Hooking Nirvana

More documents

Recommendations

Info

Instrumentation Callback (Win 10) In Windows 10, the instrumentation callback is registered with a structure: ◦ typedef struct _PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION { ULONG Version; ULONG Reserved; PVOID Callback; } PROCESS_INSTRUMENTATION_CALLBACK_INFORMATION; ◦ Version must be 0 on x64 Windows and 1 on x86 Windows ◦ Reserved must be 0 Yep, it now works on x86 Windows ◦ It also supports WoW64 applications No longer requires DR7 to be set Now catches NtContinue, but on x86 only 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 28
Instrumentation Callback (Win 10) In order to support x86, a few other changes were made too Due to stack usage issues on x86, the following fields are added to the TEB: ◦ +0x2d0 InstrumentationCallbackSp : Uint8B ◦ +0x2d8 InstrumentationCallbackPreviousPc : Uint8B ◦ +0x2e0 InstrumentationCallbackPreviousSp : Uint8B To avoid recursion, can temporarily use ◦ +0x2ec InstrumentationCallbackDisabled : Uchar On x64, you don’t need these fields, instead ◦ RSP is kept in its original form, because RCX/RDX/R8/R9 can be used to pass arguments, and there aren’t 16-bit/VM8086 idiosyncrasies ◦ R10 contains the Previous RIP (R10 and R11 are volatile and used for SYSCALL/SYSRET in the Windows x64 ABI) 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 29
Page 1 and 2: Hooking Nirvana STEALTHY INSTRUMENT
Page 3 and 4: WHAT THIS TALK IS ABOUT Five differ
Page 5 and 6: MORE PAST RESEARCH CFG has a Whitep
Page 7 and 8: OUTLINE MinWin Hooks Nirvana Hooks
Page 9 and 10: What is MinWin? MinWin is an intern
Page 11 and 12: API Set Redirection (Win 7) One sin
Page 13 and 14: API Set Redirection (Win 8) Windows
Page 15 and 16: API Set Redirection (Win 10) Window
Page 17 and 18: Parsing Windows 10 API Set peb = Nt
Page 19 and 20: Modifying the API Set Map First, de
Page 21 and 22: MinWin Hooking Demo 1/26/2016 COPYR
Page 23 and 24: Double MinWin Bonus While working o
Page 25 and 26: What Is Nirvana? 1/26/2016 COPYRIGH
Page 27: Instrumentation Callback (Win 7) In
Page 31 and 32: Nirvana Hook Demo 1/26/2016 COPYRIG
Page 33 and 34: What is CFG? 1/26/2016 COPYRIGHT 20
Page 35 and 36: Image Load Config Directory Special
Page 37 and 38: Writing a Guard CF Function title
Page 39 and 40: CFG Bonus CFG in Windows 10 covers
Page 41 and 42: What is Application Verifier 1/26/2
Page 43 and 44: Enabling Application Verifier The A
Page 45 and 46: Writing a Verifier Provider This ti
Page 47 and 48: Hooking APIs with Avrf static RTL_V
Page 49 and 50: Application Verifier Bonus Because
Page 51 and 52: What is the Shim Engine 1/26/2016 C
Page 53 and 54: Enabling the Shim Engine The Shim E
Page 55 and 56: Dynamic Shim Installation Shims can
Page 57: QUESTIONS? SEE YOU AT BLACKHAT 1/26

Hooking Nirvana

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?