SlideShare a Scribd company logo
Black Hat 2017之過去閱讀相關
整理@若渴計畫-未完
2017.4.16
<ajblane0612@gmail.com>
AJMachine
時間上來不及做完,等一個月之後補充,議題方向為自己覺得驚人的exploit技巧
Outline
• process injection
• post-exploitation tools
• cache-side channel attacks
• data orient attacks
• UEFI firmware rootkits
Reference of Process Injection
• Rattle, “Using Process Infection to Bypass Windows Software
Firewalls”, Phrack 2004
– http://phrack.org/issues/62/13.html
• Tal Liberman, “AtomBombing: Brand New Code Injection for
Windows”, 2016
– https://breakingmalware.com/injection-techniques/atombombing-
brand-new-code-injection-for-windows/
• Monnappa K A, “What Malware Authors Don’t Want You to Know -
Evasive Hollow Process Injection”, Black Hat 2017
– https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What-
Malware-Authors-Don%27t-Want-You-To-Know-Evasive-Hollow-
Process-Injection-wp.pdf
– https://drive.google.com/drive/folders/0B9qqqzOjzwW9Yi1RVzhWMX
BtNkU
Rattle, “Using Process Infection to
Bypass Windows Software Firewalls”,
Phrack 2004
• 實作問題: process A要把code inject至process B,
假設要inject的code被compiler編譯的資料或者
function call為hardcode offset會是如何?
-> process B那個位置並不是擺process A的資料或
者function call
Monnappa K A, “What Malware
Authors Don’t Want You to Know -
Evasive Hollow Process Injection”,
black hat 2017
• 其實作者說明他自己寫的hollowfind工具可
偵測Hollow Process Injection
https://github.com/monnappa22/HollowFind
Hollow Process Injection
寫惡意code至在process B配置的RWE
改寫suspended thread執行的address為惡意code
的entry pointer
Virtual Address Descriptor (VAD)
Process Environment Block
p.4 https://drive.google.com/drive/folders/0B9qqqzOjzwW9Yi1RVzhWMXBtNkU
p.17 https://drive.google.com/drive/folders/0B9qqqzOjzwW9Yi1RVzhWMXBtNkU
Detecting Process Hollowing using
Memory Forensics
• Detecting from Parent Child Process
Relationship. 固定由某parent呼叫
• Detecting by Comparing the PEB and the VAD
structure.
• Detecting using suspicious memory protection.
找到可疑RWE區塊,並把此塊送給VirusTotal
檢查是否是惡意程式。
Tal Liberman, “AtomBombing: Brand
New Code Injection for Windows”,
2016
打臉hollowfind偵測工具
Process B
Malware
(global atom tale)
知道unique value,可得字串
自動化設定字串與unique value的關係
文章寫作梗, GlobalAddAtom()
配置成null terminated buffer
(null string)
RW permission
GlobalGetAtomName()
?
!
Process B
Malware
(global atom tale)
文章寫作梗, GlobalAddAtom()
配置成null terminated buffer
(null string)
RW permission
QueueUserApc(GlobalGetAtomName(), GlobalGetAtomName參數?)
APC queue
GlobalGetAtomName()
QueueUserApc只能讓GlobalGetAtomName帶入一個參數,
但GlobalGetAtomName需要三個參數
Process B
Malware
(global atom tale)
文章寫作梗, GlobalAddAtom()
配置成null terminated buffer
(null string)
RW permission
NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數)
APC queue
GlobalGetAtomName()
!!
要能使用NtQueueApcThread下,又能讓程式正常執行,
用反組譯軟體觀察CFG來帶入符合參數。
Process B
Malware
(global atom tale)
文章寫作梗, GlobalAddAtom()
配置成null terminated buffer
(null string) ?
RW permission
NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數)
APC queue
GlobalGetAtomName()
Process B
Malware
(global atom tale)
GlobalAddAtom()配置成ROP
