The document describes a local privilege escalation technique discovered by Soya Aoyama that allows gaining administrator privileges on Windows systems without user account control (UAC) prompts. It works by replacing a legitimate DLL loaded by Explorer.exe with a malicious one, which then exploits the CompMgmtLauncher process to execute code with elevated privileges without UAC. Microsoft was notified but did not pay a bug bounty as it was determined to not be a vulnerability.
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyFelipe Prado
Endpoint protection solutions rely on detecting malicious activity, but this can be bypassed using a technique called MALPROXY. MALPROXY works by proxying malicious code's system API calls over the network instead of running the code directly on the target system. This avoids detection as the target system only sees innocent code making valid API calls. The attacker system contains the real malicious code and stubs that hook API calls, serialize them for transport, and emulate the calls on the target system. This allows the malicious logic and intent to be separated from its actual interaction with the operating system.
Playing games-in-the-sandbox-dynamic-analysis-and-modern-evasion-tactics copy1Priyanka Aash
With many organizations using a sandbox to detonate suspicious files, many threats are implementing logic to detect sandbox environments, to alter their behavior and evade detection. This talk will highlight many real-world evasion tactics employed by recent malware, discussing challenges in measuring evasive behaviors and offering insights to improving the effectiveness of the sandbox.
(Source: RSA Conference USA 2018)
This document discusses different techniques for injecting code on Windows systems, including PE file infection, IAT hooking, and runtime code injection. PE file infection involves overwriting a section like .code and changing the entry point to inject malicious code. IAT hooking changes the DLL name in the import address table to point to a proxy DLL for intercepting function calls. Runtime code injection uses APIs like CreateRemoteThread and WriteProcessMemory to load a DLL or executable into another process's memory and execute it remotely.
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges: The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead, writes a Powershell script to the Windows registry and executes it using a special regex-based run-key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. In every system reboot, it decrypts the payload in-memory and runs it with a Visual Basic script that runs Powershell. This allows Ramnit to avoid running a detectable, executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants’ knowledge of today’s bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
Codetainer is a browser-based sandbox for running Docker containers. It allows users to "try 'X' in your browser" for any X by running Docker containers in an isolated and programmable manner directly in the browser. Codetainer uses Docker APIs to launch and manage lightweight containers via a Go-based API server. Users can create and register Docker images, launch "codetainers" from those images, and interact with the codetainers through the browser via websockets, viewing terminals and sending keystrokes. Codetainer aims to provide a secure and flexible environment for use cases like tutorials, training, and remote management while addressing challenges around container introspection and security.
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
Step-Oriented Programming (SOP) allows executing arbitrary code on embedded systems by repeating step execution and changing the program counter value. A debugger communicates with a target system's stub using the Remote Serial Protocol to read/write memory and registers, enabling full control via simple commands if the connection is compromised. SOP constructs code by combining pieces of existing machine code and executes it without needing to directly inject new code. Therefore attacks are possible even if execution from data areas is prevented. The presentation will demonstrate this attack principle and results from actual experimentation.
Malware analysis - What to learn from your invadersTazdrumm3r
This document outlines a presentation on malware analysis. It discusses analyzing samples of phishing emails to learn about malware behavior. The speaker will demonstrate using tools like VirtualBox, Remnux, Regshot and Wireshark to perform static and behavioral analysis of malware samples. Network and host-based analysis will be used to observe a sample's network activity and changes it makes to the system. Resources for continuing malware research are also provided.
This document provides an overview of the available debuggers and key features of the Visual Inspect and Native Inspect debuggers. Visual Inspect is preferred for most uses and supports debugging TNS/E and TNS programs. Native Inspect is based on GDB/WDB and uses UNIX-style commands, supporting TNS/E, TNS and COBOL programs. Both debuggers allow setting breakpoints, examining variables, and stepping through code.
DEF CON 27 - AMIT WAISEL and HILA COHEN - malproxyFelipe Prado
Endpoint protection solutions rely on detecting malicious activity, but this can be bypassed using a technique called MALPROXY. MALPROXY works by proxying malicious code's system API calls over the network instead of running the code directly on the target system. This avoids detection as the target system only sees innocent code making valid API calls. The attacker system contains the real malicious code and stubs that hook API calls, serialize them for transport, and emulate the calls on the target system. This allows the malicious logic and intent to be separated from its actual interaction with the operating system.
Playing games-in-the-sandbox-dynamic-analysis-and-modern-evasion-tactics copy1Priyanka Aash
With many organizations using a sandbox to detonate suspicious files, many threats are implementing logic to detect sandbox environments, to alter their behavior and evade detection. This talk will highlight many real-world evasion tactics employed by recent malware, discussing challenges in measuring evasive behaviors and offering insights to improving the effectiveness of the sandbox.
(Source: RSA Conference USA 2018)
This document discusses different techniques for injecting code on Windows systems, including PE file infection, IAT hooking, and runtime code injection. PE file infection involves overwriting a section like .code and changing the entry point to inject malicious code. IAT hooking changes the DLL name in the import address table to point to a proxy DLL for intercepting function calls. Runtime code injection uses APIs like CreateRemoteThread and WriteProcessMemory to load a DLL or executable into another process's memory and execute it remotely.
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ...PROIDEA
Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges: The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead, writes a Powershell script to the Windows registry and executes it using a special regex-based run-key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. In every system reboot, it decrypts the payload in-memory and runs it with a Visual Basic script that runs Powershell. This allows Ramnit to avoid running a detectable, executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants’ knowledge of today’s bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.
Codetainer: a Docker-based browser code 'sandbox'Jen Andre
Codetainer is a browser-based sandbox for running Docker containers. It allows users to "try 'X' in your browser" for any X by running Docker containers in an isolated and programmable manner directly in the browser. Codetainer uses Docker APIs to launch and manage lightweight containers via a Go-based API server. Users can create and register Docker images, launch "codetainers" from those images, and interact with the codetainers through the browser via websockets, viewing terminals and sending keystrokes. Codetainer aims to provide a secure and flexible environment for use cases like tutorials, training, and remote management while addressing challenges around container introspection and security.
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
Step-Oriented Programming (SOP) allows executing arbitrary code on embedded systems by repeating step execution and changing the program counter value. A debugger communicates with a target system's stub using the Remote Serial Protocol to read/write memory and registers, enabling full control via simple commands if the connection is compromised. SOP constructs code by combining pieces of existing machine code and executes it without needing to directly inject new code. Therefore attacks are possible even if execution from data areas is prevented. The presentation will demonstrate this attack principle and results from actual experimentation.
