AlexSyScan13

Recommendations

Info

Known DLL Section Object Hijacking ■ The loader has an interesting “bug”/behavior: ■ It trusts that the \KnownDll section object is a SEC_IMAGE section ■ i.e.: That it really is an image file on disk ■ In other words, the manually created \KnownDll object does not have to be a DLL on disk… ■ It can be any random piece of shared data created through NtCreateSection/CreateFileMapping ■ The loader does use NtQuerySection to get information on the section however… ■ And this API fails for non-image sections ■ But the loader ignores the failure code! ■ So can we load arbitrary “DLLs” that don’t really exist on disk?
Known DLL Section Object Hijacking Advantages ■ Ultimately, when the loader does NtMapViewOfSection, this goes inside the kernel ■ Section mappings notifications are delivered to ■ User-mode debugger (to load symbols and be notified of the new DLL) ■ Kernel-mode debugger (same reason) ■ AV and other drivers (PsSetImageLoadNotifyRoutine) ■ …but only for SEC_IMAGE mappings ■ Otherwise, every single random piece of shared data would cause a notify ■ Loading a data section object through the loader results in absolutely no kernel/debugger notification that a DLL was loaded
Page 1 and 2: Hotpatching the Hotpatcher Stealth
Page 3 and 4: Introduction
Page 5 and 6: What This Talk Is (Not) About ■ A
Page 7 and 8: Previous Work ■ EliCZ “Microsof
Page 9 and 10: What is Hotpatching? ■ First intr
Page 11 and 12: DLL Injection with the Hotpatch API
Page 13 and 14: Bigger Leaps
Page 15: Known DLL Section Object Misdirecti
Page 19 and 20: Moonshot
Page 21 and 22: Intro to the Hotpatching CodeInfo A
Page 23 and 24: Writing a real patch DLL (continued
Page 25 and 26: …and failing at it ■ Turns out
Page 27 and 28: Why are we failing? ■ What is hap
Page 29 and 30: What’s next? ■ Now the patch wo
Page 31 and 32: DEMO
Page 33 and 34: Key Takeaways ■ The hotpatch API
Page 35: QA ■ Greetz/shouts to: adc, lilho

AlexSyScan13

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?