gadgets
RW permission
NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數)
APC queue
GlobalGetAtomName()
!!!
*ROP gadgets
ROP gadgets
ROP:安排參數+函數位置
RWX
Shell code
*Shell code
ROP gadgets如何起動?
Shell code
ret gadget
memcpy
gadget
ZwAllocateVirtualMemory gadget
還需要push eax作為memcpy所使用的參數,可知他在x86_32架構下
Process B
Malware
(global atom tale)
GlobalAddAtom()配置成ROP
gadgets
RW permission
NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數)
NtQueueApcThread(NtSetContextThread(), NtSetContextThread參數)
APC queue
GlobalGetAtomName()
!!!!
*ROP gadgets
ROP gadgets
RWX
Shell code
*Shell code
?
hThread -> target
lpContext -> 可設定ESP/EIP-> ESP設置至ROP chain/
EIP設置ZwAllocateVirtualMemory
Shell code
最後APC dispatcher 執行
Post-exploitation Tools
• Pierre-Alexandre, “Hack Microsoft Using
Microsoft Signed Binaries”, Black Hat 2017
– https://www.blackhat.com/docs/asia-
17/materials/asia-17-Braeken-Hack-Microsoft-
Using-Microsoft-Signed-Binaries-wp.pdf
– https://www.blackhat.com/docs/asia-
17/materials/asia-17-Braeken-Hack-Microsoft-
Using-Microsoft-Signed-Binaries.pdf
• argp, OR’LYEH? The Shadow over Firefox, 2015
Pierre-Alexandre, “Hack Microsoft
Using Microsoft Signed Binaries”, Black
Hat 2017
• PowerMemory uses Windows PowerShell and
Microsoft debuggers.
• 使用PowerMemory
– 從記憶體接露passwords
– 操作kernel object manipulation
– Injecting and executing a shellcode in a remote
process
• PowerMemory輔助exploit更容易成功或可靠
argp, OR’LYEH? The Shadow over
Firefox, 2015
• Shadow由 winDBG, gdb, LLDB基底,透過觀
察 記 憶 體 資 料 , 來 得 知 firefox heap
allocation行為,在某漏洞以之下,近而發
展exploitation。
Reference of Cache-side Channel
Attacks
• Gorka Irazoqui, etc., intel “Cache Side Channel Attack: Exploitability
& Countermeasures”, Black Hat 2017
– https://www.blackhat.com/docs/asia-17/materials/asia-17-Irazoqui-
Cache-Side-Channel-Attack-Exploitablity-And-Countermeasures.pdf
• Ferdinand Brasser, etc., “Software Grand Expose: SGX Cache Attacks
are Practical”
– https://arxiv.org/abs/1702.07521
• Stephan van Schaik, etc., “Reverse Engineering Hardware Page
Table Caches”
– http://www.cs.vu.nl/~herbertb/download/papers/revanc_ir-cs-77.pdf
• Ben Gras, etc., “ASLR on the Line: Practical Cache Attacks on the
MMU”
– http://www.cs.vu.nl/~herbertb/download/papers/anc_ndss17.pdf
Gorka Irazoqui, etc., intel “Cache Side
Channel Attack: Exploitability &
Countermeasures”, Black Hat 2017
• 此篇目的提出解決機制。
Cache Architecture
此cache可以裝很多page
Page table
Types of Cache-side Channel Attacks
假設條件
shared
memory
flushing instruction
exists in ISA
The Flush and Reload Attack
The Evict and Reload Attack
The Prime and Probe Attack
The Prime and Probe Attack
How to Mitigate Cache Attacks
• Cache Leakage Free Code Design
– Secret independent execution flow (盡量不要有
if …if …,如果有就會有timing attack風險 )
– Secret independent memory accesses (重要資料
實作加解密保護)
How to Mitigate Cache Attacks
• Page Coloring (OS ,hypervisor)
How to Mitigate Cache Attacks
• Intel Cache Allocation Technology
(OS/hypervisor + hardware)
Allows OS/hypervisor to mark cache lines as un-
evictable