Malware analysis - What to learn from your invadersTazdrumm3r
This document outlines a presentation on malware analysis. It discusses analyzing samples of phishing emails to learn about malware behavior. The speaker will demonstrate using tools like VirtualBox, Remnux, Regshot and Wireshark to perform static and behavioral analysis of malware samples. Network and host-based analysis will be used to observe a sample's network activity and changes it makes to the system. Resources for continuing malware research are also provided.
This document provides an overview of the available debuggers and key features of the Visual Inspect and Native Inspect debuggers. Visual Inspect is preferred for most uses and supports debugging TNS/E and TNS programs. Native Inspect is based on GDB/WDB and uses UNIX-style commands, supporting TNS/E, TNS and COBOL programs. Both debuggers allow setting breakpoints, examining variables, and stepping through code.
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...CODE BLUE
In this talk, we are going to disclose two unconventional Use-after-free kernel bugs on Android we found last year, and introduce the new techniques we used to make these exploits 100% reliable.
The first bug is CVE-2017-0403, which we used to gain root privilege on almost all devices shipped with 3.10 or earlier Linux kernel last year. So far more than 14 million users have successfully rooted their smartphones with this exploit. With this vulnerability, an attacker only can overwrite the freed object at a fixed offset with a pointer to object itself. How to achieve kernel code execution with this bug can be very challenging.To solve the problem, we propose a new method which is using iovec to re-fill the freed object and compromising the pipe subsystem in kernel.In this way we can covert this unusual memory corruption to arbitrary kernel memory overwriting.
The second bug is CVE-2016-6787. The bug is an UAF due to race condition, may corrupt a critical kernel structure, and lead to the kernel crash when scheduler switched context back to attacker's process. So we'll introduce a way to freeze the attacker's process soon after UAF happened ,stop kernel from crashing, and make the exploit reliable.
In summary, this presentation gives out the new techniques of exploiting use-after-free bugs we just found in Android kernel. The ideas of exploitation are fresh, detail of bugs is also never discussed before.
The document discusses the uncertainties that come with cloud security due to unknown devices and applications running in cloud environments. It advocates for automating security monitoring and response to help reduce dwell times for attackers. Specific techniques recommended include using Linux auditing tools to monitor processes, logins and network activity across cloud instances and storing the data in a backend for analysis to detect anomalies. Monitoring APIs and authentications is also suggested to detect compromised credentials or suspicious activity. The document stresses the importance of automating security to keep pace with threats in cloud environments.
This document discusses Cisco IOS shellcoding and reverse engineering. It covers topics like Cisco IOS shellcodes that are image-independent by disassembling or interrupting hijacking. It also discusses Tcl shellcodes, Cisco IOS reverse engineering challenges including lack of modularity and APIs. The document details subsystems, registries, processes, command parser tree, debugging Cisco IOS, and magic numbers used in Cisco IOS.
The document discusses Monnappa, a security investigator at Cisco who focuses on threat intelligence and malware analysis. It provides an overview of static analysis, dynamic analysis, and memory analysis techniques for analyzing malware. It includes steps for each technique and screenshots demonstrating running analysis on a Zeus bot sample, including using tools like PEiD, Dependency Walker, Volatility, and VirusTotal. The analysis uncovered the malware creating registry runs keys for persistence and injecting itself into the explorer.exe process.
Powershella lubią admini, programiści, a najbardziej hakerzy. Będąc natywną powłoką systemów Windows nie rzuca się w oczy, jednocześnie dając ogromne możliwości ofensywne. Podczas prelekcji Paweł zaprezentuje zarówno skuteczne one-linery jak i wielolinijkowe skrypty, które mogą siać spustoszenie w nieprzygotowanej organizacji. Pojawią się ciekawe kanały C2, malware napisany w całości w Powershellu, wyszukiwanie i eksploitacja słabo skonfigurowanych serwerów MSSQL etc.100% mięsa.
This document discusses the Heartbleed bug in OpenSSL and the creation of LibreSSL as a more secure alternative. It notes that 17% of HTTPS servers were vulnerable to Heartbleed, which allowed attackers to steal passwords, credit cards, and other private data from server memory. LibreSSL was created to have fewer lines of code, modern coding practices, and fewer portability workarounds than OpenSSL to address bugs like Heartbleed. The document emphasizes fixing bugs quickly and not reinventing standard library functions.
This document discusses moving beyond just prevention of cyber attacks and instead assuming that networks will be breached. It argues that protective technologies will inevitably fail and the focus should shift to detection of breaches. Red team assessments are suggested to shift from just finding vulnerabilities to acting as training partners for blue teams by providing indicators of compromise, attack signatures, and use cases to help improve detection capabilities. A pyramid of pain model is presented to show moving up from just tools to full tactics, techniques and procedures used by attackers.
This document discusses fileless attacks, which use existing software and authorized protocols to carry out malicious activities without downloading files. Fileless attacks can use things like PowerShell, WMI, browsers, and Office applications to connect to command and control servers and execute malicious scripts in memory only. Some behaviors and evidence of fileless attacks include unusual child processes starting, legitimate DLLs loading from unexpected parents, and applications like Word or Excel invoking PowerShell or making network connections. The document demonstrates detecting fileless attacks using Event IDs in Windows logs related to process creation and PowerShell pipeline execution details.
The document discusses volatility and memory forensics. It covers topics like how volatility works on different operating systems like Linux and Windows, acquiring memory dumps, analyzing memory structures like page tables and processes, dealing with semantic gaps in raw memory, plugin development, and investigating various artifacts in memory related to authentication, passwords, encryption, and applications. The document provides information on memory forensics techniques and how volatility is used as an open-source memory forensics framework.
Relayd is a daemon to relay and dynamically redirect incoming connections to a target host.
Its main purposes are to run as a load-balancer, application layer gateway, or transparent proxy.
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
From ATT&CKcon 3.0
By Jonny Johnson, Red Canary and Olaf Hartong, FalconForce
As defenders, we often find ourselves wanting "more" data. But why? Will this new data provide a lot of value or is it for a very niche circumstance? How many attacks does it apply to? Are we leveraging previous data sources to their full capability? Within this talk, Olaf and Jonny will walk through different data sources they leverage more than most when analyzing data within environments, why they do, and what these data sources do and can provide in terms of value to a defender.
pf(4) is the OpenBSD packet filter that provides stateful packet filtering and network address translation (NAT). It is used in OpenBSD, FreeBSD, NetBSD, DragonflyBSD, and other systems. Some key features of pf include its flexible rule syntax, atomic ruleset updates, integrated traffic shaping, and ability to divert packets to userspace processes like spamd for inspection. It provides logging in tcpdump format and can integrate with CARP and other services. The pf code was developed for OpenBSD after the previous IPFilter code was removed due to licensing issues.
