakahiro Haruyama
 
Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Sam Bowne
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CanSecWest
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)Sam Bowne
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorSam Bowne
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理Aj MaChInE
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr
 
CNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsCNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsSam Bowne
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
 

Tendances (20)

Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgPractical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
 
CNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware LaunchingCNIT 126 12: Covert Malware Launching
CNIT 126 12: Covert Malware Launching
 
Practical Malware Analysis Ch13
Practical Malware Analysis Ch13Practical Malware Analysis Ch13
Practical Malware Analysis Ch13
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
CNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbgCNIT 126: 10: Kernel Debugging with WinDbg
CNIT 126: 10: Kernel Debugging with WinDbg
 
Volatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident ResponseVolatile IOCs for Fast Incident Response
Volatile IOCs for Fast Incident Response
 
Malicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic SoftwareMalicious File for Exploiting Forensic Software
Malicious File for Exploiting Forensic Software
 
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility PluginFast and Generic Malware Triage Using openioc_scan Volatility Plugin
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin
 
Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging Practical Malware Analysis: Ch 8: Debugging
Practical Malware Analysis: Ch 8: Debugging
 
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
CSW2017Richard Johnson_harnessing intel processor trace on windows for vulner...
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 
Packers
PackersPackers
Packers
 
CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)CNIT 127: 8: Windows overflows (Part 2)
CNIT 127: 8: Windows overflows (Part 2)
 
Practical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware BehaviorPractical Malware Analysis: Ch 11: Malware Behavior
Practical Malware Analysis: Ch 11: Malware Behavior
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
CNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows ProgramsCNIT 126 7: Analyzing Malicious Windows Programs
CNIT 126 7: Analyzing Malicious Windows Programs
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 

Similaire à Captain Hook: Pirating AVs to Bypass Exploit Mitigations

EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitDimitry Snezhkov
 
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Zhen Huang
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdfFarouk2nd
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsTakahiro Haruyama
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliPriyanka Aash
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
Software Protection Techniques
Software Protection TechniquesSoftware Protection Techniques
Software Protection TechniquesChaitanya Anpat
 
Ceh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingCeh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingAsep Sopyan
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 securityxploded
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022lior mazor
 
Safe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devicesSafe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devicesSoumitra Bhattacharyya
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Digital Bond
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 

Similaire à Captain Hook: Pirating AVs to Bypass Exploit Mitigations (20)

Dll injection
Dll injectionDll injection
Dll injection
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
Typhoon Managed Execution Toolkit
Typhoon Managed Execution ToolkitTyphoon Managed Execution Toolkit
Typhoon Managed Execution Toolkit
 
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
Talos: Neutralizing Vulnerabilities with Security Workarounds for Rapid Respo...
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
 
openioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensicsopenioc_scan - IOC scanner for memory forensics
openioc_scan - IOC scanner for memory forensics
 
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessHacker Halted 2014 - Post-Exploitation After Having Remote Access
Hacker Halted 2014 - Post-Exploitation After Having Remote Access
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
Software Protection Techniques
Software Protection TechniquesSoftware Protection Techniques
Software Protection Techniques
 
Ceh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hackingCeh v8 labs module 05 system hacking
Ceh v8 labs module 05 system hacking
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1 Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
Advanced Malware Analysis Training Session 2 - Botnet Analysis Part 1
 
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022The Hacking Games - Operation System Vulnerabilities Meetup 29112022
The Hacking Games - Operation System Vulnerabilities Meetup 29112022
 
Safe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devicesSafe and secure programming practices for embedded devices
Safe and secure programming practices for embedded devices
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)Vulnerability Inheritance in ICS (English)
Vulnerability Inheritance in ICS (English)
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
 

Dernier

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Dernier (20)

Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Captain Hook: Pirating AVs to Bypass Exploit Mitigations

