Attack on the Core

P
Peter Hlavaty
Attack on the Core! @zer0mem
#whoami - Peter Hlavaty (@zer0mem) [ KEEN TEAM ]  Background  @K33nTeam  Previously ~4 years in ESET  Contact  twitter : @zer0mem  weibo : weibo.com/u/5238732594  blog : http://zer0mem.sk  src : https://github.com/zer0mem
outline ATTACKER ▪ KernelIo tech ▪ Vulnerability cases ▪ Design features (flaws) ▪ State of targets / security DEVELOPER ▪ Point of view ▪ Goal ▪ Environment ▪ C++! no more shellcoding!
Part 1 -> KernelIo tech
Privileged cpl3 != cpl0 [NtQuerySystemInformation] • NtQueryInformation from win8.1 requires elevated privileges • Still callable from user mode • Driver Signing Enforcement does not like installing drivers even from privileged ones … • Privileged are enpowered with good eye sight, kernel leakage
Read & Write boosting [windows] • write-where vuln • what => should be above read / write target • Pool address can be sufficient
Read & Write boosting [windows]
 KPP is not here to punish attackers  leak & write-where- (semi)what  patch & use & patch back  turned into full KernelIo  ReadFile alternative just with nt!MmUserProbeAddress Read & Write boosting http://haxpo.nl/wp-content/uploads/2014/01/ D1T2-Bypassing-Endpoint-Security-for-Fun-and-Profit.pdf [windows] https://www.dropbox.com/sh/bkfajegn2mn35ng/AABm_RyD4x9VLzYjI9n9Dl2Wa?dl=0
Read & Write boosting [linux / droids] • leak & write-where vuln • what => should be above read / write target • nullptr / pool address can be sufficient http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/
[linux / droids]  PXN UDEREF handle it  PXN not in default build of linux  On droids ? XD  turned into full KernelIo Read & Write boosting http://vulnfactory.org/research/stackjacking-infiltrate11.pdf
Why KernelIo ? ▪ abstraction behind virtual address ▪ what is SMAP / SMEP about ?
MMU straigforward idea [PoC by MWR Labs] 1. choose address X with isolated page tables 1. To be sure write-where does not hit other used memory 2. mmap (X) 3. Patch S/U bits (write-where) 4. S/U bits need to patch per PXE ! 1. self ref, can help  5. cpl0 memcpy (X, shellcode) 6. Pwn (SMEP, SMAP out of the game) https://labs.mwrinfosecurity.com/blog/2014/08/15/windows-8-kernel-memory-protections-bypass/ http://fluxius.handgrep.se/2011/10/20/the-art-of-elf-analysises-and-exploitations/
Symbolic cpl0 – cpl3 separators “ The ProbeForRead routine checks that a user-mode buffer actually resides in the user portion of the address space, and is correctly aligned. “  Ok, what about aliasing ?!  and about ret2dir approach ?  https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kemerlis
KERNEL- FAIL – SAFE – CHECKS  copy_to/from_user  ProbeForRead/Write  Checking just symbolic values  not cover aliasing…
Part 2 -> cases
Out of Boundary 1. Trivial to exploit 2. Generic implementation 3. write/read – where 4. NO -SMAP 5. but sometimes PXN
Out of Boundary  what if SMAP enabled ?  Is over ?  Read – no problem, just do not try to read from usermode   Write – you have to know where to write – relative positioned structs
kmalloc under/overflow 1. under/overflowed kmalloc 2. copy_to/from_user 3. search_exception_table for frv, but idea same 4. force copy_to/from_user fail 5. Copied just controlled bytes even in under/overflow situation!
KASLR • From win8.1 NtQuerySystemInfo is just for privileged user • /proc/kallsyms same, just for privileged ones • Need to info-leak • Read-where vuln • Abusing weak or old mechanism
KASLR  PageTable concept is old  That time no hardering needed  Crucial for performance  Timing attacks, PageFault measuring, seems doable, see recent research  A lot of static PHYSICAL addresses, KASLR weakened  MMU mechanism attacks target of recent research, and it works … http://felinemenace.org/~nemo/docs/TR-HGI-2013-001-real.pdf http://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/
Part 3 -> design features (flaws)
Linked lists • nt!_list_entry / list_head • Lazy list entry assertions • Proper design ? • Manipulating next / prev outside of API ? • Hardening ? • Common member • Intrusive containers • Redirect list • pool leak && write-where • Own content && abussing algo ? http://www.k33nteam.org/blog.htm (nt!list_entry)
Kernel hidden pointers plenty of c++ alike vtables callbacks ops context func Interesting design features typecast instead of inheritance Plenty data pointers No integrity checks Plenty data structs Sensitive trusted context No hardening Plain pointers http://www.nosuchcon.org/talks/2013/ D3_02_Nikita_Exploiting_Hardcore_Pool_Corruptions_in_Microsoft_Windows_Kernel.pdf
Kernel ops by design • Callback mechanism • open / write / read … • If not implemented NULLPTR • If not implemented no call performed 1. nullptr write vuln 2. null some operation 3. Abuse scoped resource handling logic 4. pwn
Attack on the Core
Part 4 -> state of exploitation
before win8.1 POOL HARDENING SMEP SMAP PLAIN PTRS “KASLR” NtQuerySysInfo even kids … … do pwn
Era of Windows 8.1, earlier and current linux POOL HARDENING SMEP SMAP PLAIN PTRS KASLR  Cool, seems more hardening  More software security features  Access control improved  UEFI  Finally! More hardware features goes implemented SMEP/SMAP, …  SMAP still waiting in some cases ….  Exploiting coming finally challenging! BUT still kernel not hardened enough