This document describes a malware analysis sandbox that executes suspicious files in a monitored and controlled virtual environment. It monitors the file system, registry, processes, and network activity of the sample to determine its purpose and behavior. The sandbox automates analysis using open source tools and outputs comprehensive reports, packet captures, artifacts, and screenshots for further examination. It takes samples as input, runs static and dynamic analysis, executes the sample in a clean virtual machine snapshot while monitoring for changes, analyzes memory dumps, and stores the results for later review.
This Java file defines a Hash class with integer and character attributes to represent a key and status. It includes multiple constructors to initialize the attributes in different ways. Methods are provided to get and set the key and status values.
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
When it comes to actual, real-world, active malware detection there are surprisingly few choices. Most companies invest in one anti-virus vendor and when they suspect a compromise they simply wait for them to issue signatures.
If a company thinks they may be compromised but there is no AV signature, then what?
What if we could use basic python scripting to identify malware based on signatures we produce in real time? There are plenty of python tools, scripts and frameworks for malware identification including yara, pefile, nsrl hash db, pyemu, hachoir, volatility and pyew.
What if we could integrate these together into a system for centrally issuing
indicators of compromise? What if hosts we suspect as being compromised used this system to check themselves for compromise? Lets find out...
This document discusses software obfuscation techniques using C++ metaprogramming. It presents several implementations of string obfuscation using templates to encrypt strings at compile-time. It also discusses obfuscating function calls using finite state machines generated with metaprogramming. Debugger detection is added to fight dynamic analysis. The techniques aim to make reverse engineering and static/dynamic analysis more difficult without changing program semantics.
The document discusses reverse engineering the firmware of Swisscom's Centro Grande modems. It identifies several vulnerabilities found, including a command overflow issue that allows complete control of the device by exceeding the input buffer, and multiple buffer overflow issues that can be exploited to execute code remotely by crafting specially formatted XML files. Details are provided on the exploitation techniques and timeline of coordination with Swisscom to address the vulnerabilities.
seccomp is a computer security facility in the Linux kernel, pledge is a similar security facility in the OpenBSD kernel. In this presentation Giovanni Bechis will review the development story and progress of both kernel interfaces and will analyze the main differences. There will be some examples of implementations of security patches made for some important open source projects.
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackSoya Aoyama
How many sites do you use? Is the password long enough and secure? Do not tell me you reused it.
Unfortunately, we have not a memory good enough to remember so many passwords long and secure.
For this reason, there are several companies providing password management applications. However, are they really secure?
I have executed a man-in-the-middle attack against a certain password management application.
Surprisingly, the password was exchanged in plain text between .exe and .dll, and it was very easy to steal it.
The program I created is generic and, under certain conditions, can steal information between all .exe and .dll in Windows.
In this talk, I will demonstrate the actual attack, and provide technical explanations to enable this attack. And finally, I suggest ways to protect other apps from this attack.
This document provides instructions for interpreting debug output on a Cisco router. The steps have a student configure debugging for IP routing on router R1. Interface Serial 0/0/0 between R1 and R2 is then configured with an IP address. Debug messages indicate the route is added but its state is initially false since the remote side is not yet configured. After fully configuring the local interface, debug output shows the interface state change to down until the remote side is also configured. The steps aim to demonstrate how debug output can provide insight into route states during router configuration.
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...CODE BLUE
In this talk, we are going to disclose two unconventional Use-after-free kernel bugs on Android we found last year, and introduce the new techniques we used to make these exploits 100% reliable.
The first bug is CVE-2017-0403, which we used to gain root privilege on almost all devices shipped with 3.10 or earlier Linux kernel last year. So far more than 14 million users have successfully rooted their smartphones with this exploit. With this vulnerability, an attacker only can overwrite the freed object at a fixed offset with a pointer to object itself. How to achieve kernel code execution with this bug can be very challenging.To solve the problem, we propose a new method which is using iovec to re-fill the freed object and compromising the pipe subsystem in kernel.In this way we can covert this unusual memory corruption to arbitrary kernel memory overwriting.
The second bug is CVE-2016-6787. The bug is an UAF due to race condition, may corrupt a critical kernel structure, and lead to the kernel crash when scheduler switched context back to attacker's process. So we'll introduce a way to freeze the attacker's process soon after UAF happened ,stop kernel from crashing, and make the exploit reliable.
In summary, this presentation gives out the new techniques of exploiting use-after-free bugs we just found in Android kernel. The ideas of exploitation are fresh, detail of bugs is also never discussed before.
The document discusses the uncertainties that come with cloud security due to unknown devices and applications running in cloud environments. It advocates for automating security monitoring and response to help reduce dwell times for attackers. Specific techniques recommended include using Linux auditing tools to monitor processes, logins and network activity across cloud instances and storing the data in a backend for analysis to detect anomalies. Monitoring APIs and authentications is also suggested to detect compromised credentials or suspicious activity. The document stresses the importance of automating security to keep pace with threats in cloud environments.
This document discusses Cisco IOS shellcoding and reverse engineering. It covers topics like Cisco IOS shellcodes that are image-independent by disassembling or interrupting hijacking. It also discusses Tcl shellcodes, Cisco IOS reverse engineering challenges including lack of modularity and APIs. The document details subsystems, registries, processes, command parser tree, debugging Cisco IOS, and magic numbers used in Cisco IOS.
The document discusses Monnappa, a security investigator at Cisco who focuses on threat intelligence and malware analysis. It provides an overview of static analysis, dynamic analysis, and memory analysis techniques for analyzing malware. It includes steps for each technique and screenshots demonstrating running analysis on a Zeus bot sample, including using tools like PEiD, Dependency Walker, Volatility, and VirusTotal. The analysis uncovered the malware creating registry runs keys for persistence and injecting itself into the explorer.exe process.
Powershella lubią admini, programiści, a najbardziej hakerzy. Będąc natywną powłoką systemów Windows nie rzuca się w oczy, jednocześnie dając ogromne możliwości ofensywne. Podczas prelekcji Paweł zaprezentuje zarówno skuteczne one-linery jak i wielolinijkowe skrypty, które mogą siać spustoszenie w nieprzygotowanej organizacji. Pojawią się ciekawe kanały C2, malware napisany w całości w Powershellu, wyszukiwanie i eksploitacja słabo skonfigurowanych serwerów MSSQL etc.100% mięsa.
