Captain Hook

More documents

Recommendations

Info

INJECTION METHODS – IMPORT TABLE PATCHING Internet Explorer patched import table
INJECTION METHODS – NTDLL.DLL/USER32.DLL PATCHING • Register load image callback using PsSetLoadImageNotifyRoutine and wait for ntdll.dll module to load Kernel Space Ntoskrnl.exe KiStartUserThread EvilDriver.sys Callback Routine User Space Application RtlUserThreadStart LdrLoadDll
Page 1 and 2: Captain Hook: Pirating AVS to Bypas
Page 3 and 4: AGENDA • Hooking In a Nutshell
Page 5 and 6: SCOPE OF RESEARCH • Our research
Page 7 and 8: INLINE HOOKING - 32-BIT FUNCTION HO
Page 15 and 16: INLINE HOOKING - RECAP • Inline h
Page 17 and 18: INTRODUCTION - KERNEL-TO-USER CODE
Page 19 and 20: INJECTION METHODS - USER APC Basic
Page 21 and 22: INJECTION METHODS - ENTRY POINT PAT
Page 27: INJECTION METHODS - IMPORT TABLE PA
Page 31 and 32: INJECTION METHODS - NTDLL.DLL/USER3
Page 33 and 34: INJECTION METHODS - QUICK SUMMARY
Page 35 and 36: #1 - UNSAFE INJECTION Severity: Ver
Page 37 and 38: #3 - PREDICTABLE R-X CODE STUBS Sev
Page 39 and 40: #5 -RWX CODE STUBS Severity: Medium
Page 41 and 42: SECURITY ISSUES OF HOOKING - RECAP
Page 43 and 44: 3 rd Party Hooking Engines
Page 45 and 46: EASYHOOK - OPEN-SOURCE HOOKING ENGI
Page 47 and 48: MADCODEHOOK - POWERFUL COMMERCIAL H
Page 49 and 50: MICROSOFT DETOURS VULNERABILITY - I
Page 51 and 52: AFFECTED PRODUCTS * Patch wasn’t
Page 53 and 54: Research Tools
Page 55 and 56: RESEARCH TOOLS - HOOKS SCAN • Too
Page 57: Contact Us: Udi, udi@ensilo.com Tom

Captain Hook

Create successful ePaper yourself

Delete template?

Save as template?