  • 1. Pirating AVS to Bypass Exploit Mitigations Captain Hook:
  • 2. WHO? Udi Yavo  CTO and Co-Founder, enSilo  Former CTO, Rafael Cyber Security Division  Researcher  Author on BreakingMalware Tomer Bitton  VP Research and Co-Founder, enSilo  Low Level Researcher, Rafael Advanced Defense Systems  Malware Researcher  Author on BreakingMalware
  • 3.  Hooking In a Nutshell  Scope of Research  Inline Hooking – Under the hood - 32-bit function hooking - 64-bit function hooking  Hooking Engine Injection Techniques  The 6 Security Issues of Hooking  Demo – Bypassing exploit mitigations  3rd Party Hooking Engines  Affected Products  Research Tools  Summary AGENDA
  • 4.  Hooking is used to intercept function calls in order to alter or augment their behavior  Used in most endpoint security products: • Anti-Exploitation – EMET, Palo-Alto Traps, … • Anti-Virus – Almost all of them • Personal Firewalls – Comodo, Zone-Alarm,… • …  Also used in non-security products for various purposes: • Application Performance Monitoring (APM) • Application Virtualization (Microsoft App-V)  Used in Malware: • Man-In-The-Browser (MITB) HOOKING IN A NUTSHELL
  • 5.  Our research encompassed about a dozen security products  Focused on user-mode inline hooks – The most common hooking method in real-life products  Hooks are commonly set by an injected DLL. We’ll refer to this DLL as the “Hooking Engine”  Kernel-To-User DLL injection techniques • Used by most vendors to inject their hooking engine • Complex and leads security issues SCOPE OF RESEARCH
  • 7. Disassemble Prolog Allocate Code Stub Copy Prolog Instructions Patch the Prolog with a JMP Straight forward most of the time: INLINE HOOKING – 32-BIT FUNCTION HOOKING
  • 8. INLINE HOOKING – 32-BIT FUNCTION HOOKING InternetConnectW before the hook is set: InternetConnectW After the hook is set:
  • 9. The hooking function (0x178940) The Copied Instructions Original Function Code INLINE HOOKING – 32-BIT FUNCTION HOOKING
  • 10.  Other Techniques: • One Byte Patching (Malware) - Patch with an illegal instruction and catch in the exception handler • Microsoft Hot Patching – Only 2 bytes function prolog overwrite  Some Possible Complications: • Relative jmp/call in the prolog • Very short functions/short prolog • jmp/jxx to the middle of the prolog’s instruction • … Hooking Function INLINE HOOKING – 32-BIT FUNCTION HOOKING
  • 11. Disassemble Prolog Allocate Trampoline Allocate Code Stub Write Trampoline Copy Prolog Instructions Patch the Prolog with a JMP MOV RAX, <Hooking Function> JMP RAX • More complex • 5 bytes jmp instruction might not be enough (limited to a 2GB range) INLINE HOOKING – 64-BIT FUNCTION HOOKING
  • 12. • InternetConnectA before the hook is set: • InternetConnectA after the hook is set: • Trampoline code: INLINE HOOKING – 64-BIT FUNCTION HOOKING
  • 13. If we follow the hooking function we get: Original Function Code INLINE HOOKING – 64-BIT FUNCTION HOOKING
  • 14.  Other Techniques:  6 Bytes patching (requires hooks’ code stub to be in 32-bit address)  Double Push (Nikolay Igotti) – Preserves all registers  …  Possible Complications:  Similar to 32-bit hooks  More instruction pointer relative instructions: MOV RAX, QWORD [RIP+0x15020] Jumps to 0x7ffc00030000 INLINE HOOKING – 64-BIT FUNCTION HOOKING
  • 15.  Inline hooking is the most common hooking technique in real-life products  Rather intrusive – modifies the code of the of hooking function  Used by most endpoint security products  More on hooking: • Binary Hooking Problems - By Gil Dabah • Trampolines in X64 - By Gil Dabah • Powerful x86/x64 Mini Hook-Engine - Daniel Pistelli • Inline Hooking for Programmers - Malware Tech • … INLINE HOOKING – RECAP
  • 17. INTRODUCTION - KERNEL-TO-USER CODE INJECTIONS  Mainly used for: • Injecting DLLs • Sandbox escapes – After exploiting privilege escalation vulnerability • Injecting to protected processes  Fewer techniques exist than user-mode  Less documented than user-mode techniques  Used by both Malware and Software/Security vendors
  • 18.  The most common Kernel-To-User injection method  Used by lots of malwares: • TDL • ZERO ACCESS • Sandbox escape shellcodes • …  Also used by lots of security products: • AVG • Kaspersky Home Edition • Avecto • …  Documented: • Blackout: What Really Happened • Much more in forums and leaked source codes INJECTION METHODS – USER APC
  • 19. Basic Steps (There are several variations): 1. Register load image callback using PsSetLoadImageNotifyRoutine 2. Write payload that injects a dll using LdrLoadDll (Other variations use LoadLibrary) 3. Insert User APC using KeInsertQueueApc INJECTION METHODS – USER APC
  • 20. • Not really common but worth mentioning • Used by Duqu • Fully documented in: http://binsec.gforge.inria.fr/pdf/Malware2013-Analysis-Diversion-Duqu-paper.pdf INJECTION METHODS – ENTRY POINT PATCHING