This document discusses the Heartbleed bug in OpenSSL and the creation of LibreSSL as a more secure alternative. It notes that 17% of HTTPS servers were vulnerable to Heartbleed, which allowed attackers to steal passwords, credit cards, and other private data from server memory. LibreSSL was created to have fewer lines of code, modern coding practices, and fewer portability workarounds than OpenSSL to address bugs like Heartbleed. The document emphasizes fixing bugs quickly and not reinventing standard library functions.
This document discusses moving beyond just prevention of cyber attacks and instead assuming that networks will be breached. It argues that protective technologies will inevitably fail and the focus should shift to detection of breaches. Red team assessments are suggested to shift from just finding vulnerabilities to acting as training partners for blue teams by providing indicators of compromise, attack signatures, and use cases to help improve detection capabilities. A pyramid of pain model is presented to show moving up from just tools to full tactics, techniques and procedures used by attackers.
This document discusses fileless attacks, which use existing software and authorized protocols to carry out malicious activities without downloading files. Fileless attacks can use things like PowerShell, WMI, browsers, and Office applications to connect to command and control servers and execute malicious scripts in memory only. Some behaviors and evidence of fileless attacks include unusual child processes starting, legitimate DLLs loading from unexpected parents, and applications like Word or Excel invoking PowerShell or making network connections. The document demonstrates detecting fileless attacks using Event IDs in Windows logs related to process creation and PowerShell pipeline execution details.
The document discusses volatility and memory forensics. It covers topics like how volatility works on different operating systems like Linux and Windows, acquiring memory dumps, analyzing memory structures like page tables and processes, dealing with semantic gaps in raw memory, plugin development, and investigating various artifacts in memory related to authentication, passwords, encryption, and applications. The document provides information on memory forensics techniques and how volatility is used as an open-source memory forensics framework.
Relayd is a daemon to relay and dynamically redirect incoming connections to a target host.
Its main purposes are to run as a load-balancer, application layer gateway, or transparent proxy.
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
From ATT&CKcon 3.0
By Jonny Johnson, Red Canary and Olaf Hartong, FalconForce
As defenders, we often find ourselves wanting "more" data. But why? Will this new data provide a lot of value or is it for a very niche circumstance? How many attacks does it apply to? Are we leveraging previous data sources to their full capability? Within this talk, Olaf and Jonny will walk through different data sources they leverage more than most when analyzing data within environments, why they do, and what these data sources do and can provide in terms of value to a defender.
pf(4) is the OpenBSD packet filter that provides stateful packet filtering and network address translation (NAT). It is used in OpenBSD, FreeBSD, NetBSD, DragonflyBSD, and other systems. Some key features of pf include its flexible rule syntax, atomic ruleset updates, integrated traffic shaping, and ability to divert packets to userspace processes like spamd for inspection. It provides logging in tcpdump format and can integrate with CARP and other services. The pf code was developed for OpenBSD after the previous IPFilter code was removed due to licensing issues.
This document describes a malware analysis sandbox that executes suspicious files in a monitored and controlled virtual environment. It monitors the file system, registry, processes, and network activity of the sample to determine its purpose and behavior. The sandbox automates analysis using open source tools and outputs comprehensive reports, packet captures, artifacts, and screenshots for further examination. It takes samples as input, runs static and dynamic analysis, executes the sample in a clean virtual machine snapshot while monitoring for changes, analyzes memory dumps, and stores the results for later review.
This Java file defines a Hash class with integer and character attributes to represent a key and status. It includes multiple constructors to initialize the attributes in different ways. Methods are provided to get and set the key and status values.
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
When it comes to actual, real-world, active malware detection there are surprisingly few choices. Most companies invest in one anti-virus vendor and when they suspect a compromise they simply wait for them to issue signatures.
If a company thinks they may be compromised but there is no AV signature, then what?
What if we could use basic python scripting to identify malware based on signatures we produce in real time? There are plenty of python tools, scripts and frameworks for malware identification including yara, pefile, nsrl hash db, pyemu, hachoir, volatility and pyew.
What if we could integrate these together into a system for centrally issuing
indicators of compromise? What if hosts we suspect as being compromised used this system to check themselves for compromise? Lets find out...
This document discusses software obfuscation techniques using C++ metaprogramming. It presents several implementations of string obfuscation using templates to encrypt strings at compile-time. It also discusses obfuscating function calls using finite state machines generated with metaprogramming. Debugger detection is added to fight dynamic analysis. The techniques aim to make reverse engineering and static/dynamic analysis more difficult without changing program semantics.
The document discusses reverse engineering the firmware of Swisscom's Centro Grande modems. It identifies several vulnerabilities found, including a command overflow issue that allows complete control of the device by exceeding the input buffer, and multiple buffer overflow issues that can be exploited to execute code remotely by crafting specially formatted XML files. Details are provided on the exploitation techniques and timeline of coordination with Swisscom to address the vulnerabilities.
seccomp is a computer security facility in the Linux kernel, pledge is a similar security facility in the OpenBSD kernel. In this presentation Giovanni Bechis will review the development story and progress of both kernel interfaces and will analyze the main differences. There will be some examples of implementations of security patches made for some important open source projects.
An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHackSoya Aoyama
How many sites do you use? Is the password long enough and secure? Do not tell me you reused it.
Unfortunately, we have not a memory good enough to remember so many passwords long and secure.
For this reason, there are several companies providing password management applications. However, are they really secure?
I have executed a man-in-the-middle attack against a certain password management application.
Surprisingly, the password was exchanged in plain text between .exe and .dll, and it was very easy to steal it.
The program I created is generic and, under certain conditions, can steal information between all .exe and .dll in Windows.
In this talk, I will demonstrate the actual attack, and provide technical explanations to enable this attack. And finally, I suggest ways to protect other apps from this attack.
This document provides instructions for interpreting debug output on a Cisco router. The steps have a student configure debugging for IP routing on router R1. Interface Serial 0/0/0 between R1 and R2 is then configured with an IP address. Debug messages indicate the route is added but its state is initially false since the remote side is not yet configured. After fully configuring the local interface, debug output shows the interface state change to down until the remote side is also configured. The steps aim to demonstrate how debug output can provide insight into route states during router configuration.
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019Alexandre Borges
.NET malware is well-known by security analysts, but even existing many tools such as dnSpy,.NET Reflector, de4dot and so on to make the analysis easier, most professionals have used them as a black box tool, without concerning to .NET internals, structures, MSIL coding and details. In critical cases, it is necessary have enough knowledge about internal mechanisms and to debug these .NET threats using WinDbg.
