SlideShare a Scribd company logo

[若渴計畫] Black Hat 2017之過去閱讀相關整理

Download as PPTX, PDF
Aj MaChInE
Aj MaChInE

This document summarizes techniques discussed at Black Hat 2017 for process injection, post-exploitation tools, cache-side channel attacks, and data-oriented attacks. For process injection, it describes hollow process injection and references papers on atom bombing and evasive hollow process injection techniques. For post-exploitation, it summarizes talks on using signed binaries and the Shadow debugging tool. Regarding cache attacks, it outlines talks on exploitability/countermeasures and SGX attacks. Mitigation techniques like secret-independent code and page coloring are also briefly mentioned.

Technology
1 of 27
Black Hat 2017之過去閱讀相關 整理@若渴計畫-未完 2017.4.16 <ajblane0612@gmail.com> AJMachine 時間上來不及做完,等一個月之後補充,議題方向為自己覺得驚人的exploit技巧
Outline • process injection • post-exploitation tools • cache-side channel attacks • data orient attacks • UEFI firmware rootkits
Reference of Process Injection • Rattle, “Using Process Infection to Bypass Windows Software Firewalls”, Phrack 2004 – http://phrack.org/issues/62/13.html • Tal Liberman, “AtomBombing: Brand New Code Injection for Windows”, 2016 – https://breakingmalware.com/injection-techniques/atombombing- brand-new-code-injection-for-windows/ • Monnappa K A, “What Malware Authors Don’t Want You to Know - Evasive Hollow Process Injection”, Black Hat 2017 – https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What- Malware-Authors-Don%27t-Want-You-To-Know-Evasive-Hollow- Process-Injection-wp.pdf – https://drive.google.com/drive/folders/0B9qqqzOjzwW9Yi1RVzhWMX BtNkU
Rattle, “Using Process Infection to Bypass Windows Software Firewalls”, Phrack 2004 • 實作問題: process A要把code inject至process B, 假設要inject的code被compiler編譯的資料或者 function call為hardcode offset會是如何? -> process B那個位置並不是擺process A的資料或 者function call
Monnappa K A, “What Malware Authors Don’t Want You to Know - Evasive Hollow Process Injection”, black hat 2017 • 其實作者說明他自己寫的hollowfind工具可 偵測Hollow Process Injection https://github.com/monnappa22/HollowFind
Hollow Process Injection 寫惡意code至在process B配置的RWE 改寫suspended thread執行的address為惡意code 的entry pointer
Virtual Address Descriptor (VAD) Process Environment Block p.4 https://drive.google.com/drive/folders/0B9qqqzOjzwW9Yi1RVzhWMXBtNkU
p.17 https://drive.google.com/drive/folders/0B9qqqzOjzwW9Yi1RVzhWMXBtNkU
Detecting Process Hollowing using Memory Forensics • Detecting from Parent Child Process Relationship. 固定由某parent呼叫 • Detecting by Comparing the PEB and the VAD structure. • Detecting using suspicious memory protection. 找到可疑RWE區塊,並把此塊送給VirusTotal 檢查是否是惡意程式。
Tal Liberman, “AtomBombing: Brand New Code Injection for Windows”, 2016 打臉hollowfind偵測工具
Process B Malware (global atom tale) 知道unique value,可得字串 自動化設定字串與unique value的關係 文章寫作梗, GlobalAddAtom() 配置成null terminated buffer (null string) RW permission GlobalGetAtomName() ?
! Process B Malware (global atom tale) 文章寫作梗, GlobalAddAtom() 配置成null terminated buffer (null string) RW permission QueueUserApc(GlobalGetAtomName(), GlobalGetAtomName參數?) APC queue GlobalGetAtomName() QueueUserApc只能讓GlobalGetAtomName帶入一個參數, 但GlobalGetAtomName需要三個參數
Process B Malware (global atom tale) 文章寫作梗, GlobalAddAtom() 配置成null terminated buffer (null string) RW permission NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數) APC queue GlobalGetAtomName() !! 要能使用NtQueueApcThread下,又能讓程式正常執行, 用反組譯軟體觀察CFG來帶入符合參數。
