Hooking Nirvana

More documents

Recommendations

Info

Application Verifier Providers Providers are loaded by the Application Verifier Engine based on either the contents of the “VerifierDlls” key in per-image IFEO key, or by the {ApplicationVerifierGlobalSettings} option in the root IFEO key If a provider is called “vrfcore.dll” and exports a function called “AVrfAPILookupCallback”, then all GetProcAddress (LdrGetProcedureAddress) function calls will first be directed to it Callback includes the address of the caller of GetProcAddress, and the ability to redirect the answer to another routine Other than that, verifier providers can hook any exported function of any DLL they please, by filling out special structures during their entrypoint You can set AVrfpDebug (from the “VerifierDebug” IFEO value) to see the internals… 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 44
Writing a Verifier Provider This time, we have to write an actual DLL Those of you that do Win32 programming are certainly aware of DllMain and its four “reasons” ◦ DLL_PROCESS_ATTACH ◦ DLL_PROCESS_DETACH ◦ DLL_THREAD_ATTACH ◦ DLL_THREAD_DETACH But did you know there’s a fourth? ◦ DLL_PROCESS_VERIFIER This special reason comes with a pointer to a RTL_VERIFIER_PROFIDER_DESCRIPTION structure The structure provides input data to the verifier provider, as well as allows it to register a number of thunks for each exported API from one of the DLLs 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 45
Page 1 and 2: Hooking Nirvana STEALTHY INSTRUMENT
Page 3 and 4: WHAT THIS TALK IS ABOUT Five differ
Page 5 and 6: MORE PAST RESEARCH CFG has a Whitep
Page 7 and 8: OUTLINE MinWin Hooks Nirvana Hooks
Page 9 and 10: What is MinWin? MinWin is an intern
Page 11 and 12: API Set Redirection (Win 7) One sin
Page 13 and 14: API Set Redirection (Win 8) Windows
Page 15 and 16: API Set Redirection (Win 10) Window
Page 17 and 18: Parsing Windows 10 API Set peb = Nt
Page 19 and 20: Modifying the API Set Map First, de
Page 21 and 22: MinWin Hooking Demo 1/26/2016 COPYR
Page 23 and 24: Double MinWin Bonus While working o
Page 25 and 26: What Is Nirvana? 1/26/2016 COPYRIGH
Page 27 and 28: Instrumentation Callback (Win 7) In
Page 29 and 30: Instrumentation Callback (Win 10) I
Page 31 and 32: Nirvana Hook Demo 1/26/2016 COPYRIG
Page 33 and 34: What is CFG? 1/26/2016 COPYRIGHT 20
Page 35 and 36: Image Load Config Directory Special
Page 37 and 38: Writing a Guard CF Function title
Page 39 and 40: CFG Bonus CFG in Windows 10 covers
Page 41 and 42: What is Application Verifier 1/26/2
Page 43: Enabling Application Verifier The A
Page 47 and 48: Hooking APIs with Avrf static RTL_V
Page 49 and 50: Application Verifier Bonus Because
Page 51 and 52: What is the Shim Engine 1/26/2016 C
Page 53 and 54: Enabling the Shim Engine The Shim E
Page 55 and 56: Dynamic Shim Installation Shims can
Page 57: QUESTIONS? SEE YOU AT BLACKHAT 1/26

Hooking Nirvana

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?