Future of OS ? POOL HARDENING SMEP SMAP HARDENED PTRS KASLR Hardware features implemented  Strong complex access control policy Well randomized kernel space  Kicked off obsolete designs Well designed core No plain pointers Data integrity checks
Rebirth to K E R N E L Developing begins
CHANGING DIRECTION [everything is just point of view] Until now you were ATTACKER • NO MATTER HOW, but get EXEC! • hooks, patching, non-safe walkers, etc. Now you are DEVELOPER ! • Pretend to be one of them • Now you deal with KPP and others mitigations
Kernel windows DEVELOPER view ▪ In kernel, but some obstacles reminds : ▪ PsSet * Routine, ObRegisterCallbacks, etc. – Callback integrity validation! ▪ IoAttachDeviceToDeviceStack, IoQueueWorkItem – DEVICE_OBJECT* needed (own is preferable)
Kernel DEVELOPing begins [DRIVER/DEVICE_object*] ▪ Kernel loader method, or : ▪ Create your own! – IoCreateDevice – _OBJECT_HEADER + DRIVER_OBJECT
Kernel monitoring [device attaching] ▪ Attach to driver ▪ Filter : – Network communication – File system communication – …
Kernel monitoring [legacy] ▪ File System Filter Driver ▪ FAST_IO_DISPATCH – Register dropped files – Access to files – … ▪ Also minifilters are option
Kernel monitoring [IoCompletion] ▪ IoCompletion – Monitor ALPC – Used by resolving host, etc. etc. – Remote process communication – Per process
Linux, everything is a file 1. Kernel ops 2. Find in which one you are interesting in 3. Register to chain 4. cdev_add ( register_chrdev )
SELinux, SEAndroid, ACL  Kernel escape  Natural bypass  Feature : 1. Developing superuser deamon 2. does not rely on special syscalls 3. Normal application development, api … 4. Separation of responsibilities 5. Kernel – bypass policy checks 6. Daemon – provide boosted functionality to user
C++ come on … why shellcoding or pure c ?
Exploitation means developming! ▪ C++ is about compiler & you skills ▪ You think you can wrote better shellcode than compiler ?  ▪ You can code really close to assembly level – when you know your compiler ▪ c++ well maintainable, scalable, modulable ▪ Design patterns ▪ Complex frameworks http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html https://github.com/mattifestation/PIC_Bindshell (Window Shellcode in C)
Exploiting is development! ▪ Before you can write PoC for exploits as easy as hello world ▪ Things getting complex ▪ Now with same style you can end up with unreadable master piece ▪ Next time you have good time to rewriting lot of the same logic ▪ And at the end you end up with black-boxes chained together with black-magic, somehow working ▪ Something will change … start fixing black-box
Exploitation framework can be powerfull ▪ UserCode in kernel allowed! – Kernel code hidden inside binary – Fully c++ driver! ▪ Mixing User & Kernel code – just avoid direct linking imported kernel functions! – Also avoid to mixing um & km headers together in compile time ;) – Compile standalone kernel code as .lib – link kernel code .lib to exploit .exe
KERNEL as exploitation VECTOR 1. Copy whole PE to RWE kernel page  ExAllocatePool(NonPagedPoolExecute,SizeOfImage); 2. 3. Fix Rellocations 4. resolve kernel part of Import table Ready for exec with CPL0! CPL Teleport
Raise of C++, no more shellcoding! 1. Mixing user & kernel code 2. no imports 3. c++ 4. relocations 5. Dynamic loader
Raise of C++, no more shellcoding! 1. c++ kernel code 2. Compiled with user mode code 3. No Imports, but does not impact code
C++ ‘shellcoding’ framework ▪ no import table ▪ no need to handle imports by your own ▪ .py scripts set up all imports ▪ no need to code position independent code ▪ fixups resolved by loader ▪ C++ (partially also std & boost) supported ▪ no need to ship kernel code as resource, or shellcode ▪ no need to special coding style to kernel module, classical developing ▪ All features (c++, imports, fixups..) applies to kernel code as well http://www.zer0mem.sk/?p=517 http://www.hollistech.com/Resources/Cpp/kernel_c_runtime_library.htm http://www.codeproject.com/Articles/22801/Drivers-Exceptions-and-C
C++ ‘shellcoding’ framework https://github.com/k33nteam/cc-shellcoding releasing very soon @K33nTeam
materials (not listed in slides before) – http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial – www.bitnuts.de/KernelBasedMonitoring.pdf – https://projects.honeynet.org/svn/capture-hpc/capture-hpc/tags/2.5/capture-client/ KernelDrivers/CaptureKernelDrivers/FileMonitor/CaptureFileMonitor.c – http://www.osronline.com/article.cfm?article=199
Acknowledge Thanks to : jfang liac rafal wojtczuk wushi nforest NTarakanov j00ru aionescu cesarcer dan rosenberg krzywix maxim
We are hiring! ▪ #1 vulnerability research team in China – http://www.k33nteam.org/cvelist.htm – pwn2own ▪ Enjoying research ? – Mobile (Android, iOS, WP) – PC (Windows, OS X, Chrome OS, etc.) ▪ Willing to move to Shanghai ? – Beijing ? ▪ Want to join our team ? – Application security – Kernel security hr (at) keencloudtech.com
2014 - $500,000 2015 - $???????? Pick a device, name your own challenge!
follow us @K33nTeam Thank You. Q & A peter (at) keencloudtech.com
1 of 52

