AlexSyScan13

Recommendations

Info

Baby Steps
What is Hotpatching? ■ First introduced in Windows XP SP2 ■ Incomplete implementation, was never used ■ Officially supported and implemented in Windows Server 2003 ■ Hopatching Beta program opened for testing ■ List of KB’s is on Elicz’s paper and Johannes’ blog ■ Added code to compiler and linker (/HOTPADMIN, /HOTPATCH) ■ Adds 5 “nop” instructions on top of every function (before the entry) ■ Used to store absolute call address ■ Adds “mov edi, edi” instruction at the start of every function (at the entry) ■ Used to store 2-byte relative jump to the absolute call ■ Less than a dozen Hotpatch updates ever released ■ Project was eventually abandoned ■ Strangely, Vista improved & updated the Hotpatch API
Page 1 and 2: Hotpatching the Hotpatcher Stealth
Page 3 and 4: Introduction
Page 5 and 6: What This Talk Is (Not) About ■ A
Page 7: Previous Work ■ EliCZ “Microsof
Page 11 and 12: DLL Injection with the Hotpatch API
Page 13 and 14: Bigger Leaps
Page 15 and 16: Known DLL Section Object Misdirecti
Page 17 and 18: Known DLL Section Object Hijacking
Page 19 and 20: Moonshot
Page 21 and 22: Intro to the Hotpatching CodeInfo A
Page 23 and 24: Writing a real patch DLL (continued
Page 25 and 26: …and failing at it ■ Turns out
Page 27 and 28: Why are we failing? ■ What is hap
Page 29 and 30: What’s next? ■ Now the patch wo
Page 31 and 32: DEMO
Page 33 and 34: Key Takeaways ■ The hotpatch API
Page 35: QA ■ Greetz/shouts to: adc, lilho

AlexSyScan13

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?