Process B Malware (global atom tale) 文章寫作梗, GlobalAddAtom() 配置成null terminated buffer (null string) ? RW permission NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數) APC queue GlobalGetAtomName()
Process B Malware (global atom tale) GlobalAddAtom()配置成ROP gadgets RW permission NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數) APC queue GlobalGetAtomName() !!! *ROP gadgets ROP gadgets ROP:安排參數+函數位置 RWX Shell code *Shell code ROP gadgets如何起動? Shell code ret gadget memcpy gadget ZwAllocateVirtualMemory gadget 還需要push eax作為memcpy所使用的參數,可知他在x86_32架構下
Process B Malware (global atom tale) GlobalAddAtom()配置成ROP gadgets RW permission NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數) NtQueueApcThread(NtSetContextThread(), NtSetContextThread參數) APC queue GlobalGetAtomName() !!!! *ROP gadgets ROP gadgets RWX Shell code *Shell code ? hThread -> target lpContext -> 可設定ESP/EIP-> ESP設置至ROP chain/ EIP設置ZwAllocateVirtualMemory Shell code 最後APC dispatcher 執行
Post-exploitation Tools • Pierre-Alexandre, “Hack Microsoft Using Microsoft Signed Binaries”, Black Hat 2017 – https://www.blackhat.com/docs/asia- 17/materials/asia-17-Braeken-Hack-Microsoft- Using-Microsoft-Signed-Binaries-wp.pdf – https://www.blackhat.com/docs/asia- 17/materials/asia-17-Braeken-Hack-Microsoft- Using-Microsoft-Signed-Binaries.pdf • argp, OR’LYEH? The Shadow over Firefox, 2015
Pierre-Alexandre, “Hack Microsoft Using Microsoft Signed Binaries”, Black Hat 2017 • PowerMemory uses Windows PowerShell and Microsoft debuggers. • 使用PowerMemory – 從記憶體接露passwords – 操作kernel object manipulation – Injecting and executing a shellcode in a remote process • PowerMemory輔助exploit更容易成功或可靠
argp, OR’LYEH? The Shadow over Firefox, 2015 • Shadow由 winDBG, gdb, LLDB基底,透過觀 察 記 憶 體 資 料 , 來 得 知 firefox heap allocation行為,在某漏洞以之下,近而發 展exploitation。
Reference of Cache-side Channel Attacks • Gorka Irazoqui, etc., intel “Cache Side Channel Attack: Exploitability & Countermeasures”, Black Hat 2017 – https://www.blackhat.com/docs/asia-17/materials/asia-17-Irazoqui- Cache-Side-Channel-Attack-Exploitablity-And-Countermeasures.pdf • Ferdinand Brasser, etc., “Software Grand Expose: SGX Cache Attacks are Practical” – https://arxiv.org/abs/1702.07521 • Stephan van Schaik, etc., “Reverse Engineering Hardware Page Table Caches” – http://www.cs.vu.nl/~herbertb/download/papers/revanc_ir-cs-77.pdf • Ben Gras, etc., “ASLR on the Line: Practical Cache Attacks on the MMU” – http://www.cs.vu.nl/~herbertb/download/papers/anc_ndss17.pdf
Gorka Irazoqui, etc., intel “Cache Side Channel Attack: Exploitability & Countermeasures”, Black Hat 2017 • 此篇目的提出解決機制。
Cache Architecture 此cache可以裝很多page Page table
Types of Cache-side Channel Attacks 假設條件 shared memory flushing instruction exists in ISA The Flush and Reload Attack The Evict and Reload Attack The Prime and Probe Attack
The Prime and Probe Attack
How to Mitigate Cache Attacks • Cache Leakage Free Code Design – Secret independent execution flow (盡量不要有 if …if …,如果有就會有timing attack風險 ) – Secret independent memory accesses (重要資料 實作加解密保護)
How to Mitigate Cache Attacks • Page Coloring (OS ,hypervisor)
How to Mitigate Cache Attacks • Intel Cache Allocation Technology (OS/hypervisor + hardware) Allows OS/hypervisor to mark cache lines as un- evictable