Attack on the Core

Download to read offline
Education

Kernel vulnerabilities was commonly used to obtain admin privileges, and main rule was to stay in kernel as small time as possible! But nowdays even when you get admin / root then current operating systems are sometimes too restrictive. And that made kernel exploitation nice vector for installing to kernel mode! In this talk we will examine steps from CPL3 to CPL0, including some nice tricks, and we end up with developing kernel mode drivers.

P
Peter Hlavaty

Recommended

Back to the CORE by
Back to the COREBack to the CORE
Back to the COREPeter Hlavaty
6.6K views42 slides
Ice Age melting down: Intel features considered usefull! by
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty
599 views64 slides
Power of linked list by
Power of linked listPower of linked list
Power of linked listPeter Hlavaty
1.9K views52 slides
Vulnerability desing patterns by
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty
4.6K views31 slides
Racing with Droids by
Racing with DroidsRacing with Droids
Racing with DroidsPeter Hlavaty
3.5K views46 slides
You didnt see it’s coming? "Dawn of hardened Windows Kernel" by
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
9.4K views62 slides

More Related Content

What's hot

Rainbow Over the Windows: More Colors Than You Could Expect by
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
5.7K views52 slides
When is something overflowing by
When is something overflowingWhen is something overflowing
When is something overflowingPeter Hlavaty
6.3K views37 slides
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes by
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
31.1K views50 slides
Hacking - high school intro by
Hacking - high school introHacking - high school intro
Hacking - high school introPeter Hlavaty
1.3K views31 slides
How Safe is your Link ? by
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
1.2K views37 slides
Security research over Windows #defcon china by
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon chinaPeter Hlavaty
375 views33 slides

What's hot(20)

Rainbow Over the Windows: More Colors Than You Could Expect by Peter Hlavaty
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
Peter Hlavaty5.7K views
When is something overflowing by Peter Hlavaty
When is something overflowingWhen is something overflowing
When is something overflowing
Peter Hlavaty6.3K views
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes by Peter Hlavaty
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty31.1K views
Hacking - high school intro by Peter Hlavaty
Hacking - high school introHacking - high school intro
Hacking - high school intro
Peter Hlavaty1.3K views
How Safe is your Link ? by Peter Hlavaty
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
Peter Hlavaty1.2K views
Security research over Windows #defcon china by Peter Hlavaty
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
Peter Hlavaty375 views
Steelcon 2014 - Process Injection with Python by infodox
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
infodox8.8K views
Memory Corruption: from sandbox to SMM by Positive Hack Days
Memory Corruption: from sandbox to SMMMemory Corruption: from sandbox to SMM
Memory Corruption: from sandbox to SMM
Positive Hack Days4.7K views
One Shellcode to Rule Them All: Cross-Platform Exploitation by Quinn Wilton
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
Quinn Wilton5.2K views
Packers by Ange Albertini
PackersPackers
Packers
Ange Albertini1.1K views
Process injection - Malware style by Sander Demeester
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
Sander Demeester9.4K views
Software Security : From school to reality and back! by Peter Hlavaty
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!
Peter Hlavaty1.6K views
Software to the slaughter by Quinn Wilton
Software to the slaughterSoftware to the slaughter
Software to the slaughter
Quinn Wilton1K views
Practical Windows Kernel Exploitation by zeroSteiner
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner2K views
Injection on Steroids: Codeless code injection and 0-day techniques by enSilo
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo29.6K views
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core by NoSuchCon
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon844 views
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by... by CODE BLUE
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE824 views
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root... by Liang Chen
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Us 16-subverting apple-graphics_practical_approaches_to_remotely_gaining_root...
Liang Chen2.5K views
BSides Hannover 2015 - Shell on Wheels by infodox
BSides Hannover 2015 - Shell on WheelsBSides Hannover 2015 - Shell on Wheels
BSides Hannover 2015 - Shell on Wheels
infodox2.4K views
Low Level Exploits by hughpearse
Low Level ExploitsLow Level Exploits
Low Level Exploits
hughpearse1.5K views

Viewers also liked

How to Root 10 Million Phones with One Exploit by
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitJiahong Fang
14.6K views34 slides
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi by
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco GrassiShakacon
1.6K views56 slides
Digging for Android Kernel Bugs by
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel BugsJiahong Fang
4.6K views33 slides
Designing and Attacking DRM (RSA 2008) by
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)Nate Lawson
3.5K views28 slides
Find your own iOS kernel bug by
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bugGustavo Martinez
12.9K views74 slides
(130216) #fitalk potentially malicious ur ls by
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur lsINSIGHT FORENSIC
405 views44 slides