Unfortunately, .NET malware samples have become very challenger because it is so complicated to deobfuscated associated resources, as unpacking and dumping them from memory. Furthermore, most GUI debugging tools does an inside view of mechanisms such as CRL Loader, Managed Heap, Synchronization issues and Garbage Collection.
In the other side, .NET malware threats are incredibly interesting when analyzed from the MSIL instruction code, which allows to see code injections using .MSIL and attempts to compromise .NET Runtime keep being a real concern.
The purpose of this presentation is to help professionals to understand .NET malware threats and techniques by explaining concepts about .NET internals, mechanisms and few reversing techniques.
This document discusses hacking serverless runtime environments like AWS Lambda, Azure Functions, and Auth0 WebTask. It begins by introducing the presenters and what will be covered. The document then explores how different vendors implement sandbox isolation and common attack techniques like persistence and data exfiltration. It examines specific runtimes like AWS Lambda in depth, investigating how to profile the environment, persist code, and escalate privileges. The document emphasizes that detection is difficult in serverless environments and provides examples of potential indicators of compromise. Overall, the document provides an overview of attacking and defending serverless architectures.
How We Analyzed 1000 Dumps in One Day - Dina Goldshtein, Brightsource - DevOp...DevOpsDays Tel Aviv
The document describes BrightSource Energy's process for analyzing crash dumps from their solar power plant control software. Originally, crashes were analyzed manually using debuggers like Visual Studio, which could take 10 minutes per dump and there were often dozens of dumps per day. They developed an automatic analysis workflow using the ClrMD NuGet package to analyze dumps. The script uses ClrMD to find the exception, call stack, and faulty component in each dump. It then alerts the relevant owner and creates a ticket in Redmine. This reduced analysis time from hours to seconds and allowed them to analyze around 1000 dumps in a single day.
This document discusses dynamic analysis of PHP web applications. It begins by explaining what dynamic analysis is and its benefits and limitations. It then surveys the current state of tools for PHP dynamic analysis, including code instrumentation tools, patches and extensions for PHP interpreters, and external profiling tools. A key focus is on developing a PHP extension for dynamic analysis, as it allows full control and transparency. The document outlines the capabilities of a PHP extension, such as handling function entry and exit, working with opcodes, and hooking dynamically evaluated strings. It introduces PVT, a new PHP dynamic analysis tool implemented as a PHP extension, covering its features and providing statistics on its performance. It concludes with plans for further improving PVT and references.
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
The document discusses vulnerabilities found in various database software products through analyzing their code and installation directories. Local privilege escalation bugs were found in IBM DB2 and Informix by exploiting how environment variables and shared libraries were handled. Remote code execution bugs were also discovered in UniData and Informix through fuzzing protocols and by exploiting unsafe functions. The document encourages searching for more bugs in database software.
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
The document discusses methods for identifying and investigating lateral movement by attackers during security incidents. It describes common tools and techniques used by attackers during different stages of an advanced persistent threat (APT) incident, including initial investigation, internal reconnaissance, spreading infection, and deleting evidence. The document analyzes logs and commands from past APT attacks to identify patterns in attacker behavior that can help with incident response. It notes that default system logs often do not provide enough information, so additional logging of events, processes, and network connections may be needed to fully trace attacker activities within a target network.
The document is a slide deck for a presentation on analyzing .NET malware. It discusses how malware authors manipulate .NET internals and metadata to attack systems and the runtime. It also covers common techniques used in .NET malware like reflection, loading encrypted payloads, and injecting managed code into other processes. The presentation aims to help analysts better understand .NET internals when reversing malicious .NET samples.
I prepared it when i started learning linux at KBFS. It explains why linux is less prone to virus and what kind of viruses affect linux. (final edit pending)
Formbook is a malware that steals passwords and harvests credentials by injecting code into targeted applications like web browsers, mail clients, and IM apps. It uses various anti-analysis techniques like manually mapping ntdll.dll and checking for debuggers. Formbook employs process hollowing to inject its code into explorer.exe and other processes, then sets up inline userland hooks to intercept function calls and harvest passwords.
* What are Embedded Systems?
* C for Embedded Systems vs. Embedded C.
* Code Compilation process.
* Error types.
* Code Compilation using command line.
An Inconvenient Truth: Evading the Ransomware Protection in Windows 10Soya Aoyama
The WannaCry cyber-attack all over the world in May, 2017 is still fresh in our minds. The malware encrypted and rendered useless hundreds of thousands of computers in over 150 countries. As a measure against ransomware, Microsoft introduced the function "Ransomware protection" in "Windows 10 Fall Creators Update". How does this function work? Is it really effective? In this talk, I will explain the operation principles of "Controlled folder access" of "Ransomware protection" through demonstration video. Then I show the requirements to avoid this function, and describe that this function can be avoided very easily. And I will ask you that we may have to reconsider the definition of vulnerability.
The document discusses several techniques for modifying and injecting code into running processes on Linux and Solaris systems, including:
1) InjLib, a technique for injecting DLLs into Windows processes by allocating memory, copying code, and creating threads.
2) Binary patching, which statically modifies executable files by adding new code segments and linking to existing code.
3) In-core patching, which dynamically modifies a running process's memory image using ptrace or procfs.
4) Leveraging the dynamic linker's symbol resolution to intercept function calls and inject code.
The document provides an agenda for an embedded C programming lecture that includes the following topics: definitions of embedded systems and the differences between C for embedded systems and embedded C, the code compilation process and types of errors, code compilation using the command line, and a quick revision of C language syntax. It concludes with assigning a task for students.
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...CODE BLUE
An embedded system has a stub to connect with a host PC and debug a program on the system remotely. A stub is an independent control program that controls a main program to enable debugging by a debugger. A stub is simplified by only processing the simple controls such as reading or writing of the register or of a memory, and a debugger processes a complicated analysis on the host PC.
Communication with a debugger on the host PC and a stub on the embedded system is performed by a protocol called Remote Serial Protocol (RSP) over a serial communication or TCP/IP communication. If this communication is taken away, it becomes possible to operate a stub arbitrarily. We considered what kind of attack possibility there was in that case, and identified that execution of arbitrary code constructed from pieces of machine code, combined with (SOP: Step-Oriented Programming) is possible by repeating step execution while changing the value of the program counter. Therefore it is possible to construct an arbitrary code and execute it from existing machine code, even if execution of the injected machine code is impossible because execution on data area is prevented by DEP or only machine code on the flash ROM are allowed execution.
I will explain about an attack principle by SOP and the results from constructed attack code and actual inspection.