Recommended

DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner
 
Mem forensic
Mem forensicMem forensic
Mem forensic
Chong-Kuan Chen
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
zeroSteiner
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
enSilo
 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat Security Conference
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.
Shahriman .
 

Recommended

DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
Peter Hlavaty
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner
 
Mem forensic
Mem forensicMem forensic
Mem forensic
Chong-Kuan Chen
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
zeroSteiner
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
enSilo
 
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiledBlueHat v18 || First strontium uefi rootkit unveiled
BlueHat v18 || First strontium uefi rootkit unveiled
BlueHat Security Conference
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.
Shahriman .
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CanSecWest
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
Sander Demeester
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
E Hacking
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windows
n|u - The Open Security Community
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
Roo7break
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
Peter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
Peter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr Brown
zeroSteiner
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Tamas K Lengyel
 
When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4
月锋 李
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
Royce Davis
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
Peter Hlavaty
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
Royce Davis
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege Escalation
Sunny Neo
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
Peter Hlavaty
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
Nikhil Mittal
 
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Minseok(Jacky) Cha
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
MichaelM85042
 

More Related Content

What's hot

Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
CanSecWest
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CanSecWest
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
Sander Demeester
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
E Hacking
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windows
n|u - The Open Security Community
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
CODE BLUE
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
Roo7break
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
Peter Hlavaty
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
Peter Hlavaty
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr Brown
zeroSteiner
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Tamas K Lengyel
 
When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4
月锋 李
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
Royce Davis
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
Peter Hlavaty
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
Royce Davis
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege Escalation
Sunny Neo
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
Peter Hlavaty
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
Nikhil Mittal
 

What's hot (20)

Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
 
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
CSW2017 Privilege escalation on high-end servers due to implementation gaps i...
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
 
Fuzzing the Media Framework in Android
Fuzzing the Media Framework in AndroidFuzzing the Media Framework in Android
Fuzzing the Media Framework in Android
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windows
 
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...
 
Power on, Powershell
Power on, PowershellPower on, Powershell
Power on, Powershell
 
Power of linked list
Power of linked listPower of linked list
Power of linked list
 
Attack on the Core
Attack on the CoreAttack on the Core
Attack on the Core
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr Brown
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
 
When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4When virtualization encounters afl blackhat eu2016--1.4
When virtualization encounters afl blackhat eu2016--1.4
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
 
Owning computers without shell access 2
Owning computers without shell access 2Owning computers without shell access 2
Owning computers without shell access 2
 
Hot potato Privilege Escalation
Hot potato Privilege EscalationHot potato Privilege Escalation
Hot potato Privilege Escalation
 
Vulnerability desing patterns
Vulnerability desing patternsVulnerability desing patterns
Vulnerability desing patterns
 
Workshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration TestersWorkshop: PowerShell for Penetration Testers
Workshop: PowerShell for Penetration Testers
 

Similar to [若渴計畫] Black Hat 2017之過去閱讀相關整理

Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Minseok(Jacky) Cha
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
MichaelM85042
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
Shakacon
 
OSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adware
Amit Serper
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
Michael Gough
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
MichaelM85042
 
Building your Open Source Security stack
Building your Open Source Security stackBuilding your Open Source Security stack
Building your Open Source Security stack
Héctor Eryx Paredes Camacho
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm Hole
DefCamp
 