More Related Content

What's hot

Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CanSecWest
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
Sander Demeester
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
E Hacking
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windows
n|u - The Open Security Community
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
Roo7break
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
Peter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
Peter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr Brown
zeroSteiner
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Tamas K Lengyel
 
When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4
月锋 李
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
Royce Davis
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
Peter Hlavaty
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
Royce Davis
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege Escalation
Sunny Neo
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
Peter Hlavaty
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
Nikhil Mittal
 

What's hot (20)

Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windows
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr Brown
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
 
When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege Escalation
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
 

Similar to [若渴計畫] Black Hat 2017之過去閱讀相關整理

Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Minseok(Jacky) Cha
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
MichaelM85042
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
Shakacon
 
OSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adware
Amit Serper
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
Michael Gough
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
MichaelM85042
 
Building your Open Source Security stack
Building your Open Source Security stackBuilding your Open Source Security stack
Building your Open Source Security stack
Héctor Eryx Paredes Camacho
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm Hole
DefCamp
 
Construye tu stack de ciberseguridad con open source
Construye tu stack de ciberseguridad con open sourceConstruye tu stack de ciberseguridad con open source
Construye tu stack de ciberseguridad con open source
Software Guru
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stack
Ran Bar-Zik
 
Beginners guide on how to start exploring IoT 2nd session
Beginners  guide on how to start exploring IoT 2nd sessionBeginners  guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
veerababu penugonda(Mr-IoT)
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
Zoltan Balazs
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
InfosecTrain
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuce
Db Cooper
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
B.A.
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
Touhami Kasbaoui
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
Tiago Henriques
 
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
PaloAltoNetworks
 

Similar to [若渴計畫] Black Hat 2017之過去閱讀相關整理 (20)

Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
OSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adware
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
 
Building your Open Source Security stack
Building your Open Source Security stackBuilding your Open Source Security stack
Building your Open Source Security stack
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm Hole
 
Construye tu stack de ciberseguridad con open source
Construye tu stack de ciberseguridad con open sourceConstruye tu stack de ciberseguridad con open source
Construye tu stack de ciberseguridad con open source
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stack
 
Beginners guide on how to start exploring IoT 2nd session
Beginners  guide on how to start exploring IoT 2nd sessionBeginners  guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuce
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
 

More from Aj MaChInE

An Intro on Data-oriented Attacks
An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented Attacks
Aj MaChInE
 
A Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part I
Aj MaChInE
 
A study on NetSpectre
A study on NetSpectreA study on NetSpectre
A study on NetSpectre
Aj MaChInE
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation Tools
Aj MaChInE
 
[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin
Aj MaChInE
 
[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection
Aj MaChInE
 
[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone
Aj MaChInE
 
[若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures
Aj MaChInE
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE
 
[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code
Aj MaChInE
 
[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache
Aj MaChInE
 
[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency
Aj MaChInE
 
閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24
Aj MaChInE
 
[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK
Aj MaChInE
 
[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹
Aj MaChInE
 
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
Aj MaChInE
 
[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA
Aj MaChInE
 
[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming
Aj MaChInE
 
[MOSUT] Format String Attacks
[MOSUT] Format String Attacks[MOSUT] Format String Attacks
[MOSUT] Format String Attacks
Aj MaChInE
 

More from Aj MaChInE (19)

An Intro on Data-oriented Attacks
An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented Attacks
 
A Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part I
 
A study on NetSpectre
A study on NetSpectreA study on NetSpectre
A study on NetSpectre
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation Tools
 
[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin
 
[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection
 
[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone
 
[若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code
 
[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache
 
[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency
 
閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24
 
[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK
 
[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹
 
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
 
[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA
 
[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming
 
[MOSUT] Format String Attacks
[MOSUT] Format String Attacks[MOSUT] Format String Attacks
[MOSUT] Format String Attacks
 

Recently uploaded

The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
Razin Mustafiz
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
Zilliz
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
Intel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdfIntel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdf
Tech Guru
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
ZachWylie3
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
KIRAN KV
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
ldtexsolbl
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
siddu769252
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
janagijoythi
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
SubhamMandal40
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
SelfMade bd
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business GoalsUX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business Goals
FIDO Alliance
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
FIDO Alliance
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
David Wilson
 