PowerShell is often considered a threat vector by security tools like Carbon Black due to its powerful capabilities. However, the presentation argues that PowerShell is not dead and outlines ways attackers have evolved their PowerShell techniques to avoid detection. It demonstrates a C# PowerShell implant that uses reflection to bypass detection and discusses exploiting COM objects and Junction folders to migrate between processes like Internet Explorer."
Bruh! Do you even diff?—Diffing Microsoft Patches to Find VulnerabilitiesPriyanka Aash
Ever wondered how to find bug fixes residing in Microsoft patches? In this presentation we will take a look at the tools and techniques used to reverse engineer Microsoft security patches. Many organizations take weeks to push out patches to their domains. If an attacker can locate the fix and get a working exploit going, they can use it to compromise your organization.
(Source: RSA USA 2016-San Francisco)
Дмитрий Демчук. Кроссплатформенный краш-репортSergey Platonov
Доклад будет посвящен возможностям библиотеки Google Breakpad по созданию краш-репорта. Посмотрим как это работает изнутри.
На примерах будут рассмотрены способы интеграции библиотеки на разных платформах Windows, Linux, Max OS.
The document discusses Node.js and provides instructions for installing Node.js via different methods:
1) Homebrew can be used to install Node.js on OSX by running "brew install node.js".
2) nDistro allows creating and installing Node.js distributions within seconds by specifying module and Node binary version dependencies in a .ndistro file.
3) Node.js can be compiled from source by cloning the Node.js repository via git or downloading the source, running configuration, make, and make install commands.
Similar to 2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides Singapore (20)
Use PyCharm for remote debugging of WSL on a Windo cf5c162d672e4e58b4dde5d797...shadow0702a
This document serves as a comprehensive step-by-step guide on how to effectively use PyCharm for remote debugging of the Windows Subsystem for Linux (WSL) on a local Windows machine. It meticulously outlines several critical steps in the process, starting with the crucial task of enabling permissions, followed by the installation and configuration of WSL.
The guide then proceeds to explain how to set up the SSH service within the WSL environment, an integral part of the process. Alongside this, it also provides detailed instructions on how to modify the inbound rules of the Windows firewall to facilitate the process, ensuring that there are no connectivity issues that could potentially hinder the debugging process.
The document further emphasizes on the importance of checking the connection between the Windows and WSL environments, providing instructions on how to ensure that the connection is optimal and ready for remote debugging.
It also offers an in-depth guide on how to configure the WSL interpreter and files within the PyCharm environment. This is essential for ensuring that the debugging process is set up correctly and that the program can be run effectively within the WSL terminal.
Additionally, the document provides guidance on how to set up breakpoints for debugging, a fundamental aspect of the debugging process which allows the developer to stop the execution of their code at certain points and inspect their program at those stages.
Finally, the document concludes by providing a link to a reference blog. This blog offers additional information and guidance on configuring the remote Python interpreter in PyCharm, providing the reader with a well-rounded understanding of the process.
Batteries -Introduction – Types of Batteries – discharging and charging of battery - characteristics of battery –battery rating- various tests on battery- – Primary battery: silver button cell- Secondary battery :Ni-Cd battery-modern battery: lithium ion battery-maintenance of batteries-choices of batteries for electric vehicle applications.
Fuel Cells: Introduction- importance and classification of fuel cells - description, principle, components, applications of fuel cells: H2-O2 fuel cell, alkaline fuel cell, molten carbonate fuel cell and direct methanol fuel cells.
Optimizing Gradle Builds - Gradle DPE Tour Berlin 2024Sinan KOZAK
Sinan from the Delivery Hero mobile infrastructure engineering team shares a deep dive into performance acceleration with Gradle build cache optimizations. Sinan shares their journey into solving complex build-cache problems that affect Gradle builds. By understanding the challenges and solutions found in our journey, we aim to demonstrate the possibilities for faster builds. The case study reveals how overlapping outputs and cache misconfigurations led to significant increases in build times, especially as the project scaled up with numerous modules using Paparazzi tests. The journey from diagnosing to defeating cache issues offers invaluable lessons on maintaining cache integrity without sacrificing functionality.
Embedded machine learning-based road conditions and driving behavior monitoringIJECEIAES
Car accident rates have increased in recent years, resulting in losses in human lives, properties, and other financial costs. An embedded machine learning-based system is developed to address this critical issue. The system can monitor road conditions, detect driving patterns, and identify aggressive driving behaviors. The system is based on neural networks trained on a comprehensive dataset of driving events, driving styles, and road conditions. The system effectively detects potential risks and helps mitigate the frequency and impact of accidents. The primary goal is to ensure the safety of drivers and vehicles. Collecting data involved gathering information on three key road events: normal street and normal drive, speed bumps, circular yellow speed bumps, and three aggressive driving actions: sudden start, sudden stop, and sudden entry. The gathered data is processed and analyzed using a machine learning system designed for limited power and memory devices. The developed system resulted in 91.9% accuracy, 93.6% precision, and 92% recall. The achieved inference time on an Arduino Nano 33 BLE Sense with a 32-bit CPU running at 64 MHz is 34 ms and requires 2.6 kB peak RAM and 139.9 kB program flash memory, making it suitable for resource-constrained embedded systems.
Introduction- e - waste – definition - sources of e-waste– hazardous substances in e-waste - effects of e-waste on environment and human health- need for e-waste management– e-waste handling rules - waste minimization techniques for managing e-waste – recycling of e-waste - disposal treatment methods of e- waste – mechanism of extraction of precious metal from leaching solution-global Scenario of E-waste – E-waste in India- case studies.
artificial intelligence and data science contents.pptxGauravCar
What is artificial intelligence? Artificial intelligence is the ability of a computer or computer-controlled robot to perform tasks that are commonly associated with the intellectual processes characteristic of humans, such as the ability to reason.
› ...
Artificial intelligence (AI) | Definitio
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...IJECEIAES
Climate change's impact on the planet forced the United Nations and governments to promote green energies and electric transportation. The deployments of photovoltaic (PV) and electric vehicle (EV) systems gained stronger momentum due to their numerous advantages over fossil fuel types. The advantages go beyond sustainability to reach financial support and stability. The work in this paper introduces the hybrid system between PV and EV to support industrial and commercial plants. This paper covers the theoretical framework of the proposed hybrid system including the required equation to complete the cost analysis when PV and EV are present. In addition, the proposed design diagram which sets the priorities and requirements of the system is presented. The proposed approach allows setup to advance their power stability, especially during power outages. The presented information supports researchers and plant owners to complete the necessary analysis while promoting the deployment of clean energy. The result of a case study that represents a dairy milk farmer supports the theoretical works and highlights its advanced benefits to existing plants. The short return on investment of the proposed approach supports the paper's novelty approach for the sustainable electrical system. In addition, the proposed system allows for an isolated power setup without the need for a transmission line which enhances the safety of the electrical network
The CBC machine is a common diagnostic tool used by doctors to measure a patient's red blood cell count, white blood cell count and platelet count. The machine uses a small sample of the patient's blood, which is then placed into special tubes and analyzed. The results of the analysis are then displayed on a screen for the doctor to review. The CBC machine is an important tool for diagnosing various conditions, such as anemia, infection and leukemia. It can also help to monitor a patient's response to treatment.