Construye tu stack de ciberseguridad con open source
Construye tu stack de ciberseguridad con open sourceConstruye tu stack de ciberseguridad con open source
Construye tu stack de ciberseguridad con open source
Software Guru
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stack
Ran Bar-Zik
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
veerababu penugonda(Mr-IoT)
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
Zoltan Balazs
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
InfosecTrain
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuce
Db Cooper
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
B.A.
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
Touhami Kasbaoui
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
Tiago Henriques
 
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
PaloAltoNetworks
 

Similar to [若渴計畫] Black Hat 2017之過去閱讀相關整理 (20)

Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
Power shell 악성코드 동향 20161118_차민석_디지털 포렌식 기술특강 공개판
 
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022EMBA - Firmware analysis - Black Hat Arsenal USA 2022
EMBA - Firmware analysis - Black Hat Arsenal USA 2022
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
OSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adwareOSX/Pirrit: The blue balls of OS X adware
OSX/Pirrit: The blue balls of OS X adware
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAPJavaOne 2014 Security Testing for Developers using OWASP ZAP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
 
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022EMBA - Firmware analysis DEFCON30 demolabs USA 2022
EMBA - Firmware analysis DEFCON30 demolabs USA 2022
 
Building your Open Source Security stack
Building your Open Source Security stackBuilding your Open Source Security stack
Building your Open Source Security stack
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm Hole
 
Construye tu stack de ciberseguridad con open source
Construye tu stack de ciberseguridad con open sourceConstruye tu stack de ciberseguridad con open source
Construye tu stack de ciberseguridad con open source
 
Javascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stackJavascript Security - Three main methods of defending your MEAN stack
Javascript Security - Three main methods of defending your MEAN stack
 
Beginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd sessionBeginners guide on how to start exploring IoT 2nd session
Beginners guide on how to start exploring IoT 2nd session
 
Test & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automatedTest & Tea : ITSEC testing, manual vs automated
Test & Tea : ITSEC testing, manual vs automated
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
2600 av evasion_deuce
2600 av evasion_deuce2600 av evasion_deuce
2600 av evasion_deuce
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
Pro Tips for Power Users – Palo Alto Networks Live Community and Fuel User Gr...
 

More from Aj MaChInE

An Intro on Data-oriented Attacks
An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented Attacks
Aj MaChInE
 
A Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part I
Aj MaChInE
 
A study on NetSpectre
A study on NetSpectreA study on NetSpectre
A study on NetSpectre
Aj MaChInE
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation Tools
Aj MaChInE
 
[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin
Aj MaChInE
 
[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection
Aj MaChInE
 
[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone
Aj MaChInE
 
[若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures
Aj MaChInE
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE
 
[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code
Aj MaChInE
 
[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache
Aj MaChInE
 
[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency
Aj MaChInE
 
閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24
Aj MaChInE
 
[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK
Aj MaChInE
 
[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹
Aj MaChInE
 
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
Aj MaChInE
 
[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA
Aj MaChInE
 
[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming
Aj MaChInE
 
[MOSUT] Format String Attacks
[MOSUT] Format String Attacks[MOSUT] Format String Attacks
[MOSUT] Format String Attacks
Aj MaChInE
 

More from Aj MaChInE (19)

An Intro on Data-oriented Attacks
An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented Attacks
 
A Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part I
 
A study on NetSpectre
A study on NetSpectreA study on NetSpectre
A study on NetSpectre
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation Tools
 
[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin
 
[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection
 
[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone
 
[若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code
 
[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache
 
[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency
 
閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24
 
[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK
 
[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹
 
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
 
[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA
 
[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming
 
[MOSUT] Format String Attacks
[MOSUT] Format String Attacks[MOSUT] Format String Attacks
[MOSUT] Format String Attacks
 

Recently uploaded

Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
saastr
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
Ajin Abraham
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE VisionWhat is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Precisely
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 

Recently uploaded (20)

Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
9 CEO's who hit $100m ARR Share Their Top Growth Tactics Nathan Latka, Founde...
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
AppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSFAppSec PNW: Android and iOS Application Security with MobSF
AppSec PNW: Android and iOS Application Security with MobSF
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE VisionWhat is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their MainframeDigital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
Digital Banking in the Cloud: How Citizens Bank Unlocked Their Mainframe
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 

[若渴計畫] Black Hat 2017之過去閱讀相關整理

  • 2. Outline • process injection • post-exploitation tools • cache-side channel attacks • data orient attacks • UEFI firmware rootkits
  • 3. Reference of Process Injection • Rattle, “Using Process Infection to Bypass Windows Software Firewalls”, Phrack 2004 – http://phrack.org/issues/62/13.html • Tal Liberman, “AtomBombing: Brand New Code Injection for Windows”, 2016 – https://breakingmalware.com/injection-techniques/atombombing- brand-new-code-injection-for-windows/ • Monnappa K A, “What Malware Authors Don’t Want You to Know - Evasive Hollow Process Injection”, Black Hat 2017 – https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What- Malware-Authors-Don%27t-Want-You-To-Know-Evasive-Hollow- Process-Injection-wp.pdf – https://drive.google.com/drive/folders/0B9qqqzOjzwW9Yi1RVzhWMX BtNkU
  • 4. Rattle, “Using Process Infection to Bypass Windows Software Firewalls”, Phrack 2004 • 實作問題: process A要把code inject至process B, 假設要inject的code被compiler編譯的資料或者 function call為hardcode offset會是如何? -> process B那個位置並不是擺process A的資料或 者function call
  • 5. Monnappa K A, “What Malware Authors Don’t Want You to Know - Evasive Hollow Process Injection”, black hat 2017 • 其實作者說明他自己寫的hollowfind工具可 偵測Hollow Process Injection https://github.com/monnappa22/HollowFind
  • 6. Hollow Process Injection 寫惡意code至在process B配置的RWE 改寫suspended thread執行的address為惡意code 的entry pointer
  • 7. Virtual Address Descriptor (VAD) Process Environment Block p.4 https://drive.google.com/drive/folders/0B9qqqzOjzwW9Yi1RVzhWMXBtNkU
  • 9. Detecting Process Hollowing using Memory Forensics • Detecting from Parent Child Process Relationship. 固定由某parent呼叫 • Detecting by Comparing the PEB and the VAD structure. • Detecting using suspicious memory protection. 找到可疑RWE區塊,並把此塊送給VirusTotal 檢查是否是惡意程式。
  • 10. Tal Liberman, “AtomBombing: Brand New Code Injection for Windows”, 2016 打臉hollowfind偵測工具
  • 11. Process B Malware (global atom tale) 知道unique value,可得字串 自動化設定字串與unique value的關係 文章寫作梗, GlobalAddAtom() 配置成null terminated buffer (null string) RW permission GlobalGetAtomName() ?
  • 12. ! Process B Malware (global atom tale) 文章寫作梗, GlobalAddAtom() 配置成null terminated buffer (null string) RW permission QueueUserApc(GlobalGetAtomName(), GlobalGetAtomName參數?) APC queue GlobalGetAtomName() QueueUserApc只能讓GlobalGetAtomName帶入一個參數, 但GlobalGetAtomName需要三個參數
  • 13. Process B Malware (global atom tale) 文章寫作梗, GlobalAddAtom() 配置成null terminated buffer (null string) RW permission NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數) APC queue GlobalGetAtomName() !! 要能使用NtQueueApcThread下,又能讓程式正常執行, 用反組譯軟體觀察CFG來帶入符合參數。