  • 21. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine Process Image • Register load image callback using PsSetLoadImageNotifyRoutine and wait for main module to load INJECTION METHODS – ENTRY POINT PATCHING Application Ntoskrnl.exe EvilDriver.sys
  • 22. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine Process Image • Write the payload to the process address space INJECTION METHODS – ENTRY POINT PATCHING Application Ntoskrnl.exe EvilDriver.sys Payload
  • 23. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine • Replace the image entry point with JMP to the new code INJECTION METHODS – ENTRY POINT PATCHING Application Ntoskrnl.exe EvilDriver.sys Payload JMP Payload Process Image
  • 24. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine • The payload executes, fixes the entry point and jumps to it INJECTION METHODS – ENTRY POINT PATCHING Application Ntoskrnl.exe EvilDriver.sys Payload JMP Payload Process Image Jump to entry point
  • 25. • Internet Explorer patched entrypoint INJECTION METHODS – ENTRY POINT PATCHING
  • 26.  First published on Codeless-Code-Injections talk (to our knowledge)  Never been used by malware (to our knowledge)  Used by software and security vendors: • Symantec • Trusteer • Microsoft App-V  Similar method could probably use TLS data directory INJECTION METHODS – IMPORT TABLE PATCHING
  • 27. PE HeaderMZ Header DOS Stub File Header Optional Header Data Directories Imports … Import Descriptor 1 Import Descriptor 2 Before PE HeaderMZ Header DOS Stub File Header Optional Header Data Directories Imports … Import Descriptor 1 Import Descriptor 2 After Import Descriptor 1 Import Descriptor 2 Injected DLL Descriptor … 1. Register load image callback using PsSetLoadImageNotifyRoutine and wait for main module to load 2. Allocate memory for the new import table and copy old table with a new record for the injected DLL INJECTION METHODS – IMPORT TABLE PATCHING 3. Point the import data directory to the new table 4. When the DLL is loaded the original PE header is restored
  • 28. INJECTION METHODS – IMPORT TABLE PATCHING Internet Explorer patched import table
  • 29. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine LdrLoadDll • Register load image callback using PsSetLoadImageNotifyRoutine and wait for ntdll.dll module to load INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING Application Ntoskrnl.exe EvilDriver.sys
  • 30. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine LdrLoadDll • Write the payload to the process address space INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING Application Ntoskrnl.exe EvilDriver.sys Payload
  • 31. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine LdrLoadDll • Replace the LdrLoadLibrary prolog with JMP (or equivalent) to the payload INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING Application Ntoskrnl.exe EvilDriver.sys PayloadPayload JMP Payload
  • 32. Kernel Space User Space RtlUserThreadStart KiStartUserThread Callback Routine LdrLoadDll • The payload loads a dll, fixes LdrLoadDll and jumps to it INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING Application Ntoskrnl.exe EvilDriver.sys PayloadPayload JMP Payload Jump to LdrLoadDll
  • 33. • Kernel-To-User Injections are extensively used by both malware and security/software products • Kernel injections are mainly used to inject a DLL to target processes • In security products the injected DLL is commonly the hooking engine • Prone to mistakes – due to its relative complexity INJECTION METHODS – QUICK SUMMARY
  • 34. The 6 security issues of hooking
  • 35. Severity: Very High Affected Systems: All Windows Versions Occurs due to bad DLL injection implementation  We found 2 types of unsafe injections: • LoadLibrary from a relative path – vulnerable to DLL Hijacking • Unprotected injected DLL file – placed in %appdata%LocalVendor Can easily be replaced by the attacker #1 – UNSAFE INJECTION
  • 36. RWX PermissionsFunctions pointers in constant addresses Severity: Very High Affected Systems: All Windows Versions The Kernel-To-User DLL injection allocates RWX code in a predictable location • Implications: • ASLR Bypass – The code stubs normally contains addresses of critical OS functions • Great for shellcode – Allows writing malicious code to the allocated code-stub #2 – PREDICTABLE RWX CODE STUBS
  • 37. Severity: Very High Affected Systems: All Windows Versions The Kernel-To-User DLL injection or hooking engine allocates R-X code in a predictable location Implications: • ASLR Bypass – The code stubs contain the addresses of critical OS functions • Hooks Bypass – Calling the hook code stub effectively bypasses the hook • Code Reuse – The code can also be useful for ROP #3 – PREDICTABLE R-X CODE STUBS