Advanced control scheme of doubly fed induction generator for wind turbine us...IJECEIAES
This paper describes a speed control device for generating electrical energy on an electricity network based on the doubly fed induction generator (DFIG) used for wind power conversion systems. At first, a double-fed induction generator model was constructed. A control law is formulated to govern the flow of energy between the stator of a DFIG and the energy network using three types of controllers: proportional integral (PI), sliding mode controller (SMC) and second order sliding mode controller (SOSMC). Their different results in terms of power reference tracking, reaction to unexpected speed fluctuations, sensitivity to perturbations, and resilience against machine parameter alterations are compared. MATLAB/Simulink was used to conduct the simulations for the preceding study. Multiple simulations have shown very satisfying results, and the investigations demonstrate the efficacy and power-enhancing capabilities of the suggested control system.
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...IJECEIAES
Medical image analysis has witnessed significant advancements with deep learning techniques. In the domain of brain tumor segmentation, the ability to
precisely delineate tumor boundaries from magnetic resonance imaging (MRI)
scans holds profound implications for diagnosis. This study presents an ensemble convolutional neural network (CNN) with transfer learning, integrating
the state-of-the-art Deeplabv3+ architecture with the ResNet18 backbone. The
model is rigorously trained and evaluated, exhibiting remarkable performance
metrics, including an impressive global accuracy of 99.286%, a high-class accuracy of 82.191%, a mean intersection over union (IoU) of 79.900%, a weighted
IoU of 98.620%, and a Boundary F1 (BF) score of 83.303%. Notably, a detailed comparative analysis with existing methods showcases the superiority of
our proposed model. These findings underscore the model’s competence in precise brain tumor localization, underscoring its potential to revolutionize medical
image analysis and enhance healthcare outcomes. This research paves the way
for future exploration and optimization of advanced CNN models in medical
imaging, emphasizing addressing false positives and resource efficiency.
Mechanical Engineering on AAI Summer Training Report-003.pdf
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides Singapore
1. COPYRIGHT FUJITSU SYSTEM INTEGRATION LABORATORIES LIMITED 2019
Fujitsu System Integration Laboratories Limited
Security Meister - High Master
Soya Aoyama
2. My Profile
SOYA AOYAMA
Security Researcher @ Fujitsu System Integration Laboratories Ltd
Organizer @ BSides Tokyo
1992 ~ 2015
software developer of Windows.
2015 ~
security researcher
- 2016 AVTOKYO
- 2017 BSides Las Vegas
- 2018 GrrCON / ToorCon / DerbyCon / AVTOKYO
- 2019 HackMiami / LeHack
2018 ~
BSides Tokyo Organizer
- 2018 first BSides in East Asia
3. • Attacks that
– after breaking into local PC
– without regard administrator privileges
What is a Local Hacking?
4. My research history
2016 2017 2018 2019
Jump the AirGap
Way to escalate privileges
to administrator
- BSides Las Vegas
Way to evading the
ransomware protection
- GrrCON
- ToorCon
- DerbyCon
- Hack Miami
- LeHack
5. How to escalate privileges
to administrator in latest Windows”
• Basic Concept
• Detail
7. – does not display the UAC screen
– executes with administrator privileges
– loads 3rd Party dll (in Program Files Folder)
What processes can access programmer's folder?
– Explorer.exe?
CompMgmtLauncher.exe
9. I found a way to get administrator privileges
Which means...
Microsoft
Process
3rd
Party
File
Explorer
Process
OneDrive
File
loadreplaceload
malware malware
replace
malware malware malware malware
Administrator
Privileges
10. DLL
Func_A()
DLL
Func_A()
Basic Concept
Replace the correct dll with malicious one
Pass through the function to the correct dll
EXE DLLMalicious DLL
Call Func_A()
EXE
Call Func_A()
Malicious DLL
Call Func_A()
Func_A()
Func_A()?
11. I used the dumpbin command
What functions the dll has
12. The four functions API
Describe on Microsoft web site.
– HRESULT DllCanUnloadNow(void);
– HRESULT DllGetClassObject(REFCLSID rclsid, REFIID riid, LPVOID
*ppv);
– HRESULT DllRegisterServer(void);
– HRESULT DllUnregisterServer (void);
https://docs.microsoft.com/en-us/windows/desktop/api/_com/
14. To realize concept
the implementation necessary
1. Load the correct DLL and get its handle
hModule = LoadLibraryEx(lpLibFileName, hFile, dwFlags);
2. Get address of each function using handle
Address = GetProcAddress(hModule, lpProcName);
3. When called from EXE, call the corresponding
function with the correct arguments
return Address(arg1, arg2, …);
17. File Process
Low Integrity Level
High Integrity Level
System Integrity Level
Medium Integrity Level
Malicious. bat
Any Folder
Malicious.dllMalicious.dll
Malicious. batMalicious. bat
Any Folder
Mechanism
User executes malicious program
19. File Process
Low Integrity Level
Medium Integrity Level
High Integrity Level
System Integrity Level
Explorer.exe
%UserProfile%...OneDrive
FileSyncShell64.dll
FileSyncShell64.dll_
Any Folder
Malicious.dllMalicious.dll
Malicious.bat
Any Folder
FileSyncShell64.dllFileSyncShell64.dll
Mechanism
Explorer loads malicious dll
27. • Little change in what an attacker can do
• A lot of data locally
How important is administrator privilege?
