Hooking Nirvana

More documents

Recommendations

Info

WHO AM I? Chief Architect at CrowdStrike, a security startup Previously worked at Apple on iOS Core Platform Team Co-author of Windows Internals 5 th and 6 th Editions Reverse engineering NT since 2000 – main kernel developer of ReactOS Instructor of worldwide Windows Internals classes Conference speaking: ◦ Recon 2015-2010, 2006 ◦ SyScan 2015-2012 ◦ NoSuchCon 2014-2013, Breakpoint 2012 ◦ Blackhat 2015, 2013, 2008 For more info, see www.alex-ionescu.com 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 2
WHAT THIS TALK IS ABOUT Five different technologies in Windows ◦ Time Travel Debugging / iDNA (<strong>Nirvana</strong>) ◦ Application Verifier (AVRF) ◦ Minimalized Windows (MinWin) ◦ Application Compatibility Engine (ShimEng) ◦ Control Flow Guard (CFG) Their intended use in the system How their use can be misappropriated or leveraged for instrumenting binaries and hooking them early (or late) 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 3
Page 1: Hooking Nirvana STEALTHY INSTRUMENT
Page 5 and 6: MORE PAST RESEARCH CFG has a Whitep
Page 7 and 8: OUTLINE MinWin Hooks Nirvana Hooks
Page 9 and 10: What is MinWin? MinWin is an intern
Page 11 and 12: API Set Redirection (Win 7) One sin
Page 13 and 14: API Set Redirection (Win 8) Windows
Page 15 and 16: API Set Redirection (Win 10) Window
Page 17 and 18: Parsing Windows 10 API Set peb = Nt
Page 19 and 20: Modifying the API Set Map First, de
Page 21 and 22: MinWin Hooking Demo 1/26/2016 COPYR
Page 23 and 24: Double MinWin Bonus While working o
Page 25 and 26: What Is Nirvana? 1/26/2016 COPYRIGH
Page 27 and 28: Instrumentation Callback (Win 7) In
Page 29 and 30: Instrumentation Callback (Win 10) I
Page 31 and 32: Nirvana Hook Demo 1/26/2016 COPYRIG
Page 33 and 34: What is CFG? 1/26/2016 COPYRIGHT 20
Page 35 and 36: Image Load Config Directory Special
Page 37 and 38: Writing a Guard CF Function title
Page 39 and 40: CFG Bonus CFG in Windows 10 covers
Page 41 and 42: What is Application Verifier 1/26/2
Page 43 and 44: Enabling Application Verifier The A
Page 45 and 46: Writing a Verifier Provider This ti
Page 47 and 48: Hooking APIs with Avrf static RTL_V
Page 49 and 50: Application Verifier Bonus Because
Page 51 and 52: What is the Shim Engine 1/26/2016 C
Page 53 and 54:
Enabling the Shim Engine The Shim E
Page 55 and 56:
Dynamic Shim Installation Shims can
Page 57:
QUESTIONS? SEE YOU AT BLACKHAT 1/26
show all

Hooking Nirvana

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?