Hooking Nirvana

More documents

Recommendations

Info

Special Kernel Base Handling When the loader (Ntdll.dll) loads kernel base, it also calls LdrpSnapKernelBaseExtensions This parses all of the delay load descriptors for KernelBase.dll Looks for any which start with ext- Finds the API Set Hosts for those extensions, and checks if any resolve to Kernel32.dll ◦ Load them if so, by calling LdrpResolveDelayLoadDescriptor 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 16
Parsing Windows 10 API Set peb = NtCurrentTeb()->ProcessEnvironmentBlock; ApiSetMap = peb->Reserved9[0]; // ApiSetMap nsEntry = (PAPI_SET_NAMESPACE_ENTRY)(ApiSetMap->EntryOffset + (ULONG_PTR)ApiSetMap); for (i = 0; i < ApiSetMap->Count; i++) { nameString.Length = (USHORT)nsEntry->NameLength; nameString.Buffer = (PWCHAR)((ULONG_PTR)ApiSetMap + nsEntry->NameOffset); valueEntry = (PAPI_SET_VALUE_ENTRY)((ULONG_PTR)ApiSetMap + nsEntry->ValueOffset); for (j = 0; j < nsEntry->ValueCount; j++) { valueString.Buffer = (PWCHAR)((ULONG_PTR)ApiSetMap + valueEntry->ValueOffset); valueString.Length = (USHORT)valueEntry->ValueLength; nameString.Length = (USHORT)valueEntry->NameLength; nameString.Buffer = (PWCHAR)((ULONG_PTR)ApiSetMap + valueEntry->NameOffset); } valueEntry++; } nsEntry++; 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 17
Page 1 and 2: Hooking Nirvana STEALTHY INSTRUMENT
Page 3 and 4: WHAT THIS TALK IS ABOUT Five differ
Page 5 and 6: MORE PAST RESEARCH CFG has a Whitep
Page 7 and 8: OUTLINE MinWin Hooks Nirvana Hooks
Page 9 and 10: What is MinWin? MinWin is an intern
Page 11 and 12: API Set Redirection (Win 7) One sin
Page 13 and 14: API Set Redirection (Win 8) Windows
Page 15: API Set Redirection (Win 10) Window
Page 19 and 20: Modifying the API Set Map First, de
Page 21 and 22: MinWin Hooking Demo 1/26/2016 COPYR
Page 23 and 24: Double MinWin Bonus While working o
Page 25 and 26: What Is Nirvana? 1/26/2016 COPYRIGH
Page 27 and 28: Instrumentation Callback (Win 7) In
Page 29 and 30: Instrumentation Callback (Win 10) I
Page 31 and 32: Nirvana Hook Demo 1/26/2016 COPYRIG
Page 33 and 34: What is CFG? 1/26/2016 COPYRIGHT 20
Page 35 and 36: Image Load Config Directory Special
Page 37 and 38: Writing a Guard CF Function title
Page 39 and 40: CFG Bonus CFG in Windows 10 covers
Page 41 and 42: What is Application Verifier 1/26/2
Page 43 and 44: Enabling Application Verifier The A
Page 45 and 46: Writing a Verifier Provider This ti
Page 47 and 48: Hooking APIs with Avrf static RTL_V
Page 49 and 50: Application Verifier Bonus Because
Page 51 and 52: What is the Shim Engine 1/26/2016 C
Page 53 and 54: Enabling the Shim Engine The Shim E
Page 55 and 56: Dynamic Shim Installation Shims can
Page 57: QUESTIONS? SEE YOU AT BLACKHAT 1/26

Hooking Nirvana

Create successful ePaper yourself

Delete template?

Save as template?