The document discusses advanced persistent threats and techniques used by attackers both historically and currently. It covers topics like out-of-band analysis techniques to gain "perfect knowledge" of attackers through reverse engineering, using telemetry and signatures to detect malware, and challenges with scanning techniques due to polymorphism and evasion methods used by attackers.
Security research over Windows #defcon china (Peter Hlavaty)
Over the past several years Microsoft Windows has undergone a lot of fundamental security changes. While one can argue it is still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in the attacker's perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization, up to a stronger focus even on win32k. In our talk we will go through those changes, how they affect us and how we tackle them, from choosing targets and finding bugs up to the exploitation primitives we are using. We will also emphasize that Windows research is not only about the sandbox, and there are many more interesting targets to look for.
This document summarizes techniques discussed at Black Hat 2017 for process injection, post-exploitation tools, cache-side channel attacks, and data-oriented attacks. For process injection, it describes hollow process injection and references papers on atom bombing and evasive hollow process injection techniques. For post-exploitation, it summarizes talks on using signed binaries and the Shadow debugging tool. Regarding cache attacks, it outlines talks on exploitability/countermeasures and SGX attacks. Mitigation techniques like secret-independent code and page coloring are also briefly mentioned.
MacOS forensics and anti-forensics (DC Lviv 2019) presentation (OlehLevytskyi1)
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
This document provides an overview of the best tools for penetration testing web applications. It discusses Nikto for server enumeration and vulnerability scanning, Webscarab for intercepting requests and modifying parameters, w3af as an open source web application exploitation framework, and Firefox with extensions like Firebug and YSlow for manual testing. Commercial tools like Core Impact and Cenzic Hailstorm are also highlighted for their methodologies and capabilities. Additional resources like Samurai Linux are mentioned as a ready-to-go penetration testing environment with pre-installed web assessment tools.
This document discusses vulnerability design patterns for kernel exploitation. It outlines several common vulnerability classes for the kernel including out of boundary errors, buffer overflows, and null pointer writes. It provides examples of how these vulnerabilities could be used to achieve kernel code execution or privilege escalation. It also notes how kernel exploitation techniques have evolved over time to bypass defenses like KASLR and discusses developing exploitation tools instead of just shellcode.
The document discusses volatility and memory forensics. It covers topics like how volatility works on different operating systems like Linux and Windows, acquiring memory dumps, analyzing memory structures like page tables and processes, dealing with semantic gaps in raw memory, plugin development, and investigating various artifacts in memory related to authentication, passwords, encryption, and applications. The document provides information on memory forensics techniques and how volatility is used as an open-source memory forensics framework.
Chipsec is an open source framework for assessing platform security. It can be used to find vulnerabilities in system firmware like BIOS, UEFI and Mac EFI. Some examples shown include exploiting S3 resume boot script vulnerabilities to gain persistence, attacking hypervisors via SMM pointers, and checking for issues with MMIO BAR registers. The tool can also detect "problems" like unlocked firmware, missing hardware protections, and analyze real-world malware implants targeting firmware like DerStarke and HackingTeam UEFI rootkits.
This document discusses Linux kernel crash capture and analysis. It begins with an overview of what constitutes a kernel crash and reasons crashes may occur, both from hardware and software issues. It then covers using kdump to capture virtual memory cores (vmcores) when a crash happens, and configuring kdump for optimal core collection. Finally, it discusses analyzing vmcores after collection using the crash utility, including commands to inspect system information, backtraces, logs, and more.
Reverse Engineering the TomTom Runner pt. 2 (Luis Grangeia)
Second presentation of my research into reverse engineering a TomTom Runner GPS watch. In this I explain how I got running code inside an unfamiliar device and proceeded to bypass its security measures and extract firmware keys and code from the device.
More details on my personal blog, at http://grangeia.io
Presented in October 2015 at "Confraria de Segurança da Informação" in Lisbon
This document provides an overview of several security tools including Nikto, Burp Suite, Wikto, Nmap, Metasploit, Nessus, OpenVAS, and how some of them relate to and integrate with Nikto. It describes Nikto as a web server scanner that checks for vulnerabilities. It then briefly introduces each of the other tools, their purpose, and in some cases how they can work with Nikto, such as Nikto being able to use Nmap scan results or output results to Metasploit's database.
This document summarizes an Italian presentation on monitoring and tuning I/O performance on Linux. It discusses key topics like I/O monitoring tools like iostat, iotop and blktrace, tuning techniques like dirty page writeback and filesystem options, and ensuring reliability of data writes through proper synchronization and error handling. The presentation provides an overview of I/O subsystems in Linux and dives into specific tools and parameters for optimizing I/O.
Agenda:
The Linux kernel has multiple "tracers" built-in, with various degrees of support for aggregation, dynamic probes, parameter processing, filtering, histograms, and other features. Starting from the venerable ftrace, introduced in kernel 2.6, all the way through eBPF, which is still under development, there are many options to choose from when you need to statically instrument your software with probes, or diagnose issues in the field using the system's dynamic probes. Modern tools include SystemTap, Sysdig, ktap, perf, bcc, and others. In this talk, we will begin by reviewing the modern tracing landscape -- ftrace, perf_events, kprobes, uprobes, eBPF -- and what insight into system activity these tools can offer. Then, we will look at specific examples of using tracing tools for diagnostics: tracing a memory leak using low-overhead kmalloc/kfree instrumentation, diagnosing a CPU caching issue using perf stat, probing network and block I/O latency distributions under load, or merely snooping user activities by capturing terminal input and output.
Speaker:
Sasha is the CTO of Sela Group, a training and consulting company based in Israel that employs over 400 developers world-wide. Most of Sasha's work revolves around performance optimization, production debugging, and low-level system diagnostics, but he also dabbles in mobile application development on iOS and Android. Sasha is the author of two books and three Pluralsight courses, and a contributor to multiple open-source projects. He blogs at http://blog.sashag.net.
Cloud forensics: putting the bits back together (Shakacon)
The document discusses forensic investigations of AWS EC2 instances and EBS volumes. It details the process the author took to launch EC2 instances with different EBS volume types, write and delete files, snapshot the volumes, and use forensic software to recover deleted files from the snapshots. The results showed that standard, gp2 and io1 volume types had the highest recovery rates of deleted files from snapshots, while sc1 and st1 volume types recovered fewer files and in some cases produced anomalously large PDF files. Maintaining chain of custody of forensic evidence and using separate AWS accounts was recommended to safeguard recovered data.
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi (Shakacon)
Graphic drivers and their related code are an essential component in every modern operating system. This particular component involves especially complex logic and a huge amount of code, simply because it must handle equally complex tasks.
As we know from history and experience, huge and complex code is often also a security risk. Last but not least, in almost all popular modern operating systems, graphics code and logic runs in a highly privileged context such as the kernel, or even in a higher context, such as the VMware graphics component, which essentially implements your graphics card outside the guest in a host process.
Any mistake made in this highly privileged code can lead to a fatal outcome, especially considering that it is often reachable from interesting sandboxes, such as the browser ones. We will go through the internals of various graphics systems to show similarities and differences: the heart of Windows graphics, aka win32k, then OSX/iOS IOKit, and finally the VMware emulated GPU graphics subsystem. We will then switch gears and showcase some vulnerabilities in these scenarios, and discuss effective fuzzing methodologies, both specific to a particular target and generic principles of fuzzing graphics subsystems.
How to Root 10 Million Phones with One Exploit (Jiahong Fang)
This document discusses how to root 107 different phone models using a single exploit from 2014. It begins by introducing the author and their background in rooting phones. It then provides historical context on Android rooting methods over time, from early hidden root consoles to exploits of OTA updates, daemons, and kernels. The document focuses on a technique called DKOM (Direct Kernel Object Manipulation) to achieve root access by manipulating kernel objects like task structures even with only write-anywhere capabilities. It analyzes an exploit from 2013 that enabled this technique to root 42% of phones at the time.
The document discusses developing an exploit from a vulnerability and integrating it into the Metasploit framework. It covers finding a buffer overflow vulnerability in an application called "Free MP3 CD Ripper", using tools like ImmunityDebugger and Mona.py to crash the application and gain control of EIP. It then shows using Mona.py to generate an exploit, testing it works, and submitting it to the Metasploit framework. It also provides an overview of Meterpreter and its capabilities.
Slides for JavaOne 2015 talk by Brendan Gregg, Netflix (video/audio, of some sort, hopefully pending: follow @brendangregg on twitter for updates). Description: "At Netflix we dreamed of one visualization to show all CPU consumers: Java methods, GC, JVM internals, system libraries, and the kernel. With the help of Oracle this is now possible on x86 systems using system profilers (eg, Linux perf_events) and the new JDK option -XX:+PreserveFramePointer. This lets us create Java mixed-mode CPU flame graphs, exposing all CPU consumers. We can also use system profilers to analyze memory page faults, TCP events, storage I/O, and scheduler events, also with Java method context. This talk describes the background for this work, instructions generating Java mixed-mode flame graphs, and examples from our use at Netflix where Java on x86 is the primary platform for the Netflix cloud."
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s... (Anne Nicolas)
Understanding how the Linux kernel IO subsystem works is key to the analysis of a wide variety of issues that occur when running a Linux system. This talk is aimed at helping Linux users understand what is going on and how to get more insight into what is happening.
First we present an overview of the Linux kernel block layer, including the different IO schedulers. We also talk about the new block multiqueue implementation that is used for more and more devices.
After surveying the basic architecture we will be prepared to talk about tools to peek into it. We start with lightweight monitoring like iostat and continue with the heavier blktrace and the variety of tools that are based on it. We demonstrate use of the tools in the analysis of real-world issues.
Jan Kara, SUSE
The document discusses exploiting vulnerabilities in web applications using Metasploit. It describes using Kali Linux as the attacker machine, Metasploit for exploits, payloads and establishing sessions, and Metasploitable2 as the vulnerable web server victim. Various exploitation techniques are covered like SQL injection, file uploads, and command injection. Metasploit modules, payloads, and usage are also outlined.
High Performance Storage Devices in the Linux Kernel (Kernel TLV)
Agenda:
In this talk we will present the Linux kernel storage layers and dive into blk-mq, a scalable, parallel block layer for high performance block devices, and how it is used to unleash the performance of NVMe, flash and beyond.
Speaker:
Evgeny Budilovsky, Kernel Developer at E8 Storage
https://www.linkedin.com/company/e8-storage
Hacker Halted 2014 - Post-Exploitation After Having Remote Access (EC-Council)
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic, meaning that they work against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them is endless, e.g., communicating with a bind shell on a web server behind a restricted DMZ. Beware, live demo and fun included!
[若渴計畫] Challenges and Solutions of Window Remote Shellcode (Aj MaChInE)
This document discusses challenges and solutions related to window remote shellcode. It outlines challenges posed by antivirus software, EMET, firewalls, and IDS/IPS systems. It then describes various techniques for bypassing these protections, such as encryption, obfuscation, non-standard programming languages, and the use of tools like Meterpreter and Veil Framework payloads. Specific bypass techniques covered include DLL injection, process hollowing, reflective loading, and the use of techniques like one-way shells and HTTP stagers.
This document provides an overview of blktrace, a Linux kernel feature and set of utilities that allow detailed tracing of operations within the block I/O layer. Blktrace captures events for each I/O request as it is processed, including queue operations, merges, remapping by software RAID, and driver handling. The blktrace utilities extract these events and allow live tracing or storage for later analysis. Analysis tools like btt can analyze the stored blktrace data to measure processing times and identify bottlenecks or anomalies in how I/O requests are handled throughout the block I/O stack.
Analyzing OS X Systems Performance with the USE Method (Brendan Gregg)
Talk for MacIT 2014. This talk is about systems performance on OS X, and introduces the USE Method to check for common performance bottlenecks and errors. This methodology can be used by beginners and experts alike, and begins by constructing a checklist of the questions we’d like to ask of the system, before reaching for tools to answer them. The focus is resources: CPUs, GPUs, memory capacity, network interfaces, storage devices, controllers, interconnects, as well as some software resources such as mutex locks. These areas are investigated by a wide variety of tools, including vm_stat, iostat, netstat, top, latency, the DTrace scripts in /usr/bin (which were written by Brendan), custom DTrace scripts, Instruments, and more. This is a tour of the tools needed to solve our performance needs, rather than understanding tools just because they exist. This talk will make you aware of many areas of OS X that you can investigate, which will be especially useful for the time when you need to get to the bottom of a performance issue.
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi... (The Linux Foundation)
This presentation will detail a practical approach to memory introspection of virtual machines running on the Xen hypervisor with no in-guest footprint. The functionality makes use of the mem-event API with a number of improvements which enable the proper tracking of guest OS activity. The technology created on top of this Xen API opens the door for several immediate applications, including: rootkit detection and prevention, detection and action on several categories of malware, and event source information for low-level post-event forensics and correlation based on real event data during events.
Introduction to Linux Kernel by Quontra Solutions (QUONTRASOLUTIONS)
Course Duration: 30-35 hours Training + Assignments + Actual Project Based Case Studies
Training Materials: All attendees will receive:
* Assignment after each module, video recording of every session
* Notes and study material for examples covered
* Access to the Training Blog & Repository of Materials
Pre-requisites:
Basic Computer Skills and knowledge of IT.
Training Highlights
* Focus on Hands on training.
* 30 hours of Assignments, Live Case Studies.
* Video Recordings of sessions provided.
* One Problem Statement discussed across the whole training program.
* Resume prep, Interview Questions provided.
WEBSITE: www.QuontraSolutions.com
Contact Info: Phone +1 404-900-9988(or) Email - info@quontrasolutions.com
This document discusses Linux kernel crash capture and analysis. It begins with an overview of what constitutes a kernel crash and reasons crashes may occur, both from hardware and software issues. It then covers using kdump to capture virtual memory cores (vmcores) when a crash happens, and configuring kdump for optimal core collection. Finally, it discusses analyzing vmcores after collection using the crash utility, including commands to inspect system information, backtraces, logs, and more.
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
Second presentation of my research into reverse engineering a TomTom Runner GPS watch. In this I explain how I got running code inside an unfamiliar device and proceeded to bypass its security measures and extract firmware keys and code from the device.
More details on my personal blog, at http://grangeia.io
Presented in October 2015 at "Confraria de Segurança da Informação" in Lisbon
This document provides an overview of several security tools including Nikto, Burp Suite, Wikto, Nmap, Metasploit, Nessus, OpenVAS, and how some of them relate to and integrate with Nikto. It describes Nikto as a web server scanner that checks for vulnerabilities. It then briefly introduces each of the other tools, their purpose, and in some cases how they can work with Nikto, such as Nikto being able to use Nmap scan results or output results to Metasploit's database.
This document summarizes an Italian presentation on monitoring and tuning I/O performance on Linux. It discusses key topics like I/O monitoring tools like iostat, iotop and blktrace, tuning techniques like dirty page writeback and filesystem options, and ensuring reliability of data writes through proper synchronization and error handling. The presentation provides an overview of I/O subsystems in Linux and dives into specific tools and parameters for optimizing I/O.
Agenda:
The Linux kernel has multiple "tracers" built-in, with various degrees of support for aggregation, dynamic probes, parameter processing, filtering, histograms, and other features. Starting from the venerable ftrace, introduced in kernel 2.6, all the way through eBPF, which is still under development, there are many options to choose from when you need to statically instrument your software with probes, or diagnose issues in the field using the system's dynamic probes. Modern tools include SystemTap, Sysdig, ktap, perf, bcc, and others. In this talk, we will begin by reviewing the modern tracing landscape -- ftrace, perf_events, kprobes, uprobes, eBPF -- and what insight into system activity these tools can offer. Then, we will look at specific examples of using tracing tools for diagnostics: tracing a memory leak using low-overhead kmalloc/kfree instrumentation, diagnosing a CPU caching issue using perf stat, probing network and block I/O latency distributions under load, or merely snooping user activities by capturing terminal input and output.
Speaker:
Sasha is the CTO of Sela Group, a training and consulting company based in Israel that employs over 400 developers world-wide. Most of Sasha's work revolves around performance optimization, production debugging, and low-level system diagnostics, but he also dabbles in mobile application development on iOS and Android. Sasha is the author of two books and three Pluralsight courses, and a contributor to multiple open-source projects. He blogs at http://blog.sashag.net.
Cloud forensics putting the bits back togetherShakacon
The document discusses forensic investigations of AWS EC2 instances and EBS volumes. It details the process the author took to launch EC2 instances with different EBS volume types, write and delete files, snapshot the volumes, and use forensic software to recover deleted files from the snapshots. The results showed that standard, gp2 and io1 volume types had the highest recovery rates of deleted files from snapshots, while sc1 and st1 volume types recovered fewer files and in some cases produced anomalously large PDF files. Maintaining chain of custody of forensic evidence and using separate AWS accounts was recommended to safeguard recovered data.
50 Shades of Fuzzing by Peter Hlavaty & Marco GrassiShakacon
Graphic drivers and their related code are an essential component in every modern operating system. This particular component involves especially complex logic and a huge amount of code, simply because it must handle equally complex tasks.
As we know from history and experience huge and complex code is often also a security risk. Last but not least, in almost all the popular modern operating system, graphics code and logic is running in a highly privileged context such as the kernel, or even in a higher context, such as VMWare graphics component, which essentially implements your graphic card outside the guest into a host process.
Any mistake made into this highly privileged code can lead to a fatal outcome, especially considering that it is often reachable from interesting sandboxes, such as the browser ones. We will go through the internals for various graphic systems, to show similarities and differences, such as windows heart of graphics aka win32k, then OSX/iOS IOKit, and finally, WMWare emulated GPU graphic subsystem. We can then switch gear and showcase some vulnerabilities in these scenarios, discuss effective fuzzing methodologies both specific to a particular target and generic principles of fuzzing graphic subsystems as well.
How to Root 10 Million Phones with One ExploitJiahong Fang
This document discusses how to root 107 different phone models using a single exploit from 2014. It begins by introducing the author and their background in rooting phones. It then provides historical context on Android rooting methods over time, from early hidden root consoles to exploits of OTA updates, daemons, and kernels. The document focuses on a technique called DKOM (Direct Kernel Object Manipulation) to achieve root access by manipulating kernel objects like task structures even with only write-anywhere capabilities. It analyzes an exploit from 2013 that enabled this technique to root 42% of phones at the time.
The document discusses developing an exploit from a vulnerability and integrating it into the Metasploit framework. It covers finding a buffer overflow vulnerability in an application called "Free MP3 CD Ripper", using tools like ImmunityDebugger and Mona.py to crash the application and gain control of EIP. It then shows using Mona.py to generate an exploit, testing it works, and submitting it to the Metasploit framework. It also provides an overview of Meterpreter and its capabilities.
Slides for JavaOne 2015 talk by Brendan Gregg, Netflix (video/audio, of some sort, hopefully pending: follow @brendangregg on twitter for updates). Description: "At Netflix we dreamed of one visualization to show all CPU consumers: Java methods, GC, JVM internals, system libraries, and the kernel. With the help of Oracle this is now possible on x86 systems using system profilers (eg, Linux perf_events) and the new JDK option -XX:+PreserveFramePointer. This lets us create Java mixed-mode CPU flame graphs, exposing all CPU consumers. We can also use system profilers to analyze memory page faults, TCP events, storage I/O, and scheduler events, also with Java method context. This talk describes the background for this work, instructions generating Java mixed-mode flame graphs, and examples from our use at Netflix where Java on x86 is the primary platform for the Netflix cloud."
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Anne Nicolas
Understanding how Linux kernel IO subsystem works is a key to analysis of a wide variety of issues occurring when running a Linux system. This talk is aimed at helping Linux users understand what is going on and how to get more insight into what is happening.
First we present an overview of Linux kernel block layer including different IO schedulers. We also talk about a new block multiqueue implementation that gets used for more and more devices.
After surveying the basic architecture we will be prepared to talk about tools to peek into it. We start with lightweight monitoring like iostat and continue with more heavy blktrace and variety of tools that are based on it. We demonstrate use of the tools on analysis of real world issues.
Jan Kara, SUSE
The document discusses exploiting vulnerabilities in web applications using Metasploit. It describes using Kali Linux as the attacker machine, Metasploit for exploits, payloads and establishing sessions, and Metasploitable2 as the vulnerable web server victim. Various exploitation techniques are covered like SQL injection, file uploads, and command injection. Metasploit modules, payloads, and usage are also outlined.
High Performance Storage Devices in the Linux KernelKernel TLV
Agenda:
In this talk we will present the Linux kernel storage layers and dive into blk-mq, a scalable, parallel block layer for high performance block devices, and how it is used to unleash the performance of NVMe, flash and beyond.
Speaker:
Evgeny Budilovsky, Kernel Developer at E8 Storage
https://www.linkedin.com/company/e8-storage
Hacker Halted 2014 - Post-Exploitation After Having Remote AccessEC-Council
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where you have deployed a malware on a user’s workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user’s workstation.
I developed (and will publish) two tools that help you in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help you to circumvent the hardware firewall after we can execute code on the server with admin privileges (using a signed kernel driver). My tools are generic, meaning that they work against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops. The number of problems you can solve with them is endless, e.g., communicating with a bind-shell on a webserver behind a restricted DMZ. Beware, live demo and fun included!
[若渴計畫] Challenges and Solutions of Window Remote ShellcodeAj MaChInE
This document discusses challenges and solutions related to window remote shellcode. It outlines challenges posed by antivirus software, EMET, firewalls, and IDS/IPS systems. It then describes various techniques for bypassing these protections, such as encryption, obfuscation, non-standard programming languages, and the use of tools like Meterpreter and Veil Framework payloads. Specific bypass techniques covered include DLL injection, process hollowing, reflective loading, and the use of techniques like one-way shells and HTTP stagers.
This document provides an overview of blktrace, a Linux kernel feature and set of utilities that allow detailed tracing of operations within the block I/O layer. Blktrace captures events for each I/O request as it is processed, including queue operations, merges, remapping by software RAID, and driver handling. The blktrace utilities extract these events and allow live tracing or storage for later analysis. Analysis tools like btt can analyze the stored blktrace data to measure processing times and identify bottlenecks or anomalies in how I/O requests are handled throughout the block I/O stack.
Analyzing OS X Systems Performance with the USE MethodBrendan Gregg
Talk for MacIT 2014. This talk is about systems performance on OS X, and introduces the USE Method to check for common performance bottlenecks and errors. This methodology can be used by beginners and experts alike, and begins by constructing a checklist of the questions we’d like to ask of the system, before reaching for tools to answer them. The focus is resources: CPUs, GPUs, memory capacity, network interfaces, storage devices, controllers, interconnects, as well as some software resources such as mutex locks. These areas are investigated by a wide variety of tools, including vm_stat, iostat, netstat, top, latency, the DTrace scripts in /usr/bin (which were written by Brendan), custom DTrace scripts, Instruments, and more. This is a tour of the tools needed to solve our performance needs, rather than understanding tools just because they exist. This talk will make you aware of many areas of OS X that you can investigate, which will be especially useful for the time when you need to get to the bottom of a performance issue.
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...The Linux Foundation
This presentation will detail a practical approach to memory introspection of virtual machines running on the Xen hypervisor with no in-guest footprint. The functionality makes use of the mem-event API with a number of improvements which enable the proper tracking of guest OS activity. The technology created on top of this Xen API opens the door for several immediate applications, including: rootkit detection and prevention, detection and action on several categories of malware, and event source information for low-level post-event forensics and correlation based on real event data during events.
Introduction to Linux Kernel by Quontra SolutionsQUONTRASOLUTIONS
Course Duration: 30-35 hours Training + Assignments + Actual Project Based Case Studies
Training Materials: All attendees will receive,
Assignment after each module, Video recording of every session
Notes and study material for examples covered.
Access to the Training Blog & Repository of Materials
Pre-requisites:
Basic Computer Skills and knowledge of IT.
Training Highlights
* Focus on Hands on training.
* 30 hours of Assignments, Live Case Studies.
* Video Recordings of sessions provided.
* One Problem Statement discussed across the whole training program.
* Resume prep, Interview Questions provided.
WEBSITE: www.QuontraSolutions.com
Contact Info: Phone +1 404-900-9988(or) Email - info@quontrasolutions.com
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia
This document summarizes techniques for reverse engineering MIPS firmware. It discusses extracting firmware from devices, analyzing firmware binaries to find code, filesystems and encryption. It provides an overview of the MIPS architecture and reversing tools. It also presents a case study on analyzing routers from Draytek, including decrypting configuration files, dumping firmware and extracting the compressed filesystem. Master keys were derived from MAC addresses using a simple polynomial algorithm.
Hyper-V best practices document provides recommendations in three main areas:
1. Host server hardware configuration including standardized hardware, latest drivers, and optimized power settings.
2. Hyper-V installation and configuration including roles, features, paths, and antivirus exclusions.
3. Virtual machine configuration best practices such as Generation 2 VMs, optimized devices, and automatic stop settings.
The document discusses best practices for deploying MongoDB including sizing hardware with sufficient memory, CPU and I/O; using an appropriate operating system and filesystem; installing and upgrading MongoDB; ensuring durability with replication and backups; implementing security, monitoring performance with tools, and considerations for deploying on Amazon EC2.
Platform Security Summit 18: Xen Security Weather Report 2018The Linux Foundation
The Xen Project is unique in its breadth of adoption and diverse contributions. Many vendors in the ecosystem are not directly competing, enabling collaboration which otherwise would not be possible. While hypervisors were once seen as purely cloud and server technologies, they are now used in many market segments to add compartmentalization and layers of security. This has led to renewed focus on older technologies, such as L4Re/seL4 and new technologies such as zircon, ACRN and others.
Meanwhile, the Xen Project has been trailblazing in adopting virtualization in new market segments and continues to innovate and set the direction for the industry. This has enabled downstream Xen developers to build viable businesses and products in areas such as security and embedded. This talk will cover Xen feature changes that are driven by security needs, and the challenges of safety certification within the context of open source projects and Xen Project in particular.
Kernel vulnerabilities were commonly used to obtain admin privileges, and the main rule was to stay in the kernel for as short a time as possible! But nowadays, even when you get admin/root, current operating systems are sometimes too restrictive. And that has made kernel exploitation a nice vector for installing into kernel mode!
In this talk we will examine steps from CPL3 to CPL0, including some nice tricks, and we end up with developing kernel mode drivers.
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
This document discusses kernel exploitation techniques. It begins by explaining the KernelIo technique for reading and writing kernel memory on Windows and Linux despite protections like SMAP and SMEP. It then discusses several vulnerability cases that can enable KernelIo like out of bounds writes, kmalloc overflows, and abusing KASLR. Next, it analyzes design flaws in kernels like linked lists, hidden pointers, and callback mechanisms. It evaluates the state of exploitation on modern systems and envisions future hardened operating system designs. It advocates moving to C++ for exploitation development rather than shellcoding and introduces a C++ exploitation framework. The document was presented by Peter Hlavaty of the Keen Team and encourages recruitment for vulnerability research.
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security.
For more signup(it's free): www.cisoplatform.com
31c3 Presentation - Virtual Machine IntrospectionTamas K Lengyel
This document discusses virtual machine introspection (VMI) using the Xen hypervisor. VMI allows reconstructing a guest VM's state from outside the guest by monitoring its memory, CPU, and devices. It provides isolation, interpretation of the guest's state, and ability to intercept execution. The document outlines challenges like reconstructing paged memory and kernel data structures. It presents tools like LibVMI and DRAKVUF that use VMI for malware analysis and cloud security. Kernel code integrity during runtime patching is also discussed.
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
This document discusses the pitfalls and limits of dynamic malware analysis. It summarizes that dynamic analysis aims to observe malware execution but is challenging due to evasion techniques. Several problems are outlined, including the difficulty of scalability, isolation, and stealth when analyzing malware. The document also discusses issues with using debuggers, emulators, and hypervisor introspection for dynamic analysis. It notes that complete stealth is not feasible and that halting and evasion problems cannot be fully solved.
This presentation "Threat hunting on the wire" is part of a a series of courses on the subject of Threat Hunting. It covers command-line packet analysis, and network forensics.
This document summarizes the history and development of the Xen virtualization project. It discusses how Xen addressed the issues with server sprawl and lack of isolation in early operating systems. It describes the benefits of server consolidation and manageability that virtualization provided. It also outlines the different approaches Xen took to virtualizing memory management and network interfaces to improve performance.
Buffer overflows are a major vulnerability that allow arbitrary code to be executed remotely by exploiting flaws in how software handles memory. They occur when a program lacks sufficient bounds checking on user input written to a buffer, allowing an attacker to overwrite adjacent memory and hijack the program flow. While techniques like data execution prevention and stack canaries provide some protection, buffer overflows remain a threat due to weaknesses in software testing and development practices. Careful coding through measures like code reviews is the best way to prevent buffer overflows.
From the current offensive and defensive technique arsenal, memory analysis applied to volatile memory is far from being the most explored channel. It is more likely to hear about input validation attacks or attacks against the protocol & cryptography while keys, passphrases, credit card numbers and other precious artifacts are kept unsafely in memory. This analysis arises as a mine waiting to be explored since it is sustained by one of the most vulnerable and unavoidable resource to systems, memory. From Java to Stuxnex, as well as Windows but without forgetting the Cloud, I will try to show some scenarios where these techniques can be applied, its impact as a threat and bring an important and fun subject not just to those who work in forensics but also to penetration testers as myself. Finally, I will also try to show how can this be used for defensive technologies as tools for monitoring and protection in networks with systems in production.
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...srisatish ambati
Top 10 Causes for Java Issues in Production and What to Do When Things Go Wrong
JavaOne 2010.
Abstract: It's Friday evening and you hear the first rumble . . . one Java node has become slightly unresponsive. You look up the process, get a thread dump, and for good measure restart it at 8 p.m. Saturday afternoon is when you realize that other nodes have caught the flu and you get the ugly call from the customer. In a matter of hours, you're on that conference bridge with support groups of different packages and Java vendors and one of your uberarchitects. Yes, production instances are up and down, and restarting like there's no tomorrow. Here's an accumulated compendium of the top 10 things that can cause Java production heartburn and what to do when your Java production is on fire. And yes, please have your tool belt on.
Speaker(s):
Cliff Click, Azul Systems, Distinguished Engineer
SriSatish Ambati, Azul Systems, Performance Engineer
Freeze Drying for Capturing Environment-Sensitive Malware AliveFFRI, Inc.
We propose a set of techniques for "freeze drying" malware and restoring the captured malware to enable live process migration. Our system can capture environment-sensitive malware in-process and run it in an environment other than the infected host.
Sophisticated malware, such as Citadel and ZeuS/GameOver, are armed with anti-analysis techniques to prevent running except on an infected host. These malwares detect the execution environment and do not engage in malicious behavior when the current host differs from the infected host.
We developed a malware capture system called Sweetspot that can capture malware in-process by using process live migration and mimicking the infected host's environment on the analyzer by means of system call proxies. In addition, Sweetspot can serve as a honeypot and provide dummy data when the malware requests sensitive information. In briefings, we will demonstrate freeze-drying and instant dynamic analysis of real malware.
Unmasking Careto through Memory Forensics (video in description)Andrew Case
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility
Video here: http://2014.video.sector.ca/video/110388398
Similar to Larson Macaulay apt_malware_past_present_future_out_of_band_techniques (20)
10. Out of band analysis
• Out of band analysis
– Perfect knowledge
– Attacker is unprepared
• Derive understanding from reverse engineering
– Feed back to tactical cleanup/more detection
• Leveraging virtual infrastructure to increase information assurance
– Existing approaches
• Agents
• Virus Scanning
• Whitelists
• A better way
11. Perfect knowledge
• To find an artifact
– Malware/Virus Scanning
– Manual analysis
– Incident day 0
• Finding more
– Collect telemetry
– Signature development
• Reverse engineering
12. Collecting Telemetry
• Useful for improving OODA loop
– more effective decision making during an in progress event
• Configurable
– System Center Operations Manager / “Agentless” Exception Monitoring
– Group Policy (XP/2K3)
– Registry CorporateWerServer
13. Signature based scanning
• Devise a set of unique artifacts from a known malware sample
– TimeDateStamp
– Unencrypted data
– Names of sections or exported Functions
– *wildcard*matching*
14. Heuristics
• A function that derives a score or other threshold to determine good vs. bad
– Entropy scanning
• Detects encrypted/compressed sections
• Attempt to compress a block to determine if it’s already compressed
– API Imports
• OpenProcess/WriteProcessMemory
• Hook use
• Low-level interfaces
15. Scanning Approaches
• Agents
– A background process which interacts with some management infrastructure
– Understands known malware through the use of signatures or behavioral heuristics monitoring
– Typically reports to management consoles
• Virus/Malware Scanning
– Similar to agent based techniques but in the foreground
• Agentless
– VM guest memory snapshots
– SCOM AEM
16. White lists
• Default deny
– Similar to how firewall rules are built
• Only allow known/approved services
• Tripwire uses this technique to guard against file-system persistence
– Off-line assurances
• Unable to definitively report for live systems
• Can we use this in memory?
18. Memory Analysis Options
• WinDbg/Olly/IDA
– Mostly Manual
• Volatility
– Scriptable
• BlockWatch / The Memory Cruncher
– Automated data reduction and navigation support
19. WinDbg
• Works on every version
• Invasive/non-invasive debugging
• Plugin/scriptable
• Essentially Basic Debugging interface “ContinueDebugEvent”
• User space anti-debugging is very complicated
– Ntdll!*breakpoint* can be tampered with (unable to attach)
– Starting a program does not break at first module instruction
• Break on other events
• Kernel debugger (kd) not as simple to use
– Network debugger can still use windbg
20. Generic Unpacking issues
• Encoding/Obfuscation
– Page decoding
• Non linear execution
– Exceptions (divide by zero)
– Other Process/Threads
– Debugging self
• Detecting a debugger, VM or other analysis tool
22. Signature development
• Yara
– Lots of support
• https://yaragenerator.com/
• http://www.deependresearch.org/2013/02/yara-resources.html
• ClamAV
– Less active, some support from SourceFire
• Custom Engine
23. Custom Engine
• Private implementation
– Leverage public tools but developed with information gained from incident
– May use a variety of analysis techniques
• Combine Yara/Clam/Hash/etc…
• “Perfect knowledge” of attacker
25. Performance
• Complicated generic scanning can be slow
• Regexes with overlapping sub-sections may take a long time to evaluate
– E.g. (.*A).*(.*A) -- or something similar can be a DoS
26. Windows hardening
• Windows XP does not memset(0) driver .text sections
– Random slack can be executed
– Updated 2k3+
• KINTERRUPT no longer has huge code templates/glue included as part of its structure
– KINTERRUPT.DispatchCode is now 4 bytes (and always just points to a registered handler in the module) instead of up to 106 bytes of arbitrary code
• Updated Vista+
• Page table entries secured
– Win8 no longer has executable page table entries
• Kernel 9200+ (8/2012) Kernel Pool (heap) is no longer default executable
– This is a MAJOR win!!!!!!
– No more huge degrees of unknown executable memory to inspect
27. Analyzing Windows Memory
• Rootkit can shadow/move itself during dumps
• Dumping memory from a live/physical system is problematic and has led to an interesting arms race:
– Using cold-boot attacks
– Purpose built dumping hardware or commodity FireWire type inputs
– Cause kernel panic to induce a dump
• Windows Kernel 9600 (Windows 8.1/2012R2)
– A snapshot from VMWare or Hyper-V
– We will ignore dump acquisition issues for now and focus on VM snapshots
28. X64 Kernel Virtual Address Space
http://www.codemachine.com/article_x64kvas.html
Start | End | Size | Description | Notes
FFFF0800`00000000 | FFFFF67F`FFFFFFFF | 238TB | Unused System Space | WIN9600 NOW USE & CAN CONTAIN +X AREAS
FFFFF680`00000000 | FFFFF6FF`FFFFFFFF | 512GB | PTE Space | -X used to be executable Win7
FFFFF700`00000000 | FFFFF77F`FFFFFFFF | 512GB | HyperSpace | 8.1 seems to have cleaned up here, 9200 had 1 +X page
FFFFF780`00000000 | FFFFF780`00000FFF | 4K | Shared System Page |
FFFFF780`00001000 | FFFFF7FF`FFFFFFFF | 512GB-4K | System Cache Working Set |
FFFFF800`00000000 | FFFFF87F`FFFFFFFF | 512GB | Initial Loader Mappings | Large Page (2MB) allocations
FFFFF880`00000000 | FFFFF89F`FFFFFFFF | 128GB | Sys PTEs |
FFFFF8a0`00000000 | FFFFF8bF`FFFFFFFF | 128GB | Paged Pool Area |
FFFFF900`00000000 | FFFFF97F`FFFFFFFF | 512GB | Session Space |
FFFFF980`00000000 | FFFFFa70`FFFFFFFF | 1TB | Dynamic Kernel VA Space |
FFFFFa80`00000000 | *nt!MmNonPagedPoolStart-1 | 6TB Max | PFN Database |
*nt!MmNonPagedPoolStart | *nt!MmNonPagedPoolEnd | 512GB Max | Non-Paged Pool | DEFAULT NO EXECUTE
FFFFFFFF`FFc00000 | FFFFFFFF`FFFFFFFF | 4MB | HAL and Loader Mappings |
29. Page Table Shellcode weird-machine
• Win7 and earlier
– Can we emit intended shellcode into PTE area?
• Perform some VirtualAlloc from user space => executable memory in kernel
– Just reserving memory writes PTE
• Page Table shell-code is non-trivial
– Lots of gadgets!
fffff6fb`7e201ea0 63 b8 c3 2d 00 00 00 00 63 a8 13 2f 00 00 00 00 c..-....c../....
fffff6fb`7e201eb0 63 98 e3 2d 00 00 00 00 63 88 13 2f 00 00 00 00 c..-....c../....
fffff6fb`7e201ec0 63 78 63 30 00 00 00 00 63 68 d3 2e 00 00 00 00 cxc0....ch......
fffff6fb`7e201ed0 63 58 53 30 00 00 00 00 63 48 a3 2e 00 00 00 00 cXS0....cH......
fffff6fb`7e201ee0 63 38 c3 2e 00 00 00 00 63 28 83 2e 00 00 00 00 c8......c(......
PXE at FFFFF6FB7DBEDF68 PPE at FFFFF6FB7DBEDF88 PDE at FFFFF6FB7DBF1008 PTE at FFFFF6FB7E201EA0
contains 0000000000187063 contains 0000000134C04863 contains 0000000100512863 contains 000000002DC3B863
pfn 187 ---DA--KWEV pfn 134c04 ---DA--KWEV pfn 100512 ---DA--KWEV pfn 2dc3b ---DA--KWEV
30. Defense: Rootkit revealing
• Default non-execute pool space helps tremendously
• Detect the presence of a rootkit by comparing results from multiple sources/abstraction layers
– Physical (page tables)
– Logical
• Driver LIST_ENTRY
• VAD
– SECTION’s, …
31. Tool evaluation
• https://blockwatch.ioactive.com
– Operates on direct physical memory dumps from VM snapshots
– Demo script that identifies KVAS physical/logical sections
– Transforms/Dumps memory / Generates hashes
– Install IronPython
• Example, from Crunch install directory
ipy64 UnLinkedRR.py C:\BW_Folder VMWare.VMSS.or.VMSD d:\dest-folder
• Future
– More well known blocks (local optimization)?
• There’s some weird looking fill patterns often sitting around as exec;
• More page table checks, CR0.WP etc…
32. Example VMWare ~8GB
BlockWatch Folder: t:\BW_DEMO
Dumping data from : Clone of Clone of Current Win 8.1 - PRO (2)-66bb942e.vmss
Found probable kernel @ fffff800b508c000
Debug symbol being loaded for ntkrnlmp.pdb
Kernel build number 9600
Root PT Entries: 16, SubTable Entries: 778263
Unlinked entry count: 1544
UnLinked Section: System Space @: 0xffffd00020180000L, Size: 0x1000L
UnLinked Section: Loader Mappings @: 0xfffff800021d0000L, Size: 0x1000L
UnLinked Section: HAL and Loader Mappings @: 0xffffffffffd02000L, Size: 0x1000L
UnLinked Section: hal @: 0xfffff800b5000000L, Size: 0x200000L
UnLinked Section: Loader Mappings @: 0xfffff800b5800000L, Size: 0x200000L
33. …moving on; Attack! To the Unknown!
kd> !pte ffffd000`201a0000
VA ffffd000201a0000
PXE at FFFFF6FB7DBEDD00 PPE at FFFFF6FB7DBA0000 PDE at FFFFF6FB74000800 PTE at FFFFF6E800100D00
contains 0000000000523863 contains 0000000000522863 contains 0000000000527863 contains 0000000000555963
pfn 523 ---DA--KWEV pfn 522 ---DA--KWEV pfn 527 ---DA--KWEV pfn 555 -G-DA--KWEV
• ffffd000201a0000 appears across Hyper-V & VMWare, reboots
– Provides RoP gadgets
– Fixed writeable executable memory location
• Writable/Executable at a fixed address
!pool ffffd000`201a0000
Pool page ffffd000201a0000 region is Unknown
ffffd000201a0000 is not a valid large pool allocation, checking large session pool...
Unable to read large session pool table (Session data is not present in mini and kernel-only dumps)
ffffd000201a0000 is not valid pool. Checking for freed (or corrupt) pool
34. Can you guess what it is?
• ??
• Segoe_slboot.ttf
– Starts at offset 0x1d0
– Initial bytes some sort of heap tag ? BG*
– System boot/load time artifact
ffffd000`201a0000 21 01 a0 00 00 00 00 80 42 47 49 4b 00 00 00 80 !.......BGIK....
ffffd000`201a01d0 00 19 00 23 00 01 2e 4c 00 00 00 10 67 6c 79 66 ...#...L....glyf
ffffd000`201b2fb0 00 6e 00 74 00 65 00 6e 00 74 00 2e 00 53 00 65 .n.t.e.n.t...S.e
ffffd000`201b2fc0 00 67 00 6f 00 65 00 20 00 55 00 49 00 03 00 00 .g.o.e. .U.I....
35. A little more (past end of font)
ffffd000`201b3000 ffffd000201b3020 0000000100002000 ffffd000201b3020 8000000000300121
…
ffffd000`201b3020 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
ffffd000`201b3070 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f is program canno
…
ffffd000`201b46b2 49 00 6e 00 74 00 65 00 72 00 6e 00 61 00 6c 00 4e 00 61 00 I.n.t.e.r.n.a.l.N.a.
ffffd000`201b46c6 6d 00 65 00 00 00 62 00 6f 00 6f 00 74 00 72 00 65 00 73 00 m.e...b.o.o.t.r.e.s.
• Seems to have some basic heap structure pointers/allocation sizes
– Unfortunately it’s all default executable/writable at a fixed address across systems/rebooting
• This leaves a lot of room for RoP gadgets (MZ is only .rsrc, why +x?)
36. BIOS Ranges
• Platform specific (vmware in this case)
– 2012R2 0xffffd00020500000, 8.1 0xffffd00020600000
– Fixed address across reboots (size is 241,664 - 0x3B000)
– Physical system dumps
ffffd000`206c5a50 c3 32 2e 30 00 56 4d 77 61 72 65 20 76 69 72 74 .2.0.VMware virt
ffffd000`206c5a60 75 61 6c 20 6d 61 63 68 69 6e 65 00 56 4d 77 61 ual machine.VMwa
ffffd000`206c5a70 72 65 2c 20 49 6e 63 00 56 20 4d 20 77 61 72 65 re, Inc.V M ware
ffffd000`206c5a80 2c 20 49 6e 63 2e 20 56 42 45 20 73 75 70 70 6f , Inc. VBE suppo
ffffd000`206c5a90 72 74 20 32 2e 30 00 90 c8 02 00 00 c4 5e 04 33 rt 2.0.......^.3
3: kd> !pte ffffd000`206c5a50
VA ffffd000206c5a50
PXE at FFFFF6FB7DBEDD00 PPE at FFFFF6FB7DBA0000 PDE at FFFFF6FB74000818 PTE at FFFFF6E800103628
contains 0000000000B22863 contains 0000000000B21863 contains 0000000000852863 contains 00000000000C5963
pfn b22 ---DA--KWEV pfn b21 ---DA--KWEV pfn 852 ---DA--KWEV pfn c5 -G-DA--KWEV
37. Other/More dynamic/Misc Areas
• Slack
• Audit MDL structures
• Session Space
• ACPI FACS -- exec
– Firmware ACPI Control Structure
– Verify ACPI with white list
• Shim Engine (i.e. handling for drvmain.sdb)
• Bootloader artifacts
• Volume manager heap
0: kd> !pool ffffe00000420000
Pool page ffffe00000420000 region is Nonpaged pool
*ffffe00000420000 size: 90 previous size: 0 (Allocated) *VM3D
Pooltag VM3D : Volume Manager, Binary : volmgr.sys
0: kd> !pool ffffe000`00418000
Pool page ffffe00000418000 region is Nonpaged pool
*ffffe00000418000 size: 90 previous size: 0 (Allocated) *VM3D
Pooltag VM3D : Volume Manager, Binary : volmgr.sys
38. Other Gadget Areas
• There are other +X areas in the region, but they have small variability in their allocation
• Windows Boot Manager, network boot support code, more font areas
39. Defense: RoP Detection
• Spurious Saved Return Addresses
– Sometimes a RoP gadget is just random data present in an executable section!!!
– All existing RoP databases or techniques target arbitrary saved return addresses
• https://www.corelan.be/index.php/security/corelan-ropdb/#advapi32dll_8211_5126005755
– 0x77e25c1f, # POP EAX # RETN
– Saved Return should be
• Simple/Effective/Very reliable reducing gadget surface area
40. Spurious Saved Return Addresses
Validation
• Conceptually similar to heap back-checking logical links, except we walk the stack
– Think Heap/Pool verification
– Verify op-code preceding saved return address
– Adding into BlockWatch
• Our operation is static so performance is no big deal and we like to be current!
– Some performance impact if implemented at run time
– May not reduce the gadget surface area sufficiently
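The "verify op-code preceding saved return address" step, worked through as an added example (not BlockWatch's own code): for each stack slot that points into an executable mapping, check whether the bytes just before it decode as an x86-64 CALL; a slot that does not is a spurious saved return. The code region, its base address and the stack contents are constructed for the demo.

```python
"""Spurious saved-return-address check for x86-64 (added example)."""

def _modrm_len(modrm: int, sib: int) -> int:
    """Bytes used by ModRM (+ SIB / displacement) in 64-bit mode."""
    mod, rm = modrm >> 6, modrm & 7
    if mod == 3:
        return 1
    n = 1
    if rm == 4:                       # SIB byte follows
        n += 1
        if mod == 0 and (sib & 7) == 5:
            n += 4                    # SIB with no base -> disp32
    elif mod == 0 and rm == 5:
        n += 4                        # RIP-relative disp32
    n += {1: 1, 2: 4}.get(mod, 0)     # disp8 / disp32
    return n

def call_len_before(code: bytes, off: int) -> int:
    """Length of a CALL encoding that ends exactly at `off`, or 0 if none."""
    if off >= 5 and code[off - 5] == 0xE8:           # call rel32
        return 5
    for start in range(max(off - 8, 0), off - 1):   # FF /2 forms, optional REX
        p = start + 1 if 0x40 <= code[start] <= 0x4F else start
        if p + 1 >= off or code[p] != 0xFF or (code[p + 1] >> 3) & 7 != 2:
            continue
        sib = code[p + 2] if p + 2 < off else 0
        if p + 1 + _modrm_len(code[p + 1], sib) == off:
            return off - start
    return 0

def classify_return(code: bytes, base: int, addr: int) -> str:
    """'valid' if a CALL precedes addr, 'spurious' if not, else 'outside-code'."""
    off = addr - base
    if not 0 <= off < len(code):
        return "outside-code"
    return "valid" if call_len_before(code, off) else "spurious"

def scan_stack(stack: list, code: bytes, base: int) -> dict:
    """Walk saved-return candidates from a stack and classify each one."""
    return {hex(a): classify_return(code, base, a) for a in stack}

# Constructed executable region (assumed base 0x1000), not from a real image:
#   0x1000 sub rsp,0x20 | 0x1004 call +0xb | 0x1009 add rsp,0x20 | 0x100d ret
#   0x100e call [rip+0x1000] | 0x1014 nop | 0x1015 pop rax | 0x1016 ret
CODE_BASE = 0x1000
CODE = bytes.fromhex("4883ec20" "e80b000000" "4883c420" "c3"
                     "ff1500100000" "90" "58" "c3")
STACK = [0x1009, 0x1014, 0x1015, 0x2000]   # constructed stack slots

if __name__ == "__main__":
    for slot, verdict in scan_stack(STACK, CODE, CODE_BASE).items():
        print(slot, verdict)
```

The slot 0x1015 points at a `pop rax; ret` gadget: it lies in the executable region but no CALL ends there, so the walk flags it; the two real return sites (after `call rel32` and after `call [rip+disp32]`) pass.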
41. Comprehensive verification
• Forensics
– Reduction / Analysis aid
• APT Detection
– Diffing
– White list
• Blockwatch.ioactive.com
– Signup & use
– Less unknowns, more secure
42. BlockWatch Service
• Largest Hash Database on the planet
– 300+Million entries in the white list
– High coverage of Windows OSes and server software
• Run with local white list definition