Attacks that do not require
administrator privileges
The Local Hacking
31. It was found in HKEY_CLASSES_ROOT
I searched in the registry
32. HKCR is that merges HKLM with HKCU
What HKEY_CLASSES_ROOT?
https://docs.microsoft.com/en-us/windows/desktop/sysinfo/merged-view-of-hkey-classes-root
37. File Process
Low Integrity Level
Medium Integrity Level
High Integrity Level
System Integrity Level
Malicious. bat
Any Folder
Malicious.dllMalicious.dll
Malicious. bat
Any Folder
Malicious. bat
Mechanism
User executes malicious program
38. Process
Low Integrity Level
Medium Integrity Level
High Integrity Level
System Integrity Level
Malicious. bat
Registry
Malicious.bat
HKCR
Malicious.bat
HKCUSoftwareClasses
Malicious.bat
HKLMSoftwareClasses
%SysteRoot%system32shell32.dll
Any FolderMalicious.dll
%SysteRoot%system32shell32.dllAny FolderMalicious.dll
Mechanism
Malicious program writes malicious path to HKCU
53. Does not have following export functions
• DllCanUnloadNow()
• DllGetClassObject()
• DllRegisterServer()
• DllUnregisterServer()
xxxx.dll
54. EXE
Call LoadLibraryEx()
Call Func_A()
Call Func_B()
Call Func_C()
Malicious DLL
Call LoadLibraryEx()
Call Func_A()
Call Func_B()
Call Func_C()
DllMain()
Func_A()
Func_B()
Func_C()
DLL
DllMain()
Func_A()
Func_B()
Func_C()
Can steal the information of Functions
Implementation of all functions is impossible
55. EXE
Call LoadLibraryEx()
Call Func_A()
Call Func_B()
Call Func_C()
Malicious DLL
Call LoadLibraryEx()
Call Func_xxx()
DllMain()
DummyFunc()
DLL
DllMain()
Func_A()
Func_B()
Func_C()
Need a generic DLL
Does not depend on
• number of export functions
• number of arguments
56. Generate export table dynamically
DLLEXE
Func()
GetProcAddress(hDllInstance, “Func_C");
Func_C();
<RVA> <RVA> <RVA>
0 12
Func_A Func_B Func_C Member
Name
Value
Base
NumberOfFunctions
NumberOfNames
AddressOfFunctions
AddressOfNames
AddressOfNameOrdinals
<RVA>
<RVA>
<RVA>
<RVA>
1
4
3
Func_C()
Func_B()
Func_A()
Exe gets address of function via GetProcAddress
57. DLL
<RVA> <RVA> <RVA>
0 12
Func_A Func_B Func_C
Func_C()
Func_B()
Func_A()
Member
Name
Value
Base
NumberOfFunctions
NumberOfNames
AddressOfFunctions
AddressOfNames
AddressOfNameOrdinals
<RVA>
<RVA>
<RVA>
<RVA>
1
4
3
EXE
Func()
GetProcAddress(hDllInstance, “Func_C");
Func_C();
Generate export table dynamically
Malicious DLL
Member
Name
Value
Base
NumberOfFunctions
NumberOfNames
AddressOfFunctions
AddressOfNames
AddressOfNameOrdinals
<RVA>
<RVA>
<RVA>
<RVA>
1
4
3
Func[0] Func[1] Func[2]
0xXXXX 0xXXXX 0xXXXX
DummyFunc()
0xXXXXXXXX movzx eax, word ptr[n]
0xXXXXXXXX inc ax
0xXXXXXXXX mov word ptr[n], ax
0xXXXXXXXX movzx eax, word ptr[n]
0xXXXXXXXX inc ax
0xXXXXXXXX mov word ptr[n], ax
0xXXXXXXXX JMP Func[n]
<RVA> <RVA> <RVA>
0 12
Func_A Func_B Func_C
Copy export table from correct dll
58. Generate export table dynamically
EXE
Func()
GetProcAddress(hDllInstance, “Func_C");
Func_C();
Malicious DLL
Member
Name
Value
Base
NumberOfFunctions
NumberOfNames
AddressOfFunctions
AddressOfNames
AddressOfNameOrdinals
<RVA>
<RVA>
<RVA>
<RVA>
1
4
3
Func[0] Func[1] Func[2]
0xXXXX 0xXXXX 0xXXXX
DummyFunc()
0xXXXXXXXX movzx eax, word ptr[n]
0xXXXXXXXX inc ax
0xXXXXXXXX mov word ptr[n], ax
0xXXXXXXXX movzx eax, word ptr[n]
0xXXXXXXXX inc ax
0xXXXXXXXX mov word ptr[n], ax
0xXXXXXXXX JMP Func[n]
<RVA> <RVA> <RVA>
0 12
Func_A Func_B Func_C
EXE
Func()
GetProcAddress(hDllInstance, “Func_C");
Func_C();
Exe gets incorrect address from malicious dll
59. Generate export table dynamically
EXE
Func()
GetProcAddress(hDllInstance, “Func_C");
Func_C();
Malicious DLL
Member
Name
Value
Base
NumberOfFunctions
NumberOfNames
AddressOfFunctions
AddressOfNames
AddressOfNameOrdinals
<RVA>
<RVA>
<RVA>
<RVA>
1
4
3
Func[0] Func[1] Func[2]
0xXXXX 0xXXXX 0xXXXX
DummyFunc()
0xXXXXXXXX movzx eax, word ptr[n]
0xXXXXXXXX inc ax
0xXXXXXXXX mov word ptr[n], ax
0xXXXXXXXX movzx eax, word ptr[n]
0xXXXXXXXX inc ax
0xXXXXXXXX mov word ptr[n], ax
0xXXXXXXXX JMP Func[n]
<RVA> <RVA> <RVA>
0 12
Func_A Func_B Func_C
DLL
<RVA> <RVA> <RVA>
0 12
Func_A Func_B Func_C Member
Name
Value
Base
NumberOfFunctions
NumberOfNames
AddressOfFunctions
AddressOfNames
AddressOfNameOrdinals
<RVA>
<RVA>
<RVA>
<RVA>
1
4
3
Func_C()
Func_B()
Func_A()
61. File Process
Low Integrity Level
Medium Integrity Level
High Integrity Level
System Integrity Level
Malicious. bat
Any Folder
Malicious.dllMalicious.dll
Malicious. batMalicious. bat
Any Folder
Mechanism
User executes malicious program
63. Process
High Integrity Level
System Integrity Level
Medium Integrity Level
File
%UserProfile%...1passwordapp7
1password.dll
1password.dll_1password.dll_
Any Folder
Malicious.dllMalicious.dll
Malicious.bat
Any Folder
1password.dll_
1password.dll
Mechanism
1Password loads malicious dll
1password.exe
1password.dll
71. security impact
• Does not require administrator privileges
• Remote impersonation is possible
72. • Because, you got already hacked.
Why is local hacking neglected?
Are there nothing to consider
after such an invasion?
73. • A lot of important data
• Many things attackers can do without
becoming administrator
In Local
You would take local hacking after
intrusion into account