Hooking Nirvana

More documents

Recommendations

Info

PAST RESEARCH Some of these techniques have partially been exposed before For example, the <strong>Nirvana</strong> hook was discovered by Nick Everdox ◦ http://www.codeproject.com/Articles/543542/Windows-x-system-service-hooksand-advanced-debu ◦ But Windows 10 totally changes the interface… MinWin has some good information from QuarksLab and ARTeam ◦ http://blog.quarkslab.com/runtime-dll-name-resolution-apisetschema-part-i.html ◦ http://www.xchg.info/wiki/index.php?title=ApiMapSet ◦ But they used manually reverse engineered symbols, and Windows 10 changed them 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 4
MORE PAST RESEARCH CFG has a Whitepaper from TrendMicro, and a presentation from MJ0011 ◦ http://sjc1-te-ftp.trendmicro.com/assets/wp/exploring-control-flow-guard-inwindows10.pdf ◦ http://www.powerofcommunity.net/poc2014/mj0011.pdf ◦ But they don’t cover the hooking capabilities AVRF is a mystery, except to TSS, a Russian Hacker: ◦ http://kitrap08.blogspot.ca/2011/04/application-verifier.html ◦ Not many details Only one Chinese Forum site talks about the Shim Engine hooks: ◦ http://bbs.pediy.com/showpost.php?p=1199075&postcount=1 ◦ Accurate for Windows 8 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 5
Page 1 and 2: Hooking Nirvana STEALTHY INSTRUMENT
Page 3: WHAT THIS TALK IS ABOUT Five differ
Page 7 and 8: OUTLINE MinWin Hooks Nirvana Hooks
Page 9 and 10: What is MinWin? MinWin is an intern
Page 11 and 12: API Set Redirection (Win 7) One sin
Page 13 and 14: API Set Redirection (Win 8) Windows
Page 15 and 16: API Set Redirection (Win 10) Window
Page 17 and 18: Parsing Windows 10 API Set peb = Nt
Page 19 and 20: Modifying the API Set Map First, de
Page 21 and 22: MinWin Hooking Demo 1/26/2016 COPYR
Page 23 and 24: Double MinWin Bonus While working o
Page 25 and 26: What Is Nirvana? 1/26/2016 COPYRIGH
Page 27 and 28: Instrumentation Callback (Win 7) In
Page 29 and 30: Instrumentation Callback (Win 10) I
Page 31 and 32: Nirvana Hook Demo 1/26/2016 COPYRIG
Page 33 and 34: What is CFG? 1/26/2016 COPYRIGHT 20
Page 35 and 36: Image Load Config Directory Special
Page 37 and 38: Writing a Guard CF Function title
Page 39 and 40: CFG Bonus CFG in Windows 10 covers
Page 41 and 42: What is Application Verifier 1/26/2
Page 43 and 44: Enabling Application Verifier The A
Page 45 and 46: Writing a Verifier Provider This ti
Page 47 and 48: Hooking APIs with Avrf static RTL_V
Page 49 and 50: Application Verifier Bonus Because
Page 51 and 52: What is the Shim Engine 1/26/2016 C
Page 53 and 54: Enabling the Shim Engine The Shim E
Page 55 and 56:
Dynamic Shim Installation Shims can
Page 57:
QUESTIONS? SEE YOU AT BLACKHAT 1/26
show all

Hooking Nirvana

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?