Recently uploaded (20)

The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
Intel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdfIntel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdf
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
 
Types of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technologyTypes of Weaving loom machine & it's technology
Types of Weaving loom machine & it's technology
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
 
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdfLeadMagnet IQ Review:  Unlock the Secret to Effortless Traffic and Leads.pdf
LeadMagnet IQ Review: Unlock the Secret to Effortless Traffic and Leads.pdf
 
UX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business GoalsUX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business Goals
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 

[若渴計畫] Black Hat 2017之過去閱讀相關整理

  • 2. Outline • process injection • post-exploitation tools • cache-side channel attacks • data orient attacks • UEFI firmware rootkits
  • 3. Reference of Process Injection • Rattle, “Using Process Infection to Bypass Windows Software Firewalls”, Phrack 2004 – http://phrack.org/issues/62/13.html • Tal Liberman, “AtomBombing: Brand New Code Injection for Windows”, 2016 – https://breakingmalware.com/injection-techniques/atombombing- brand-new-code-injection-for-windows/ • Monnappa K A, “What Malware Authors Don’t Want You to Know - Evasive Hollow Process Injection”, Black Hat 2017 – https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What- Malware-Authors-Don%27t-Want-You-To-Know-Evasive-Hollow- Process-Injection-wp.pdf – https://drive.google.com/drive/folders/0B9qqqzOjzwW9Yi1RVzhWMX BtNkU
  • 4. Rattle, “Using Process Infection to Bypass Windows Software Firewalls”, Phrack 2004 • 實作問題: process A要把code inject至process B, 假設要inject的code被compiler編譯的資料或者 function call為hardcode offset會是如何? -> process B那個位置並不是擺process A的資料或 者function call
  • 5. Monnappa K A, “What Malware Authors Don’t Want You to Know - Evasive Hollow Process Injection”, black hat 2017 • 其實作者說明他自己寫的hollowfind工具可 偵測Hollow Process Injection https://github.com/monnappa22/HollowFind
  • 6. Hollow Process Injection 寫惡意code至在process B配置的RWE 改寫suspended thread執行的address為惡意code 的entry pointer
  • 7. Virtual Address Descriptor (VAD) Process Environment Block p.4 https://drive.google.com/drive/folders/0B9qqqzOjzwW9Yi1RVzhWMXBtNkU
  • 9. Detecting Process Hollowing using Memory Forensics • Detecting from Parent Child Process Relationship. 固定由某parent呼叫 • Detecting by Comparing the PEB and the VAD structure. • Detecting using suspicious memory protection. 找到可疑RWE區塊,並把此塊送給VirusTotal 檢查是否是惡意程式。
  • 10. Tal Liberman, “AtomBombing: Brand New Code Injection for Windows”, 2016 打臉hollowfind偵測工具
  • 11. Process B Malware (global atom tale) 知道unique value,可得字串 自動化設定字串與unique value的關係 文章寫作梗, GlobalAddAtom() 配置成null terminated buffer (null string) RW permission GlobalGetAtomName() ?
  • 12. ! Process B Malware (global atom tale) 文章寫作梗, GlobalAddAtom() 配置成null terminated buffer (null string) RW permission QueueUserApc(GlobalGetAtomName(), GlobalGetAtomName參數?) APC queue GlobalGetAtomName() QueueUserApc只能讓GlobalGetAtomName帶入一個參數, 但GlobalGetAtomName需要三個參數
  • 13. Process B Malware (global atom tale) 文章寫作梗, GlobalAddAtom() 配置成null terminated buffer (null string) RW permission NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數) APC queue GlobalGetAtomName() !! 要能使用NtQueueApcThread下,又能讓程式正常執行, 用反組譯軟體觀察CFG來帶入符合參數。