Viewers also liked(20)

How to Root 10 Million Phones with One Exploit by Jiahong Fang
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One Exploit
Jiahong Fang14.6K views
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi by Shakacon
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
Shakacon1.6K views
Digging for Android Kernel Bugs by Jiahong Fang
Digging for Android Kernel BugsDigging for Android Kernel Bugs
Digging for Android Kernel Bugs
Jiahong Fang4.6K views
Designing and Attacking DRM (RSA 2008) by Nate Lawson
Designing and Attacking DRM (RSA 2008)Designing and Attacking DRM (RSA 2008)
Designing and Attacking DRM (RSA 2008)
Nate Lawson3.5K views
Find your own iOS kernel bug by Gustavo Martinez
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bug
Gustavo Martinez12.9K views
(130216) #fitalk potentially malicious ur ls by INSIGHT FORENSIC
(130216) #fitalk potentially malicious ur ls(130216) #fitalk potentially malicious ur ls
(130216) #fitalk potentially malicious ur ls
INSIGHT FORENSIC405 views
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing... by frank2
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
Binary Obfuscation from the Top Down: Obfuscation Executables without Writing...
frank22K views
Applying Anti-Reversing Techniques to Machine Code by Teodoro Cipresso
Applying Anti-Reversing Techniques to Machine CodeApplying Anti-Reversing Techniques to Machine Code
Applying Anti-Reversing Techniques to Machine Code
Teodoro Cipresso1.1K views
Desofuscando um webshell em php h2hc Ed.9 by Ricardo L0gan
Desofuscando um webshell em php h2hc Ed.9Desofuscando um webshell em php h2hc Ed.9
Desofuscando um webshell em php h2hc Ed.9
Ricardo L0gan547 views
Intrusion detection and prevention by Nicholas Davis
Intrusion detection and preventionIntrusion detection and prevention
Intrusion detection and prevention
Nicholas Davis1.3K views
Spo2 t19 spo2-t19 by SelectedPresentations
Spo2 t19 spo2-t19Spo2 t19 spo2-t19
Spo2 t19 spo2-t19
SelectedPresentations403 views
Generic attack detection engine by Vikrant Kansal
Generic attack detection engineGeneric attack detection engine
Generic attack detection engine
Vikrant Kansal382 views
Applciation footprinting, discovery and enumeration by Blueinfy Solutions
Applciation footprinting, discovery and enumerationApplciation footprinting, discovery and enumeration
Applciation footprinting, discovery and enumeration
Blueinfy Solutions2.4K views
Obfuscation, Golfing and Secret Operators in Perl by José Castro
Obfuscation, Golfing and Secret Operators in PerlObfuscation, Golfing and Secret Operators in Perl
Obfuscation, Golfing and Secret Operators in Perl
José Castro2.9K views
EvasionTechniques by Candan BOLUKBAS
EvasionTechniquesEvasionTechniques
EvasionTechniques
Candan BOLUKBAS948 views
CSIRT_16_Jun by Candan BOLUKBAS
CSIRT_16_JunCSIRT_16_Jun
CSIRT_16_Jun
Candan BOLUKBAS1.4K views
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements by Stefan Esser
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsRuxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and Entitlements
Stefan Esser29.5K views
TakeDownCon Rocket City: WebShells by Adrian Crenshaw by EC-Council
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
EC-Council13.4K views
Vijay Amarnath - Updated by Vijay Amarnath
Vijay Amarnath - UpdatedVijay Amarnath - Updated
Vijay Amarnath - Updated
Vijay Amarnath251 views
Targeting the iOS kernel by Seguridad Apple
Targeting the iOS kernelTargeting the iOS kernel
Targeting the iOS kernel
Seguridad Apple10.6K views

Similar to Attack on the Core

Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn by
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn ContainerDay Security 2023
22 views25 slides
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques by
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
1.6K views45 slides
Talk 160920 @ Cat System Workshop by
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopQuey-Liang Kao
297 views52 slides
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi... by
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
471 views62 slides
The Future of Security and Productivity in Our Newly Remote World by
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
208 views95 slides
Network Stack in Userspace (NUSE) by
Network Stack in Userspace (NUSE)Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Hajime Tazaki
6.7K views27 slides

Similar to Attack on the Core(20)

Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn by ContainerDay Security 2023
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
Container Security - Let's see Falco and Sysdig in Action by Stefan Trimborn
ContainerDay Security 2023 22 views
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques by Scott K. Larson
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson1.6K views
Talk 160920 @ Cat System Workshop by Quey-Liang Kao
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System Workshop
Quey-Liang Kao297 views
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi... by Hackito Ergo Sum
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum471 views
The Future of Security and Productivity in Our Newly Remote World by DevOps.com
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
DevOps.com208 views
Network Stack in Userspace (NUSE) by Hajime Tazaki
Network Stack in Userspace (NUSE)Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)
Hajime Tazaki6.7K views
Metasploit & Windows Kernel Exploitation by zeroSteiner
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
zeroSteiner4.3K views
Vulnerability, exploit to metasploit by Tiago Henriques
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
Tiago Henriques2.6K views
Application Profiling for Memory and Performance by pradeepfn
Application Profiling for Memory and PerformanceApplication Profiling for Memory and Performance
Application Profiling for Memory and Performance
pradeepfn1.7K views
Dockers zero to hero by Nicolas De Loof
Dockers zero to heroDockers zero to hero
Dockers zero to hero
Nicolas De Loof3.1K views
Hacktivity2014: Virtual Machine Introspection to Detect and Protect by Tamas K Lengyel
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectHacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and Protect
Tamas K Lengyel2.6K views
What Linux can learn from Solaris performance and vice-versa by Brendan Gregg
What Linux can learn from Solaris performance and vice-versaWhat Linux can learn from Solaris performance and vice-versa
What Linux can learn from Solaris performance and vice-versa
Brendan Gregg319.5K views
Application Profiling for Memory and Performance by WSO2
Application Profiling for Memory and PerformanceApplication Profiling for Memory and Performance
Application Profiling for Memory and Performance
WSO21.5K views
OffensiveCon2022: Case Studies of Fuzzing with Xen by Tamas K Lengyel
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
Tamas K Lengyel1.6K views
Fuzzing_with_Xen.pdf by distortdistort
Fuzzing_with_Xen.pdfFuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdf
distortdistort4 views
StorageOS, Storage for Containers Shouldn't Be Annoying at Container Camp UK by StorageOS
StorageOS, Storage for Containers Shouldn't Be Annoying at Container Camp UKStorageOS, Storage for Containers Shouldn't Be Annoying at Container Camp UK
StorageOS, Storage for Containers Shouldn't Be Annoying at Container Camp UK
StorageOS499 views
Linux kernel-rootkit-dev - Wonokaerun by idsecconf
Linux kernel-rootkit-dev - WonokaerunLinux kernel-rootkit-dev - Wonokaerun
Linux kernel-rootkit-dev - Wonokaerun
idsecconf2.6K views
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke... by Priyanka Aash
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
Priyanka Aash351 views
OSDC 2017 | Linux Performance Profiling and Monitoring by Werner Fischer by NETWAYS
OSDC 2017 | Linux Performance Profiling and Monitoring by Werner FischerOSDC 2017 | Linux Performance Profiling and Monitoring by Werner Fischer
OSDC 2017 | Linux Performance Profiling and Monitoring by Werner Fischer
NETWAYS27 views
OSDC 2017 | Open POWER for the data center by Werner Fischer by NETWAYS
OSDC 2017 | Open POWER for the data center by Werner FischerOSDC 2017 | Open POWER for the data center by Werner Fischer
OSDC 2017 | Open POWER for the data center by Werner Fischer
NETWAYS30 views

Recently uploaded

AI Tools for Business and Startups by
AI Tools for Business and StartupsAI Tools for Business and Startups
AI Tools for Business and StartupsSvetlin Nakov
107 views39 slides
MIXING OF PHARMACEUTICALS.pptx by
MIXING OF PHARMACEUTICALS.pptxMIXING OF PHARMACEUTICALS.pptx
MIXING OF PHARMACEUTICALS.pptxAnupkumar Sharma
77 views35 slides
Computer Introduction-Lecture06 by
Computer Introduction-Lecture06Computer Introduction-Lecture06
Computer Introduction-Lecture06Dr. Mazin Mohamed alkathiri
89 views12 slides
CWP_23995_2013_17_11_2023_FINAL_ORDER.pdf by
CWP_23995_2013_17_11_2023_FINAL_ORDER.pdfCWP_23995_2013_17_11_2023_FINAL_ORDER.pdf
CWP_23995_2013_17_11_2023_FINAL_ORDER.pdfSukhwinderSingh895865
527 views6 slides
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively by
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyPECB
585 views18 slides
MercerJesse2.1Doc.pdf by
MercerJesse2.1Doc.pdfMercerJesse2.1Doc.pdf
MercerJesse2.1Doc.pdfjessemercerail
169 views5 slides

Recently uploaded(20)

