Hooking Nirvana

More documents

Recommendations

Info

Gotchas! API Set Map is mapped as PAGE_READONLY ◦ Windows 8 and higher will not allow VirtualProtect due to SEC_NO_CHANGE ◦ Easier modification: Edit the PEB itself Steps: ◦ Read existing API Set Map Size ◦ Allocate identical buffer, plus one page ◦ Copy existing API Set Map ◦ Make required changes in the copy, including creating new offsets ◦ Point Peb->ApiSetMap to the copy Problem #2: All API Set Hosts are assumed to be in %SYSTEMROOT% ◦ Workaround: prefix API Dll Name with “\spool\drivers\color\” Problem #3: If hook DLL is importing kernel32.dll or advapi32.dll, then these imports will be subject to redirection too, and cause self-redirect ◦ Workaround: Build custom .lib file that points directly to API Set Host 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 20
MinWin <strong>Hooking</strong> Demo 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 21
Page 1 and 2: Hooking Nirvana STEALTHY INSTRUMENT
Page 3 and 4: WHAT THIS TALK IS ABOUT Five differ
Page 5 and 6: MORE PAST RESEARCH CFG has a Whitep
Page 7 and 8: OUTLINE MinWin Hooks Nirvana Hooks
Page 9 and 10: What is MinWin? MinWin is an intern
Page 11 and 12: API Set Redirection (Win 7) One sin
Page 13 and 14: API Set Redirection (Win 8) Windows
Page 15 and 16: API Set Redirection (Win 10) Window
Page 17 and 18: Parsing Windows 10 API Set peb = Nt
Page 19: Modifying the API Set Map First, de
Page 23 and 24: Double MinWin Bonus While working o
Page 25 and 26: What Is Nirvana? 1/26/2016 COPYRIGH
Page 27 and 28: Instrumentation Callback (Win 7) In
Page 29 and 30: Instrumentation Callback (Win 10) I
Page 31 and 32: Nirvana Hook Demo 1/26/2016 COPYRIG
Page 33 and 34: What is CFG? 1/26/2016 COPYRIGHT 20
Page 35 and 36: Image Load Config Directory Special
Page 37 and 38: Writing a Guard CF Function title
Page 39 and 40: CFG Bonus CFG in Windows 10 covers
Page 41 and 42: What is Application Verifier 1/26/2
Page 43 and 44: Enabling Application Verifier The A
Page 45 and 46: Writing a Verifier Provider This ti
Page 47 and 48: Hooking APIs with Avrf static RTL_V
Page 49 and 50: Application Verifier Bonus Because
Page 51 and 52: What is the Shim Engine 1/26/2016 C
Page 53 and 54: Enabling the Shim Engine The Shim E
Page 55 and 56: Dynamic Shim Installation Shims can
Page 57: QUESTIONS? SEE YOU AT BLACKHAT 1/26

Hooking Nirvana

Create successful ePaper yourself

Delete template?

Save as template?