Hooking Nirvana

More documents

Recommendations

Info

Guard CF Checking Function Based on the pointer that’s stored in GuardCFCheckFunctionPointer, the loader will overwrite this data during load time using LdrpCfgProcessLoadConfig The protection is changed to PAGE_READWRITE, the pointer is overridden and then the protection is restored back The pointer is overridden with LdrpValidateUserCallTarget This only happens if the image is linked with CFG (IMAGE_DLLCHARACTERISTICS_GUARD_CF) And only if the IMAGE_GUARD_CF_INSTRUMENTED flag is set in GuardFlags On failure, RtlpHandleInvalidUserCallTarget is used to determine what to do (suppressed address validation) ◦ Results in exception or inhibition of the error 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 36
Writing a Guard CF Function title “CFG Hook" include ksamd64.inc subttl "Function to receive CFG Callbacks" EXTERN CfgCHook:PROC NESTED_ENTRY CfgHook, TEXT GENERATE_EXCEPTION_FRAME Rbp call CfgCHook RESTORE_EXCEPTION_STATE Rbp ; More crashes ; Oh no, what will you call here? ; None of this works! ret NESTED_END CfgHook, TEXT end 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 37
Page 1 and 2: Hooking Nirvana STEALTHY INSTRUMENT
Page 3 and 4: WHAT THIS TALK IS ABOUT Five differ
Page 5 and 6: MORE PAST RESEARCH CFG has a Whitep
Page 7 and 8: OUTLINE MinWin Hooks Nirvana Hooks
Page 9 and 10: What is MinWin? MinWin is an intern
Page 11 and 12: API Set Redirection (Win 7) One sin
Page 13 and 14: API Set Redirection (Win 8) Windows
Page 15 and 16: API Set Redirection (Win 10) Window
Page 17 and 18: Parsing Windows 10 API Set peb = Nt
Page 19 and 20: Modifying the API Set Map First, de
Page 21 and 22: MinWin Hooking Demo 1/26/2016 COPYR
Page 23 and 24: Double MinWin Bonus While working o
Page 25 and 26: What Is Nirvana? 1/26/2016 COPYRIGH
Page 27 and 28: Instrumentation Callback (Win 7) In
Page 29 and 30: Instrumentation Callback (Win 10) I
Page 31 and 32: Nirvana Hook Demo 1/26/2016 COPYRIG
Page 33 and 34: What is CFG? 1/26/2016 COPYRIGHT 20
Page 35: Image Load Config Directory Special
Page 39 and 40: CFG Bonus CFG in Windows 10 covers
Page 41 and 42: What is Application Verifier 1/26/2
Page 43 and 44: Enabling Application Verifier The A
Page 45 and 46: Writing a Verifier Provider This ti
Page 47 and 48: Hooking APIs with Avrf static RTL_V
Page 49 and 50: Application Verifier Bonus Because
Page 51 and 52: What is the Shim Engine 1/26/2016 C
Page 53 and 54: Enabling the Shim Engine The Shim E
Page 55 and 56: Dynamic Shim Installation Shims can
Page 57: QUESTIONS? SEE YOU AT BLACKHAT 1/26

Hooking Nirvana

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?