AI Tools for Business and Startups by Svetlin Nakov
AI Tools for Business and StartupsAI Tools for Business and Startups
AI Tools for Business and Startups
Svetlin Nakov107 views
MIXING OF PHARMACEUTICALS.pptx by Anupkumar Sharma
MIXING OF PHARMACEUTICALS.pptxMIXING OF PHARMACEUTICALS.pptx
MIXING OF PHARMACEUTICALS.pptx
Anupkumar Sharma77 views
Computer Introduction-Lecture06 by Dr. Mazin Mohamed alkathiri
Computer Introduction-Lecture06Computer Introduction-Lecture06
Computer Introduction-Lecture06
Dr. Mazin Mohamed alkathiri89 views
CWP_23995_2013_17_11_2023_FINAL_ORDER.pdf by SukhwinderSingh895865
CWP_23995_2013_17_11_2023_FINAL_ORDER.pdfCWP_23995_2013_17_11_2023_FINAL_ORDER.pdf
CWP_23995_2013_17_11_2023_FINAL_ORDER.pdf
SukhwinderSingh895865527 views
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively by PECB
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks EffectivelyISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
ISO/IEC 27001 and ISO/IEC 27005: Managing AI Risks Effectively
PECB 585 views
MercerJesse2.1Doc.pdf by jessemercerail
MercerJesse2.1Doc.pdfMercerJesse2.1Doc.pdf
MercerJesse2.1Doc.pdf
jessemercerail169 views
2022 CAPE Merit List 2023 by Caribbean Examinations Council
2022 CAPE Merit List 2023 2022 CAPE Merit List 2023
2022 CAPE Merit List 2023
Caribbean Examinations Council5K views
JiscOAWeek_LAIR_slides_October2023.pptx by Jisc
JiscOAWeek_LAIR_slides_October2023.pptxJiscOAWeek_LAIR_slides_October2023.pptx
JiscOAWeek_LAIR_slides_October2023.pptx
Jisc96 views
Psychology KS4 by WestHatch
Psychology KS4Psychology KS4
Psychology KS4
WestHatch84 views
ACTIVITY BOOK key water sports.pptx by Mar Caston Palacio
ACTIVITY BOOK key water sports.pptxACTIVITY BOOK key water sports.pptx
ACTIVITY BOOK key water sports.pptx
Mar Caston Palacio605 views
Structure and Functions of Cell.pdf by Nithya Murugan
Structure and Functions of Cell.pdfStructure and Functions of Cell.pdf
Structure and Functions of Cell.pdf
Nithya Murugan545 views
Collective Bargaining and Understanding a Teacher Contract(16793704.1).pptx by Center for Integrated Training & Education
Collective Bargaining and Understanding a Teacher Contract(16793704.1).pptxCollective Bargaining and Understanding a Teacher Contract(16793704.1).pptx
Collective Bargaining and Understanding a Teacher Contract(16793704.1).pptx
Center for Integrated Training & Education93 views
The Open Access Community Framework (OACF) 2023 (1).pptx by Jisc
The Open Access Community Framework (OACF) 2023 (1).pptxThe Open Access Community Framework (OACF) 2023 (1).pptx
The Open Access Community Framework (OACF) 2023 (1).pptx
Jisc110 views
The basics - information, data, technology and systems.pdf by JonathanCovena1
The basics - information, data, technology and systems.pdfThe basics - information, data, technology and systems.pdf
The basics - information, data, technology and systems.pdf
JonathanCovena1115 views
Women from Hackney’s History: Stoke Newington by Sue Doe by History of Stoke Newington
Women from Hackney’s History: Stoke Newington by Sue DoeWomen from Hackney’s History: Stoke Newington by Sue Doe
Women from Hackney’s History: Stoke Newington by Sue Doe
History of Stoke Newington150 views
11.30.23 Poverty and Inequality in America.pptx by mary850239
11.30.23 Poverty and Inequality in America.pptx11.30.23 Poverty and Inequality in America.pptx
11.30.23 Poverty and Inequality in America.pptx
mary850239160 views
Ch. 7 Political Participation and Elections.pptx by Rommel Regala
Ch. 7 Political Participation and Elections.pptxCh. 7 Political Participation and Elections.pptx
Ch. 7 Political Participation and Elections.pptx
Rommel Regala97 views
Gopal Chakraborty Memorial Quiz 2.0 Prelims.pptx by Debapriya Chakraborty
Gopal Chakraborty Memorial Quiz 2.0 Prelims.pptxGopal Chakraborty Memorial Quiz 2.0 Prelims.pptx
Gopal Chakraborty Memorial Quiz 2.0 Prelims.pptx
Debapriya Chakraborty655 views
Class 10 English notes 23-24.pptx by TARIQ KHAN
Class 10 English notes 23-24.pptxClass 10 English notes 23-24.pptx
Class 10 English notes 23-24.pptx
TARIQ KHAN131 views
PLASMA PROTEIN (2).pptx by MEGHANA C
PLASMA PROTEIN (2).pptxPLASMA PROTEIN (2).pptx
PLASMA PROTEIN (2).pptx
MEGHANA C68 views

