Captain Hook

More documents

Recommendations

Info

INJECTION METHODS – USER APC • The most common Kernel-To-User injection method • Used by lots of malwares: • TDL • ZERO ACCESS • Sandbox escape shellcodes • … • Also used by lots of security products: • AVG • Kaspersky Home Edition • Avecto • … • Documented: • Blackout: What Really Happened • Much more in forums and leaked source codes
INJECTION METHODS – USER APC Basic Steps (There are several variations): 1. Register load image callback using PsSetLoadImageNotifyRoutine 2. Write payload that injects a dll using LdrLoadDll (Other variations use LoadLibrary) 3. Insert User APC using KeInsertQueueApc
Page 1 and 2: Captain Hook: Pirating AVS to Bypas
Page 3 and 4: AGENDA • Hooking In a Nutshell
Page 5 and 6: SCOPE OF RESEARCH • Our research
Page 7 and 8: INLINE HOOKING - 32-BIT FUNCTION HO
Page 15 and 16: INLINE HOOKING - RECAP • Inline h
Page 17: INTRODUCTION - KERNEL-TO-USER CODE
Page 21 and 22: INJECTION METHODS - ENTRY POINT PAT
Page 27 and 28: INJECTION METHODS - IMPORT TABLE PA
Page 29 and 30: INJECTION METHODS - NTDLL.DLL/USER3
Page 31 and 32: INJECTION METHODS - NTDLL.DLL/USER3
Page 33 and 34: INJECTION METHODS - QUICK SUMMARY
Page 35 and 36: #1 - UNSAFE INJECTION Severity: Ver
Page 37 and 38: #3 - PREDICTABLE R-X CODE STUBS Sev
Page 39 and 40: #5 -RWX CODE STUBS Severity: Medium
Page 41 and 42: SECURITY ISSUES OF HOOKING - RECAP
Page 43 and 44: 3 rd Party Hooking Engines
Page 45 and 46: EASYHOOK - OPEN-SOURCE HOOKING ENGI
Page 47 and 48: MADCODEHOOK - POWERFUL COMMERCIAL H
Page 49 and 50: MICROSOFT DETOURS VULNERABILITY - I
Page 51 and 52: AFFECTED PRODUCTS * Patch wasn’t
Page 53 and 54: Research Tools
Page 55 and 56: RESEARCH TOOLS - HOOKS SCAN • Too
Page 57: Contact Us: Udi, udi@ensilo.com Tom

Captain Hook

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?