AlexSyScan13

Recommendations

Info

Motivation ■ We want to load code in a stealthy way inside another process ■ Or, we are in kernel (first-stage/early payload) and want to go into user-mode (second-stage/persistent payload) ■ Most of these techniques require ■ Writing a file to disk (visible) ■ Injecting a DLL (visible) ■ Current stealthy techniques don’t’ have this problem, but ■ Implement their own loader code (complex, especially in kernel use case) ■ Can’t hope to fully implement all loader intricacies – final payload is simple ■ TLS Initializers? AMD64 Relocations? Shim Engine Callbacks? SafeSEH Initialization? ■ Can we get the benefits of a custom loader… ■ Without having to write one?
Previous Work ■ EliCZ “Microsoft Patching Internals” on OpenRCE ■ Most commonly referenced source of information/header files ■ Used in, among other things, CanSecWest ASLR/ROP bypass talk ■ However, changes were done in Vista/Windows 7 to many of the structures ■ No public officially updated header ■ Derek Soeder “PiXiE: A Self-Propagating Network Boot Virus for Windows” on eEye ■ Used Known DLL Section Object Hijacking for user-mode payload ■ But required patching the kernel (not usable from user-mode) ■ Johannes Passing (blog) ■ Wrote pseudo-code for Vista+ Hotpatch API ■ Mainly focused on kernel driver patching, not user-mode
Page 1 and 2: Hotpatching the Hotpatcher Stealth
Page 3 and 4: Introduction
Page 5: What This Talk Is (Not) About ■ A
Page 9 and 10: What is Hotpatching? ■ First intr
Page 11 and 12: DLL Injection with the Hotpatch API
Page 13 and 14: Bigger Leaps
Page 15 and 16: Known DLL Section Object Misdirecti
Page 17 and 18: Known DLL Section Object Hijacking
Page 19 and 20: Moonshot
Page 21 and 22: Intro to the Hotpatching CodeInfo A
Page 23 and 24: Writing a real patch DLL (continued
Page 25 and 26: …and failing at it ■ Turns out
Page 27 and 28: Why are we failing? ■ What is hap
Page 29 and 30: What’s next? ■ Now the patch wo
Page 31 and 32: DEMO
Page 33 and 34: Key Takeaways ■ The hotpatch API
Page 35: QA ■ Greetz/shouts to: adc, lilho

AlexSyScan13

Create successful ePaper yourself

Delete template?

Save as template?