  • 14. Process B Malware (global atom tale) 文章寫作梗, GlobalAddAtom() 配置成null terminated buffer (null string) ? RW permission NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數) APC queue GlobalGetAtomName()
  • 15. Process B Malware (global atom tale) GlobalAddAtom()配置成ROP gadgets RW permission NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數) APC queue GlobalGetAtomName() !!! *ROP gadgets ROP gadgets ROP:安排參數+函數位置 RWX Shell code *Shell code ROP gadgets如何起動? Shell code ret gadget memcpy gadget ZwAllocateVirtualMemory gadget 還需要push eax作為memcpy所使用的參數,可知他在x86_32架構下
  • 16. Process B Malware (global atom tale) GlobalAddAtom()配置成ROP gadgets RW permission NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數) NtQueueApcThread(NtSetContextThread(), NtSetContextThread參數) APC queue GlobalGetAtomName() !!!! *ROP gadgets ROP gadgets RWX Shell code *Shell code ? hThread -> target lpContext -> 可設定ESP/EIP-> ESP設置至ROP chain/ EIP設置ZwAllocateVirtualMemory Shell code 最後APC dispatcher 執行
  • 17. Post-exploitation Tools • Pierre-Alexandre, “Hack Microsoft Using Microsoft Signed Binaries”, Black Hat 2017 – https://www.blackhat.com/docs/asia- 17/materials/asia-17-Braeken-Hack-Microsoft- Using-Microsoft-Signed-Binaries-wp.pdf – https://www.blackhat.com/docs/asia- 17/materials/asia-17-Braeken-Hack-Microsoft- Using-Microsoft-Signed-Binaries.pdf • argp, OR’LYEH? The Shadow over Firefox, 2015
  • 18. Pierre-Alexandre, “Hack Microsoft Using Microsoft Signed Binaries”, Black Hat 2017 • PowerMemory uses Windows PowerShell and Microsoft debuggers. • 使用PowerMemory – 從記憶體接露passwords – 操作kernel object manipulation – Injecting and executing a shellcode in a remote process • PowerMemory輔助exploit更容易成功或可靠
  • 19. argp, OR’LYEH? The Shadow over Firefox, 2015 • Shadow由 winDBG, gdb, LLDB基底,透過觀 察 記 憶 體 資 料 , 來 得 知 firefox heap allocation行為,在某漏洞以之下,近而發 展exploitation。
  • 20. Reference of Cache-side Channel Attacks • Gorka Irazoqui, etc., intel “Cache Side Channel Attack: Exploitability & Countermeasures”, Black Hat 2017 – https://www.blackhat.com/docs/asia-17/materials/asia-17-Irazoqui- Cache-Side-Channel-Attack-Exploitablity-And-Countermeasures.pdf • Ferdinand Brasser, etc., “Software Grand Expose: SGX Cache Attacks are Practical” – https://arxiv.org/abs/1702.07521 • Stephan van Schaik, etc., “Reverse Engineering Hardware Page Table Caches” – http://www.cs.vu.nl/~herbertb/download/papers/revanc_ir-cs-77.pdf • Ben Gras, etc., “ASLR on the Line: Practical Cache Attacks on the MMU” – http://www.cs.vu.nl/~herbertb/download/papers/anc_ndss17.pdf
  • 21. Gorka Irazoqui, etc., intel “Cache Side Channel Attack: Exploitability & Countermeasures”, Black Hat 2017 • 此篇目的提出解決機制。
  • 23. Types of Cache-side Channel Attacks 假設條件 shared memory flushing instruction exists in ISA The Flush and Reload Attack The Evict and Reload Attack The Prime and Probe Attack
  • 24. The Prime and Probe Attack
  • 25. How to Mitigate Cache Attacks • Cache Leakage Free Code Design – Secret independent execution flow (盡量不要有 if …if …,如果有就會有timing attack風險 ) – Secret independent memory accesses (重要資料 實作加解密保護)
  • 26. How to Mitigate Cache Attacks • Page Coloring (OS ,hypervisor)
  • 27. How to Mitigate Cache Attacks • Intel Cache Allocation Technology (OS/hypervisor + hardware) Allows OS/hypervisor to mark cache lines as un- evictable