Attack on the Core

  • 1. Attack on the Core! @zer0mem
  • 2. #whoami - Peter Hlavaty (@zer0mem) [ KEEN TEAM ]  Background  @K33nTeam  Previously ~4 years in ESET  Contact  twitter : @zer0mem  weibo : weibo.com/u/5238732594  blog : http://zer0mem.sk  src : https://github.com/zer0mem
  • 3. outline ATTACKER ▪ KernelIo tech ▪ Vulnerability cases ▪ Design features (flaws) ▪ State of targets / security DEVELOPER ▪ Point of view ▪ Goal ▪ Environment ▪ C++! no more shellcoding!
  • 4. Part 1 -> KernelIo tech
  • 5. Privileged cpl3 != cpl0 [NtQuerySystemInformation] • NtQueryInformation from win8.1 requires elevated privileges • Still callable from user mode • Driver Signing Enforcement does not like installing drivers even from privileged ones … • Privileged are enpowered with good eye sight, kernel leakage
  • 6. Read & Write boosting [windows] • write-where vuln • what => should be above read / write target • Pool address can be sufficient
  • 7. Read & Write boosting [windows]
  • 8.  KPP is not here to punish attackers  leak & write-where- (semi)what  patch & use & patch back  turned into full KernelIo  ReadFile alternative just with nt!MmUserProbeAddress Read & Write boosting http://haxpo.nl/wp-content/uploads/2014/01/ D1T2-Bypassing-Endpoint-Security-for-Fun-and-Profit.pdf [windows] https://www.dropbox.com/sh/bkfajegn2mn35ng/AABm_RyD4x9VLzYjI9n9Dl2Wa?dl=0
  • 9. Read & Write boosting [linux / droids] • leak & write-where vuln • what => should be above read / write target • nullptr / pool address can be sufficient http://vulnfactory.org/blog/2011/06/05/smep-what-is-it-and-how-to-beat-it-on-linux/
  • 10. [linux / droids]  PXN UDEREF handle it  PXN not in default build of linux  On droids ? XD  turned into full KernelIo Read & Write boosting http://vulnfactory.org/research/stackjacking-infiltrate11.pdf
  • 11. Why KernelIo ? ▪ abstraction behind virtual address ▪ what is SMAP / SMEP about ?
  • 12. MMU straigforward idea [PoC by MWR Labs] 1. choose address X with isolated page tables 1. To be sure write-where does not hit other used memory 2. mmap (X) 3. Patch S/U bits (write-where) 4. S/U bits need to patch per PXE ! 1. self ref, can help  5. cpl0 memcpy (X, shellcode) 6. Pwn (SMEP, SMAP out of the game) https://labs.mwrinfosecurity.com/blog/2014/08/15/windows-8-kernel-memory-protections-bypass/ http://fluxius.handgrep.se/2011/10/20/the-art-of-elf-analysises-and-exploitations/
  • 13. Symbolic cpl0 – cpl3 separators “ The ProbeForRead routine checks that a user-mode buffer actually resides in the user portion of the address space, and is correctly aligned. “  Ok, what about aliasing ?!  and about ret2dir approach ?  https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kemerlis
  • 14. KERNEL- FAIL – SAFE – CHECKS  copy_to/from_user  ProbeForRead/Write  Checking just symbolic values  not cover aliasing…
  • 15. Part 2 -> cases
  • 16. Out of Boundary 1. Trivial to exploit 2. Generic implementation 3. write/read – where 4. NO -SMAP 5. but sometimes PXN
  • 17. Out of Boundary  what if SMAP enabled ?  Is over ?  Read – no problem, just do not try to read from usermode   Write – you have to know where to write – relative positioned structs
  • 18. kmalloc under/overflow 1. under/overflowed kmalloc 2. copy_to/from_user 3. search_exception_table for frv, but idea same 4. force copy_to/from_user fail 5. Copied just controlled bytes even in under/overflow situation!
  • 19. KASLR • From win8.1 NtQuerySystemInfo is just for privileged user • /proc/kallsyms same, just for privileged ones • Need to info-leak • Read-where vuln • Abusing weak or old mechanism
  • 20. KASLR  PageTable concept is old  That time no hardering needed  Crucial for performance  Timing attacks, PageFault measuring, seems doable, see recent research  A lot of static PHYSICAL addresses, KASLR weakened  MMU mechanism attacks target of recent research, and it works … http://felinemenace.org/~nemo/docs/TR-HGI-2013-001-real.pdf http://labs.bromium.com/2014/10/27/tsx-improves-timing-attacks-against-kaslr/
  • 21. Part 3 -> design features (flaws)
  • 22. Linked lists • nt!_list_entry / list_head • Lazy list entry assertions • Proper design ? • Manipulating next / prev outside of API ? • Hardening ? • Common member • Intrusive containers • Redirect list • pool leak && write-where • Own content && abussing algo ? http://www.k33nteam.org/blog.htm (nt!list_entry)
  • 23. Kernel hidden pointers plenty of c++ alike vtables callbacks ops context func Interesting design features typecast instead of inheritance Plenty data pointers No integrity checks Plenty data structs Sensitive trusted context No hardening Plain pointers http://www.nosuchcon.org/talks/2013/ D3_02_Nikita_Exploiting_Hardcore_Pool_Corruptions_in_Microsoft_Windows_Kernel.pdf
  • 24. Kernel ops by design • Callback mechanism • open / write / read … • If not implemented NULLPTR • If not implemented no call performed 1. nullptr write vuln 2. null some operation 3. Abuse scoped resource handling logic 4. pwn
  • 26. Part 4 -> state of exploitation
  • 27. before win8.1 POOL HARDENING SMEP SMAP PLAIN PTRS “KASLR” NtQuerySysInfo even kids … … do pwn
  • 28. Era of Windows 8.1, earlier and current linux POOL HARDENING SMEP SMAP PLAIN PTRS KASLR  Cool, seems more hardening  More software security features  Access control improved  UEFI  Finally! More hardware features goes implemented SMEP/SMAP, …  SMAP still waiting in some cases ….  Exploiting coming finally challenging! BUT still kernel not hardened enough
