Hooking Nirvana

More documents

Recommendations

Info

Verifier Provider Demo 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 48
Application Verifier Bonus Because the IFEO key is stored in the “SOFTWARE” hive, only an Administrator user can turn on Verifier and allow these hooks to be applied Except it turns out that there’s an override in the KUSER_SHARED_DATA ◦ +0x3a0 ImageFileExecutionOptions : Uint4B This override can be set early at boot by the kernel, based on the following registry modification ◦ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ImageExecutionOptions = 1 (REG_DWORD) Documented here (“VerifierIsPerUserSettingsEnabled”) ◦ https://msdn.microsoft.com/en-us/library/bb432502(v=vs.85).aspx If this is set to true on your machine, you are vulnerable to hijacks! 1/26/2016 COPYRIGHT 2015 ALEX IONESCU. ALL RIGHTS RESERVED. 49
Page 1 and 2: Hooking Nirvana STEALTHY INSTRUMENT
Page 3 and 4: WHAT THIS TALK IS ABOUT Five differ
Page 5 and 6: MORE PAST RESEARCH CFG has a Whitep
Page 7 and 8: OUTLINE MinWin Hooks Nirvana Hooks
Page 9 and 10: What is MinWin? MinWin is an intern
Page 11 and 12: API Set Redirection (Win 7) One sin
Page 13 and 14: API Set Redirection (Win 8) Windows
Page 15 and 16: API Set Redirection (Win 10) Window
Page 17 and 18: Parsing Windows 10 API Set peb = Nt
Page 19 and 20: Modifying the API Set Map First, de
Page 21 and 22: MinWin Hooking Demo 1/26/2016 COPYR
Page 23 and 24: Double MinWin Bonus While working o
Page 25 and 26: What Is Nirvana? 1/26/2016 COPYRIGH
Page 27 and 28: Instrumentation Callback (Win 7) In
Page 29 and 30: Instrumentation Callback (Win 10) I
Page 31 and 32: Nirvana Hook Demo 1/26/2016 COPYRIG
Page 33 and 34: What is CFG? 1/26/2016 COPYRIGHT 20
Page 35 and 36: Image Load Config Directory Special
Page 37 and 38: Writing a Guard CF Function title
Page 39 and 40: CFG Bonus CFG in Windows 10 covers
Page 41 and 42: What is Application Verifier 1/26/2
Page 43 and 44: Enabling Application Verifier The A
Page 45 and 46: Writing a Verifier Provider This ti
Page 47: Hooking APIs with Avrf static RTL_V
Page 51 and 52: What is the Shim Engine 1/26/2016 C
Page 53 and 54: Enabling the Shim Engine The Shim E
Page 55 and 56: Dynamic Shim Installation Shims can
Page 57: QUESTIONS? SEE YOU AT BLACKHAT 1/26

Hooking Nirvana

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?