Hooking Nirvana

Recommendations

Info

Indirect Jump Integrity When a binary is compiled with CFG, any indirect call now looks like this At compile time, the guard check function points to: Which in turn, is just a “ret” So what changes this to a useful function? The key lies in the loader… 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 34
Image Load Config Directory Special data structure provided by the linker (with support from the compiler) which was originally used for compatibility/debugging flags Became relevant again when security mitigations were added: ◦ Contains the security cookie ◦ Contains the array of trusted SEH dispatch routines When CFG was introduced, the following new fields were added to IMAGE_LOAD_CONFIG_DIRECTORY: ◦ ULONGLONG GuardCFCheckFunctionPointer; ◦ ULONGLONG GuardCFFunctionTable; ◦ ULONGLONG GuardCFFunctionCount; ◦ DWORD GuardFlags; Bonus: check out GuardCFDispatchFunctionPointer and CodeIntegrity fields in Win 10 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 35
Page 1 and 2: Hooking Nirvana STEALTHY INSTRUMENT
Page 3 and 4: WHAT THIS TALK IS ABOUT Five differ
Page 5 and 6: MORE PAST RESEARCH CFG has a Whitep
Page 7 and 8: OUTLINE MinWin Hooks Nirvana Hooks
Page 9 and 10: What is MinWin? MinWin is an intern
Page 11 and 12: API Set Redirection (Win 7) One sin
Page 13 and 14: API Set Redirection (Win 8) Windows
Page 15 and 16: API Set Redirection (Win 10) Window
Page 17 and 18: Parsing Windows 10 API Set peb = Nt
Page 19 and 20: Modifying the API Set Map First, de
Page 21 and 22: MinWin Hooking Demo 1/26/2016 COPYR
Page 23 and 24: Double MinWin Bonus While working o
Page 25 and 26: What Is Nirvana? 1/26/2016 COPYRIGH
Page 27 and 28: Instrumentation Callback (Win 7) In
Page 29 and 30: Instrumentation Callback (Win 10) I
Page 31 and 32: Nirvana Hook Demo 1/26/2016 COPYRIG
Page 33: What is CFG? 1/26/2016 COPYRIGHT 20
Page 37 and 38: Writing a Guard CF Function title
Page 39 and 40: CFG Bonus CFG in Windows 10 covers
Page 41 and 42: What is Application Verifier 1/26/2
Page 43 and 44: Enabling Application Verifier The A
Page 45 and 46: Writing a Verifier Provider This ti
Page 47 and 48: Hooking APIs with Avrf static RTL_V
Page 49 and 50: Application Verifier Bonus Because
Page 51 and 52: What is the Shim Engine 1/26/2016 C
Page 53 and 54: Enabling the Shim Engine The Shim E
Page 55 and 56: Dynamic Shim Installation Shims can
Page 57: QUESTIONS? SEE YOU AT BLACKHAT 1/26

Hooking Nirvana

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?