  • 14. Process B Malware (global atom tale) 文章寫作梗, GlobalAddAtom() 配置成null terminated buffer (null string) ? RW permission NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數) APC queue GlobalGetAtomName()
  • 15. Process B Malware (global atom tale) GlobalAddAtom()配置成ROP gadgets RW permission NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數) APC queue GlobalGetAtomName() !!! *ROP gadgets ROP gadgets ROP:安排參數+函數位置 RWX Shell code *Shell code ROP gadgets如何起動? Shell code ret gadget memcpy gadget ZwAllocateVirtualMemory gadget 還需要push eax作為memcpy所使用的參數,可知他在x86_32架構下
  • 16. Process B Malware (global atom tale) GlobalAddAtom()配置成ROP gadgets RW permission NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName參數) NtQueueApcThread(NtSetContextThread(), NtSetContextThread參數) APC queue GlobalGetAtomName() !!!! *ROP gadgets ROP gadgets RWX Shell code *Shell code ? hThread -> target lpContext -> 可設定ESP/EIP-> ESP設置至ROP chain/ EIP設置ZwAllocateVirtualMemory Shell code 最後APC dispatcher 執行
  • 17. Post-exploitation Tools • Pierre-Alexandre, “Hack Microsoft Using Microsoft Signed Binaries”, Black Hat 2017 – https://www.blackhat.com/docs/asia- 17/materials/asia-17-Braeken-Hack-Microsoft- Using-Microsoft-Signed-Binaries-wp.pdf – https://www.blackhat.com/docs/asia- 17/materials/asia-17-Braeken-Hack-Microsoft- Using-Microsoft-Signed-Binaries.pdf • argp, OR’LYEH? The Shadow over Firefox, 2015
  • 18. Pierre-Alexandre, “Hack Microsoft Using Microsoft Signed Binaries”, Black Hat 2017 • PowerMemory uses Windows PowerShell and Microsoft debuggers. • 使用PowerMemory – 從記憶體接露passwords – 操作kernel object manipulation – Injecting and executing a shellcode in a remote process • PowerMemory輔助exploit更容易成功或可靠
  • 19. argp, OR’LYEH? The Shadow over Firefox, 2015 • Shadow由 winDBG, gdb, LLDB基底,透過觀 察 記 憶 體 資 料 , 來 得 知 firefox heap allocation行為,在某漏洞以之下,近而發 展exploitation。
  • 20. Reference of Cache-side Channel Attacks • Gorka Irazoqui, etc., intel “Cache Side Channel Attack: Exploitability & Countermeasures”, Black Hat 2017 – https://www.blackhat.com/docs/asia-17/materials/asia-17-Irazoqui- Cache-Side-Channel-Attack-Exploitablity-And-Countermeasures.pdf • Ferdinand Brasser, etc., “Software Grand Expose: SGX Cache Attacks are Practical” – https://arxiv.org/abs/1702.07521 • Stephan van Schaik, etc., “Reverse Engineering Hardware Page Table Caches” – http://www.cs.vu.nl/~herbertb/download/papers/revanc_ir-cs-77.pdf • Ben Gras, etc., “ASLR on the Line: Practical Cache Attacks on the MMU” – http://www.cs.vu.nl/~herbertb/download/papers/anc_ndss17.pdf
  • 21. Gorka Irazoqui, etc., intel “Cache Side Channel Attack: Exploitability & Countermeasures”, Black Hat 2017 • 此篇目的提出解決機制。
  • 23. Types of Cache-side Channel Attacks 假設條件 shared memory flushing instruction exists in ISA The Flush and Reload Attack The Evict and Reload Attack The Prime and Probe Attack
  • 24. The Prime and Probe Attack
  • 25. How to Mitigate Cache Attacks • Cache Leakage Free Code Design – Secret independent execution flow (盡量不要有 if …if …,如果有就會有timing attack風險 ) – Secret independent memory accesses (重要資料 實作加解密保護)
  • 26. How to Mitigate Cache Attacks • Page Coloring (OS ,hypervisor)
  • 27. How to Mitigate Cache Attacks • Intel Cache Allocation Technology (OS/hypervisor + hardware) Allows OS/hypervisor to mark cache lines as un- evictable