  • 38. Severity: High Affected Systems: Windows 7 and Below The Kernel-To-User DLL injection allocates RWX code without specifying exact address Implications: • Similar to the first predictable RWX Code issue #4 – PREDICTABLE RWX CODE STUBS 2
  • 39. Severity: Medium Affected Systems: All Windows Versions The most common issue: most hooking engines leave their hook code stubs as RWX The implication - possible CFG bypass: • Get arbitrary read/write in the target process • Find the hook’s stub (R) • Overwrite it (W) • Trigger the execution of the hooked function (X) #5 –RWX CODE STUBS * Note: Attacker with arbitrary read/write will probably succeed anyway
  • 40. LdrLoadDll Hook RWX Permissions Severity: Medium Affected Systems: All Windows Versions Some hooking engines leave the code of the hooked modules as RWX The implication - possible CFG bypass #6 –RWX HOOKED MODULES
  • 41. SECURITY ISSUES OF HOOKING - RECAP
  • 43. 3rd Party Hooking Engines
  • 44.  Developing a hooking engine is not an easy task  Using open-source* or commercial hooking engines has many advantages: • Easy API to work with • Supports many platforms • Saves development effort • Saves testing effort  3rd party hooking engines are also integrated into non-security products  A security issue in a hooking engine results in many patches… 3RD PARTY HOOKING ENGINES * We really like Gil Dabah’s distormx
  • 45.  Used by many open-source projects  Also used by a few security vendors. For example, Vera Features:  Kernel Hooking support  Thread Deadlock Barrier  RIP-relative address relocation for 64-bit  … Security Issues:  RWX Hook Code Stubs  RWX Hooked Modules Bad Practice:  Uses Non-Executable heap and changes parts of it to code EASYHOOK – OPEN-SOURCE HOOKING ENGINE
  • 46. “Several Fortune 500 companies are using Deviare technology for application virtualization, packaging, and troubleshooting, and for computer security.”  Dual License – Commercial or GPL for open-source  Fixed the issues quickly  From their web site: Features:  Defer Hook –Set a hook only when and if a module is loaded  .NET Function hooking  Interface for many languages: (C++, VB, Python, C#,…)  … Security Issues:  RWX Hook Code Stubs DEVIARE2 - OPEN-SOURCE HOOKING ENGINE
  • 47.  Used by a lot for security vendors (75% of its users)  Used by emsisoft  Fixed the issues quickly Features:  Injection Driver – Used to perform kernel-injection into processes  IPC API –Used to easily communicate with some main process  IAT Hooking  … Security Issues:  RWX Hook Code Stubs MADCODEHOOK – POWERFUL COMMERCIAL HOOKING
  • 48.  The most popular hooking engine in the world  Microsoft’s App-V uses Detours which is integrated into Office  We were surprised to find out that it has problems too… Features:  ARM support  … Security Issues: • Predictable RX (Universal). MICROSOFT DETOURS * Details won’t be revealed until the patch is released (September)
  • 49. “Under commercial release for over 10 years, Detours is licensed by over 100 ISVs and used within nearly every product team at Microsoft.”  Microsoft’s hooking engine Detours – via Microsoft.com:  Could potentially affect millions of users  Also used in security products  Hard to patch - In most cases fixing this issue requires recompilation of each product individually which makes patching cumbersome MICROSOFT DETOURS VULNERABILITY - IMPLICATIONS
  • 51. Products/Vendors UnSafe Injection Predictable RWX(Universal) Predictable RX(Universal) Predictable RWX RWX Hook code stubs RWX Hooked Modules Time To Fix (Days) Symantec X 90 McAfee X X 90 Trend Micro X X (Initial Fix) X 210 Kaspersky X X 90 AVG X 30 BitDefender X X 30 WebRoot X X 29 AVAST X X 30 Emsisoft X 90 Citrix - Xen Desktop X X 90 Microsoft Office* X 180 WebSense X X X 30 Vera X X ? Invincea X(64-bit) X X ? Anti-Exploitation* X ? BeyondTrust X X Fixed Independently T O T A L S 2 2 6 8 7 5 7 9 . 9 *Patchwasn’treleasedyet AFFECTEDPRODUCTS
  • 52. High
  • 54. Memory Region Affected Process IDsAffected Process • Tool to detect predictable RWX code regions • Can be found at https://github.com/BreakingMalware/AVulnerabilityChecker • Compares memory maps of processes RESEARCH TOOLS – AVULNERABILITY
  • 55. • Tool for scanning hooks and checking their code permissions • Compares code “On-Disk” with the code “In-Memory” • Does best-effort to track hooks code stubs RESEARCH TOOLS – HOOKS SCAN
  • 56. • Code hooking is an important capability for security/software vendors • Similar to other intrusive operations it has security implications • Almost all the vendors we tested were vulnerable to at least one issue • We worked closely with affected vendors to address all these issues – most are already patched SUMMARY