  • 29. Future of OS ? POOL HARDENING SMEP SMAP HARDENED PTRS KASLR Hardware features implemented  Strong complex access control policy Well randomized kernel space  Kicked off obsolete designs Well designed core No plain pointers Data integrity checks
  • 30. Rebirth to K E R N E L Developing begins
  • 31. CHANGING DIRECTION [everything is just point of view] Until now you were ATTACKER • NO MATTER HOW, but get EXEC! • hooks, patching, non-safe walkers, etc. Now you are DEVELOPER ! • Pretend to be one of them • Now you deal with KPP and others mitigations
  • 32. Kernel windows DEVELOPER view ▪ In kernel, but some obstacles reminds : ▪ PsSet * Routine, ObRegisterCallbacks, etc. – Callback integrity validation! ▪ IoAttachDeviceToDeviceStack, IoQueueWorkItem – DEVICE_OBJECT* needed (own is preferable)
  • 33. Kernel DEVELOPing begins [DRIVER/DEVICE_object*] ▪ Kernel loader method, or : ▪ Create your own! – IoCreateDevice – _OBJECT_HEADER + DRIVER_OBJECT
  • 34. Kernel monitoring [device attaching] ▪ Attach to driver ▪ Filter : – Network communication – File system communication – …
  • 35. Kernel monitoring [legacy] ▪ File System Filter Driver ▪ FAST_IO_DISPATCH – Register dropped files – Access to files – … ▪ Also minifilters are option
  • 36. Kernel monitoring [IoCompletion] ▪ IoCompletion – Monitor ALPC – Used by resolving host, etc. etc. – Remote process communication – Per process
  • 37. Linux, everything is a file 1. Kernel ops 2. Find in which one you are interesting in 3. Register to chain 4. cdev_add ( register_chrdev )
  • 38. SELinux, SEAndroid, ACL  Kernel escape  Natural bypass  Feature : 1. Developing superuser deamon 2. does not rely on special syscalls 3. Normal application development, api … 4. Separation of responsibilities 5. Kernel – bypass policy checks 6. Daemon – provide boosted functionality to user
  • 39. C++ come on … why shellcoding or pure c ?
  • 40. Exploitation means developming! ▪ C++ is about compiler & you skills ▪ You think you can wrote better shellcode than compiler ?  ▪ You can code really close to assembly level – when you know your compiler ▪ c++ well maintainable, scalable, modulable ▪ Design patterns ▪ Complex frameworks http://www.exploit-monday.com/2013/08/writing-optimized-windows-shellcode-in-c.html https://github.com/mattifestation/PIC_Bindshell (Window Shellcode in C)
  • 41. Exploiting is development! ▪ Before you can write PoC for exploits as easy as hello world ▪ Things getting complex ▪ Now with same style you can end up with unreadable master piece ▪ Next time you have good time to rewriting lot of the same logic ▪ And at the end you end up with black-boxes chained together with black-magic, somehow working ▪ Something will change … start fixing black-box
  • 42. Exploitation framework can be powerfull ▪ UserCode in kernel allowed! – Kernel code hidden inside binary – Fully c++ driver! ▪ Mixing User & Kernel code – just avoid direct linking imported kernel functions! – Also avoid to mixing um & km headers together in compile time ;) – Compile standalone kernel code as .lib – link kernel code .lib to exploit .exe
  • 43. KERNEL as exploitation VECTOR 1. Copy whole PE to RWE kernel page  ExAllocatePool(NonPagedPoolExecute,SizeOfImage); 2. 3. Fix Rellocations 4. resolve kernel part of Import table Ready for exec with CPL0! CPL Teleport
  • 44. Raise of C++, no more shellcoding! 1. Mixing user & kernel code 2. no imports 3. c++ 4. relocations 5. Dynamic loader
  • 45. Raise of C++, no more shellcoding! 1. c++ kernel code 2. Compiled with user mode code 3. No Imports, but does not impact code
  • 46. C++ ‘shellcoding’ framework ▪ no import table ▪ no need to handle imports by your own ▪ .py scripts set up all imports ▪ no need to code position independent code ▪ fixups resolved by loader ▪ C++ (partially also std & boost) supported ▪ no need to ship kernel code as resource, or shellcode ▪ no need to special coding style to kernel module, classical developing ▪ All features (c++, imports, fixups..) applies to kernel code as well http://www.zer0mem.sk/?p=517 http://www.hollistech.com/Resources/Cpp/kernel_c_runtime_library.htm http://www.codeproject.com/Articles/22801/Drivers-Exceptions-and-C
  • 47. C++ ‘shellcoding’ framework https://github.com/k33nteam/cc-shellcoding releasing very soon @K33nTeam
  • 48. materials (not listed in slides before) – http://www.codeproject.com/Articles/43586/File-System-Filter-Driver-Tutorial – www.bitnuts.de/KernelBasedMonitoring.pdf – https://projects.honeynet.org/svn/capture-hpc/capture-hpc/tags/2.5/capture-client/ KernelDrivers/CaptureKernelDrivers/FileMonitor/CaptureFileMonitor.c – http://www.osronline.com/article.cfm?article=199
  • 49. Acknowledge Thanks to : jfang liac rafal wojtczuk wushi nforest NTarakanov j00ru aionescu cesarcer dan rosenberg krzywix maxim
  • 50. We are hiring! ▪ #1 vulnerability research team in China – http://www.k33nteam.org/cvelist.htm – pwn2own ▪ Enjoying research ? – Mobile (Android, iOS, WP) – PC (Windows, OS X, Chrome OS, etc.) ▪ Willing to move to Shanghai ? – Beijing ? ▪ Want to join our team ? – Application security – Kernel security hr (at) keencloudtech.com
  • 51. 2014 - $500,000 2015 - $???????? Pick a device, name your own challenge!
  • 52. follow us @K33nTeam Thank You. Q & A peter (at) keencloudtech.com