Challenges and Solutions of Window
Remote Shellcode @若渴
2017.11.19
<ajblane0612@gmail.com>
AjMaChInE
Outline
• Overview of Windows remote shellcode
• Some challenges and solutions
– Antivirus
– EMET
– Firewall
– Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
• Reference
Remote Shellcode [0][1]
[Figure: a terminal process talks to the remote process over a pipe/protocol; the remote process hands each command to sh]
Windows Shellcode Skeleton in Assembly [12]
• Getting EIP
• Decoder
• Getting addresses of required functions
• Setup socket
• Spawning a shell
Getting EIP – Why [12][13]
• What is the problem with such a hardcoded address?
[Figure: the compiler (or loader) may move that code to another address space, so the hardcoded address no longer points at it]
Getting EIP [12]
Getting Addresses of Required Functions [2]
[Figure: find kernel32.dll first, then resolve LoadLibraryA and GetProcAddress from it; direct system calls are not reliable]
How to Find kernel32.dll under ASLR? [2][3][4]
• Process Environment Block (PEB): fs:[0x30]
• Structured Exception Handling (SEH): fs:[0]
• Thread Environment Block (TEB): fs:[0x18], +0x4 TOPSTACK (not reliable)
Finding kernel32.dll – PEB
“The process of determining the kernel32.dll base address involves making use of the Process Environment Block (PEB). The operating system allocates a structure for every running process that can always be found at fs:[0x30] from within the process. The PEB structure holds information about the process’ heaps, binary image information, and, most importantly, three linked lists regarding loaded modules that have been mapped into process space. The linked lists themselves differ in purposes from showing the order in which the modules were loaded to the order in which the modules were initialized. The initialization order linked list is of most interest as the order in which kernel32.dll is initialized is always constant as the second module to be initialized.” [2]
Finding kernel32.dll – SEH
“Windows NT based versions the top-most entry in the SEH list can always be found at fs:[0] from within the process. With this in mind, one can walk the list of installed exception handlers until they reach the last one. When the last one is reached the address of the function pointer can be used as a starting point for walking down in increments of 64KB, or 16 × 4096 byte pages. In Windows, DLL’s will only align on 64KB boundaries. At each 64KB boundary a check can be performed to see if the two characters at that point are ‘MZ’. These two characters mark the MSDOS header that is prepended to portable executables.” [2]
Address Resolution of Required Functions
• PEB parsing [5]
– This method uses the Process Environment Block (PEB) data structure to locate the base addresses of the loaded DLLs, then finds their function addresses by parsing the Export Address Table (EAT)
• Hash API search [5]
– For quickly finding the required functions
[Figure: the DLL's EAT (or IAT) is walked; each export name is hashed and compared (hash == hash?) with the precomputed hash of the required function]
Functions You May Want [6]
• WinExec
• CreateProcessW
• CreateProcessA
• LoadLibraryExA
• LoadLibraryExW
• OpenFile
• CreateThread
• CreateRemoteThread
• GetProcAddress
• LoadModule
• CreateFileA
• CreateFileW
• _lopen
• _lcreat
• CopyFileA
• CopyFileW
• CopyFileExA
• CopyFileExW
• MoveFileA
• MoveFileExW
• LockFile
• GetModuleHandleA
• VirtualProtect
• OpenProcess
• GetModuleHandleW
• MoveFileWithProgressA
• MoveFileWithProgressW
• DeleteFileA
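The hash comparison in the address-resolution figure is the resolver's side of hash API search; the analyst's side is the reverse lookup. The following Python is an added example (not from the slides or the cited papers): it implements the ROR13 hash layout that Metasploit's block_api resolver uses (module name upper-cased as UTF-16LE including its terminating null, export name as ASCII including its terminating null, both summed modulo 2^32), builds a table from a constructed list of export names drawn from the function list above, and maps 32-bit immediates copied from a sample back to module!function names. The export list and the sample immediates are assumptions of the example; a real table is generated from the export tables of the DLLs on the analysed system, and an unresolved hash usually means the table is missing a DLL, not that the sample uses a different hash.

```python
# Added example (not from the slides or the cited papers): an analyst-side
# lookup table for the ROR13 API hashes used by Metasploit block_api-style
# shellcode. Module name: upper-cased, UTF-16LE, terminating null included
# (the resolver reads MaximumLength bytes of BaseDllName). Export name: ASCII,
# terminating null included. Both hashes are summed modulo 2^32.
from __future__ import annotations

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits` positions."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def module_hash(module: str) -> int:
    """Hash the DLL name the way the PEB walk sees it."""
    h = 0
    for byte in (module.upper() + "\x00").encode("utf-16-le"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def export_hash(name: str) -> int:
    """Hash an ASCII export name, terminating null included."""
    h = 0
    for byte in (name + "\x00").encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


def api_hash(module: str, name: str) -> int:
    """Combined 32-bit hash that a block_api-style resolver compares against."""
    return (module_hash(module) + export_hash(name)) & MASK32


# Constructed export list: names from the "Functions You May Want" slide plus
# the Winsock calls a remote shell needs. A real table is generated from the
# export tables of the DLLs on the analysed system.
KNOWN_EXPORTS = {
    "kernel32.dll": [
        "WinExec", "CreateProcessA", "CreateProcessW", "LoadLibraryA",
        "LoadLibraryExA", "GetProcAddress", "CreateThread",
        "CreateRemoteThread", "VirtualProtect", "OpenProcess",
        "GetModuleHandleA", "ExitProcess",
    ],
    "ws2_32.dll": ["WSAStartup", "WSASocketA", "connect", "recv", "send"],
}


def build_hash_table(exports: dict[str, list[str]]) -> dict[int, str]:
    """Precompute hash -> "module!export" for every known export."""
    table: dict[int, str] = {}
    for module, names in exports.items():
        for name in names:
            table[api_hash(module, name)] = f"{module}!{name}"
    return table


def resolve_hashes(hashes: list[int], table: dict[int, str]) -> list[tuple[int, str]]:
    """Map 32-bit immediates pulled from a sample back to API names. Unknown
    hashes are kept and labelled so the analyst can see the table's gaps."""
    return [(h, table.get(h, "<unknown>")) for h in hashes]


if __name__ == "__main__":
    # Constructed sample: immediates as an analyst would copy them from the
    # `push imm32` instructions that precede calls into the resolver stub.
    sample_hashes = [0x0726774C, 0x876F8B31, 0xDEADBEEF]
    for value, label in resolve_hashes(sample_hashes, build_hash_table(KNOWN_EXPORTS)):
        print(f"0x{value:08X} -> {label}")
```

Running the block prints the two kernel32 resolutions and flags the third immediate as unknown; extending KNOWN_EXPORTS with the exports of the DLLs on the analysed system is all that is needed to grow coverage.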
Challenges of Shellcode for Antivirus [7][8]
• Static signature analysis
– Signature analysis is based on a blacklist method
– e.g. YARA [9]
• Static heuristic analysis
– In this case the AV checks the code for patterns known to be found in malware. There are many possible rules, and which ones apply depends on the vendor
• Dynamic analysis
– These days most AV products rely on a dynamic approach. When an executable is scanned, it is launched in a virtual environment for a short amount of time. Combining this with signature verification and heuristic analysis allows unknown malware to be detected, even samples relying on encryption: the code decrypts itself inside the AV sandbox, and analysis of the “new code” can then trigger on suspicious behavior.
Bypassing Challenges of Shellcode for Antivirus [7][8]
• Bypassing static signature analysis / static heuristic analysis
– Decryption [10][11]
– Obfuscation [7]
– Non-standard languages for Windows binaries [25]
• Bypassing dynamic analysis
Obfuscation
The Veil-Framework [25]
• Obfuscated code
• Encrypted code
• Non-standard languages for Windows binaries
– Python, Ruby, Perl, Go, etc.
Bypassing Dynamic Analysis [7][8]
• Allocate and fill 100M memory
• Hundred million increments
• Attempt to open a system process
• Attempt to open a non-existing URL
• Action which depends on local username
• What the fuck is NUMA?
• What the fuck are FLS?
• Check process memory
• Time distortion
• What is my name?
• I am my own father
• First open a mutex
• Load fake library
• Is debugger present
• Number of cores
• Trap flag manipulation
Bypassing Dynamic Analysis – Hundred Million Increments [8]
[Figure: the hundred-million-increment loop as seen by the AV detection emulator]
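As an added example (not part of the slides or of [7][8]), the following Python turns the list above into triage logic: it parses a constructed API-call trace in an invented "<api>(args) = ret" format, maps the calls to the slide's check names (profanity shortened), applies the 100M allocation threshold, recognises a failed LoadLibraryA as the fake-library probe, and detects the time-distortion probe by comparing the GetTickCount delta around a Sleep with the requested duration. Which API a sample uses for each check is that sample's choice, so the mapping is an assumption of the example; the point is that several checks together, not any single API, are the signal, since each call on its own is also made by legitimate software.

```python
# Added example (not from the slides or the cited papers): a triage heuristic
# that reads a constructed API-call trace, as a sandbox or API monitor would
# record it, and maps the calls to the evasion checks listed on the slide.
# The API-to-check mapping is an assumption of this example.
import re
from collections import OrderedDict

# Constructed trace format: "<api>(<arg>, <arg>, ...) = <return>".
CALL_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)$")

API_TO_CHECK = {
    "IsDebuggerPresent": "Is debugger present",
    "GetNumaHighestNodeNumber": "What is NUMA?",
    "FlsAlloc": "What are FLS?",
    "GetSystemInfo": "Number of cores",
    "OpenMutexA": "First open a mutex",
    "GetUserNameA": "Action which depends on local username",
    "GetModuleFileNameA": "What is my name?",
    "InternetOpenUrlA": "Attempt to open a non-existing URL",
    "OpenProcess": "Attempt to open a system process",
}
LARGE_ALLOC = 100 * 1024 * 1024  # the slide's "100M memory"


def as_int(token):
    """Parse a decimal or 0x-prefixed trace token; None for NULL, void, strings."""
    try:
        return int(token, 0)
    except ValueError:
        return None


def parse_trace(lines):
    """Yield (api, [args], ret) for each well-formed trace line."""
    for line in lines:
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        yield m.group("api"), args, m.group("ret")


def find_evasion_checks(lines):
    """Return {check name: evidence} for the slide's checks seen in the trace,
    in order of first appearance."""
    hits = OrderedDict()
    last_tick = None      # last GetTickCount return value
    pending_sleep = None  # milliseconds requested by the most recent Sleep
    for api, args, ret in parse_trace(lines):
        if api in API_TO_CHECK:
            hits.setdefault(API_TO_CHECK[api], f"{api}({', '.join(args)})")
        if api in ("VirtualAlloc", "HeapAlloc") and len(args) > 2:
            # VirtualAlloc(addr, size, ...) vs HeapAlloc(heap, flags, size)
            size = as_int(args[1] if api == "VirtualAlloc" else args[2])
            if size is not None and size >= LARGE_ALLOC:
                hits.setdefault("Allocate and fill 100M memory", f"{api} size={size}")
        if api == "LoadLibraryA" and args and as_int(ret) == 0:
            hits.setdefault("Load fake library", f"LoadLibraryA({args[0]}) returned NULL")
        # Time distortion: GetTickCount before and after Sleep(n). If the clock
        # advanced less than n ms, the sample has caught a sandbox skipping sleeps.
        if api == "GetTickCount":
            now = as_int(ret)
            if None not in (now, last_tick, pending_sleep) and now - last_tick < pending_sleep:
                hits.setdefault("Time distortion",
                                f"Sleep({pending_sleep}) but clock moved {now - last_tick} ms")
            last_tick, pending_sleep = now, None
        elif api == "Sleep" and args:
            pending_sleep = as_int(args[0])
    return hits


def triage(lines, min_checks=3):
    """Verdict plus evidence; several checks together are the signal."""
    hits = find_evasion_checks(lines)
    return ("suspicious" if len(hits) >= min_checks else "inconclusive"), hits


# Constructed trace of a sample probing its environment before running.
SAMPLE_TRACE = """
GetModuleFileNameA(NULL, 0x0019F8C0, 260) = 27
VirtualAlloc(NULL, 104857600, 0x3000, 0x04) = 0x02000000
GetNumaHighestNodeNumber(0x0019FF20) = 1
IsDebuggerPresent() = 0
GetTickCount() = 123456
Sleep(60000) = void
GetTickCount() = 123470
LoadLibraryA("NotARealLibrary.dll") = 0
OpenMutexA(0x1F0001, FALSE, "sample-mutex") = 0
CreateProcessA("cmd.exe") = 1
""".strip().splitlines()

if __name__ == "__main__":
    verdict, evidence = triage(SAMPLE_TRACE)
    print(verdict)
    for check, why in evidence.items():
        print(f"  {check}: {why}")
```

On the constructed trace the verdict is "suspicious" with seven checks, including the time-distortion hit (60000 ms requested, 14 ms elapsed), which is exactly the discrepancy a sample would use to conclude it is being emulated.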
Proper Ways To Execute Shellcodes [7][8]
• HeapCreate/HeapAlloc
• LoadLibrary/GetProcAddress
• GetModuleHandle/GetProcAddress
• Multi-Threading
Challenges of Shellcode for EMET
• Preventing EAT parsing techniques
Bypassing Challenges of Shellcode for EMET
• IAT parsing [23]
– The application's own Import Address Table also holds the addresses of the Win32 API functions it imports
Challenges of Shellcode for Firewalls
• Inbound detection
• Outbound detection
• Usually, firewalls allow connections to popular services such as port 25 (SMTP), 53 (DNS), 80 (HTTP), etc.
Bypassing Challenges of Shellcode for Firewalls
• Bypassing inbound detection
– Reverse remote shellcode
• Bypassing outbound detection (once you are in, how do you get out?), e.g. [12]:
Bypassing Outbound Detection
• DLL/PE injection into iexplore.exe, telnet, ftp, SSH and the like [13]
• One-way shellcode [2][12]
• Meterpreter HTTP, HTTPS and DNS stagers [21]
DLL Injection Overview – Step 1/2 [17]
DLL Injection Overview – Step 3/4 [17]
Execution Methods of DLL Injection [15]
• CreateRemoteThread()
• NtCreateThreadEx()
• QueueUserAPC()
• SetWindowsHookEx()
• RtlCreateUserThread()
• Code cave via SetThreadContext()
• Reflective DLL
DLL/PE Injection to iexplore.exe [13]
• Query the registry key rather than referring to “c:...iexplore.exe”
• CreateProcess() to open the browser and keep its window hidden
• WaitForInputIdle() to give the process time to initialize
• WriteProcessMemory() to copy the networking code
• CreateRemoteThread() to run the code
• The injected procedure connects to the web site and sends the HTTP request
Reflective DLL Injection [16][18]
Reflective DLL (= a DLL-format PE file loader)
[Figure: the reflective DLL is loaded by the reflective DLL itself]
DLL/PE/Process Hollowing Injection [19][20]
One-way Shellcode – Find Socket [12] (using an anonymous pipe)
One-way Shellcode – Reuse Socket [12]
The problem of the “Find Socket” method:
• If the socket has already been closed (the SO_REUSEADDR socket option)
One-way Shellcode – Rebind Socket [12]
The problem of the “Rebind Socket” method:
• If the service uses SO_EXCLUSIVEADDRUSE, reusing the address is not possible
The Meterpreter: a stager and a stage [21][22][24]
An Up-to-Standards Secure Corporate Environment with the meterpreter/reverse_winhttp Payload [14][22]
Bypassing An Up-to-Standards Secure Corporate Environment with the meterpreter/reverse_winhttp Payload [14][22]
[Figure: Thread 1 runs a local proxy on port 8080; Thread 2 runs reverse_winhttp with LHOST=127.0.0.1 LPORT=8080; the payload trusts the local proxy, which adds NTLM authentication to the HTTP requests and sends them through the corporate proxy]
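The defender's view of an HTTP stager or reverse_winhttp session is the proxy log: because the corporate proxy authenticates the user, every request is attributable, and a stager checks in on a schedule. The following Python is an added example (not from the slides or from [14][22]): it parses constructed proxy log lines in an invented "<unix-time> <user> <method> <url> <status>" format, groups requests per user and destination host, and reports pairs whose inter-request intervals are regular enough to look scheduled. The log lines, the hosts and the jitter threshold are assumptions of the example; real implants add jitter, so the threshold has to be tuned against a baseline rather than taken from here.

```python
# Added example (not from the slides or the cited references): beacon
# detection over constructed proxy log lines. Log format is invented:
# "<unix-time> <user> <method> <url> <status>".
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def host_of(url):
    """Host part of a URL; CONNECT lines carry a bare host:port."""
    if "://" in url:
        return urlsplit(url).hostname
    return url.split(":")[0]


def parse_proxy_log(lines):
    """Yield (timestamp, user, host) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["ts"]), m["user"], host_of(m["url"])


def find_beacons(lines, min_requests=5, max_jitter=0.1):
    """Return (user, host, mean_interval_s, request_count) for every
    user/host pair whose request timing is regular enough to look scheduled."""
    series = defaultdict(list)
    for ts, user, host in parse_proxy_log(lines):
        series[(user, host)].append(ts)
    beacons = []
    for (user, host), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        # Coefficient of variation of the gaps: 0 means perfectly periodic.
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons.append((user, host, round(mean), len(stamps)))
    return beacons


# Constructed log: alice's browser traffic to example.com is bursty, while a
# second process on her machine polls 203.0.113.10 every ~10 seconds; bob
# makes too few requests to judge.
SAMPLE_LOG = """
1700000000 alice GET http://203.0.113.10/api/v1/check 200
1700000003 alice CONNECT www.example.com:443 200
1700000010 alice GET http://203.0.113.10/api/v1/check 200
1700000020 alice GET http://203.0.113.10/api/v1/check 200
1700000031 alice GET http://203.0.113.10/api/v1/check 200
1700000040 alice GET http://203.0.113.10/api/v1/check 200
1700000043 alice GET http://www.example.com/index.html 200
1700000045 alice GET http://www.example.com/style.css 200
1700000050 alice GET http://203.0.113.10/api/v1/check 200
1700000060 alice GET http://203.0.113.10/api/v1/check 200
1700000165 alice GET http://www.example.com/news 200
1700000172 alice GET http://www.example.com/news 304
1700000200 bob GET http://203.0.113.10/api/v1/check 200
1700000230 bob GET http://203.0.113.10/api/v1/check 200
""".strip().splitlines()

if __name__ == "__main__":
    for user, host, interval, count in find_beacons(SAMPLE_LOG):
        print(f"{user} -> {host}: {count} requests, every ~{interval}s")
```

Grouping by the authenticated user is what the corporate proxy gives the defender for free: the NTLM step that the local-proxy trick adds to the payload's requests is also what ties every check-in to one account and one workstation.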
Reference
• [0] How To Make A Reverse TCP Backdoor In Python - Part 1
– https://0x00sec.org/t/how-to-make-a-reverse-tcp-backdoor-in-python-part-1/1038
• [1] How To Make A Reverse TCP Backdoor In Python - Part 2
– https://0x00sec.org/t/how-to-make-a-reverse-tcp-backdoor-in-python-part-2/1040
• [2] Understanding Windows Shellcode
– http://www.hick.org/code/skape/papers/win32-shellcode.pdf
• [3] Windows Reverse Shell Shellcode I.
– http://sh3llc0d3r.com/windows-reverse-shell-shellcode-i/
• [4] Windows Reverse Shell Shellcode II.
– http://sh3llc0d3r.com/windows-reverse-shell-shellcode-ii/
• [5] Art of Anti Detection 3 – Shellcode Alchemy
– https://pentest.blog/art-of-anti-detection-3-shellcode-alchemy/
• [6] NT Shellcode Prevention Demystified
– http://www.phrack.org/issues/63/15.html#article
• [7] Art of Anti Detection – 1 Introduction to AV and Detection Techniques
– https://www.exploit-db.com/docs/40900.pdf
• [8] Bypass Antivirus Dynamic Analysis - Limitations of the AV Model and How to Exploit Them
– https://wikileaks.org/ciav7p1/cms/files/BypassAVDynamics.pdf
• [9] YARA
– http://virustotal.github.io/yara/
• [10] Code Segment Encryption
– http://blog.sevagas.com/?Code-segment-encryption
• [11] Hide Meterpreter Shellcode in Executable
– http://blog.sevagas.com/Hide-meterpreter-shellcode-in-executable
• [12] History and Advances in Windows Shellcode
– http://phrack.org/issues/62/7.html
– https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-chong.pdf
• [13] Using Process Infection to Bypass Windows Software Firewalls
– http://phrack.org/issues/62/7.html
• [14] Evade Egress Restrictions with Staged Payloads
– https://blog.cobaltstrike.com/2013/11/15/evade-egress-restrictions-with-staged-payloads/
• [15] Inject All the Things
– http://blog.deniable.org/blog/2017/07/16/inject-all-the-things/
– https://github.com/fdiskyou/injectAllTheThings/
– Microsoft Visual Studio Express 2013 for Windows Desktop
• [16] Reflective DLL Injection
– https://www.dc414.org/wp-content/uploads/2011/01/242.pdf
– https://github.com/stephenfewer/ReflectiveDLLInjection
• [17] Windows DLL Injection Basics
– http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
• [18] DOUBLEPULSAR Usermode Analysis: Generic Reflective DLL Loader
– https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/
• [19] Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques
– https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
– https://github.com/secrary/InjectProc
• [20] Process Hollowing
– https://github.com/m0n0ph1/Process-Hollowing
• [21] Metasploit - The Exploit Learning Tree
– https://www.exploit-db.com/docs/27935.pdf
• [22] Meterpreter Stage AV/IDS Evasion with Powershell
– https://arno0x0x.wordpress.com/2016/04/13/meterpreter-av-ids-evasion-powershell/
– https://github.com/Arno0x/PowerShellScripts/blob/master/proxyMeterpreterHideout.ps1
• [23] Teaching Old Shellcode New Tricks
– https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2017-Teaching_Old_Shellcode_New_Tricks.pdf
– https://github.com/secretsquirrel/fido
• [24] Deep Dive Into Stageless Meterpreter Payloads
– https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/
• [25] The Art of AV Evasion - or Lack Thereof
– https://www.slideshare.net/CTruncer/the-art-of-av-evasion-or-lack-thereof
– https://github.com/Veil-Framework/Veil

 

More from Aj MaChInE

An Intro on Data-oriented Attacks
An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented Attacks
Aj MaChInE
 
A Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part I
Aj MaChInE
 
A study on NetSpectre
A study on NetSpectreA study on NetSpectre
A study on NetSpectre
Aj MaChInE
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation Tools
Aj MaChInE
 
[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin
Aj MaChInE
 
[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection
Aj MaChInE
 
[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone
Aj MaChInE
 
[若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures
Aj MaChInE
 
[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code
Aj MaChInE
 
[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache
Aj MaChInE
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
Aj MaChInE
 
[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency
Aj MaChInE
 
閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24
Aj MaChInE
 
[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK
Aj MaChInE
 
[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹
Aj MaChInE
 
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
Aj MaChInE
 
[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA
Aj MaChInE
 
[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming
Aj MaChInE
 
[MOSUT] Format String Attacks
[MOSUT] Format String Attacks[MOSUT] Format String Attacks
[MOSUT] Format String Attacks
Aj MaChInE
 

More from Aj MaChInE (19)

An Intro on Data-oriented Attacks
An Intro on Data-oriented AttacksAn Intro on Data-oriented Attacks
An Intro on Data-oriented Attacks
 
A Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part IA Study on .NET Framework for Red Team - Part I
A Study on .NET Framework for Red Team - Part I
 
A study on NetSpectre
A study on NetSpectreA study on NetSpectre
A study on NetSpectre
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation Tools
 
[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin[若渴] A preliminary study on attacks against consensus in bitcoin
[若渴] A preliminary study on attacks against consensus in bitcoin
 
[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection[RAT資安小聚] Study on Automatically Evading Malware Detection
[RAT資安小聚] Study on Automatically Evading Malware Detection
 
[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone[若渴] Preliminary Study on Design and Exploitation of Trustzone
[若渴] Preliminary Study on Design and Exploitation of Trustzone
 
[若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures [若渴]Study on Side Channel Attacks and Countermeasures
[若渴]Study on Side Channel Attacks and Countermeasures
 
[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code[若渴計畫] Introduction: Formal Verification for Code
[若渴計畫] Introduction: Formal Verification for Code
 
[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache[若渴計畫] Studying ASLR^cache
[若渴計畫] Studying ASLR^cache
 
[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理[若渴計畫] Black Hat 2017之過去閱讀相關整理
[若渴計畫] Black Hat 2017之過去閱讀相關整理
 
[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency[若渴計畫] Studying Concurrency
[若渴計畫] Studying Concurrency
 
閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24閱讀文章分享@若渴 2016.1.24
閱讀文章分享@若渴 2016.1.24
 
[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK[若渴計畫2015.8.18] SMACK
[若渴計畫2015.8.18] SMACK
 
[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹[SITCON2015] 自己的異質多核心平台自己幹
[SITCON2015] 自己的異質多核心平台自己幹
 
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
[MOSUT20150131] Linux Runs on SoCKit Board with the GPGPU
 
[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA[若渴計畫]由GPU硬體概念到coding CUDA
[若渴計畫]由GPU硬體概念到coding CUDA
 
[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming[若渴計畫]64-bit Linux Return-Oriented Programming
[若渴計畫]64-bit Linux Return-Oriented Programming
 
[MOSUT] Format String Attacks
[MOSUT] Format String Attacks[MOSUT] Format String Attacks
[MOSUT] Format String Attacks
 

Recently uploaded

matatag curriculum education for Kindergarten
matatag curriculum education for Kindergartenmatatag curriculum education for Kindergarten
matatag curriculum education for Kindergarten
SarahAlie1
 
modul ajar kelas x bahasa inggris 24/254
modul ajar kelas x bahasa inggris 24/254modul ajar kelas x bahasa inggris 24/254
modul ajar kelas x bahasa inggris 24/254
NurFitriah45
 
"DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ...
"DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ..."DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ...
"DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ...
thanhluan21
 
How to Manage Large Scrollbar in Odoo 17 POS
How to Manage Large Scrollbar in Odoo 17 POSHow to Manage Large Scrollbar in Odoo 17 POS
How to Manage Large Scrollbar in Odoo 17 POS
Celine George
 
NAEYC Code of Ethical Conduct Resource Book
NAEYC Code of Ethical Conduct Resource BookNAEYC Code of Ethical Conduct Resource Book
NAEYC Code of Ethical Conduct Resource Book
lakitawilson
 
How to Empty a One2Many Field in Odoo 17
How to Empty a One2Many Field in Odoo 17How to Empty a One2Many Field in Odoo 17
How to Empty a One2Many Field in Odoo 17
Celine George
 
How To Update One2many Field From OnChange of Field in Odoo 17
How To Update One2many Field From OnChange of Field in Odoo 17How To Update One2many Field From OnChange of Field in Odoo 17
How To Update One2many Field From OnChange of Field in Odoo 17
Celine George
 
New Features in Odoo 17 Sign - Odoo 17 Slides
New Features in Odoo 17 Sign - Odoo 17 SlidesNew Features in Odoo 17 Sign - Odoo 17 Slides
New Features in Odoo 17 Sign - Odoo 17 Slides
Celine George
 
How To Create a Transient Model in Odoo 17
How To Create a Transient Model in Odoo 17How To Create a Transient Model in Odoo 17
How To Create a Transient Model in Odoo 17
Celine George
 
C# Interview Questions PDF By ScholarHat.pdf
C# Interview Questions PDF By ScholarHat.pdfC# Interview Questions PDF By ScholarHat.pdf
C# Interview Questions PDF By ScholarHat.pdf
Scholarhat
 
View Inheritance in Odoo 17 - Odoo 17 Slides
View Inheritance in Odoo 17 - Odoo 17  SlidesView Inheritance in Odoo 17 - Odoo 17  Slides
View Inheritance in Odoo 17 - Odoo 17 Slides
Celine George
 
C Interview Questions PDF By Scholarhat.pdf
C Interview Questions PDF By Scholarhat.pdfC Interview Questions PDF By Scholarhat.pdf
C Interview Questions PDF By Scholarhat.pdf
Scholarhat
 
RDBMS Lecture Notes Unit4 chapter12 VIEW
RDBMS Lecture Notes Unit4 chapter12 VIEWRDBMS Lecture Notes Unit4 chapter12 VIEW
RDBMS Lecture Notes Unit4 chapter12 VIEW
Murugan Solaiyappan
 
Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)
Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)
Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)
Cátedra Banco Santander
 
What is Packaging of Products in Odoo 17
What is Packaging of Products in Odoo 17What is Packaging of Products in Odoo 17
What is Packaging of Products in Odoo 17
Celine George
 
formative Evaluation By Dr.Kshirsagar R.V
formative Evaluation By Dr.Kshirsagar R.Vformative Evaluation By Dr.Kshirsagar R.V
formative Evaluation By Dr.Kshirsagar R.V
DrRavindrakshirsagar1
 
How to Manage Early Receipt Printing in Odoo 17 POS
How to Manage Early Receipt Printing in Odoo 17 POSHow to Manage Early Receipt Printing in Odoo 17 POS
How to Manage Early Receipt Printing in Odoo 17 POS
Celine George
 
Lecture_Notes_Unit4_Chapter_8_9_10_RDBMS for the students affiliated by alaga...
Lecture_Notes_Unit4_Chapter_8_9_10_RDBMS for the students affiliated by alaga...Lecture_Notes_Unit4_Chapter_8_9_10_RDBMS for the students affiliated by alaga...
Lecture_Notes_Unit4_Chapter_8_9_10_RDBMS for the students affiliated by alaga...
Murugan Solaiyappan
 
Kesadaran_Berbangsa_dan_Bernegara_Nasion.pptx
Kesadaran_Berbangsa_dan_Bernegara_Nasion.pptxKesadaran_Berbangsa_dan_Bernegara_Nasion.pptx
Kesadaran_Berbangsa_dan_Bernegara_Nasion.pptx
artenzmartenkai
 
The Cruelty of Animal Testing in the Industry.pdf
The Cruelty of Animal Testing in the Industry.pdfThe Cruelty of Animal Testing in the Industry.pdf
The Cruelty of Animal Testing in the Industry.pdf
luzmilaglez334
 

Recently uploaded (20)

matatag curriculum education for Kindergarten
matatag curriculum education for Kindergartenmatatag curriculum education for Kindergarten
matatag curriculum education for Kindergarten
 
modul ajar kelas x bahasa inggris 24/254
modul ajar kelas x bahasa inggris 24/254modul ajar kelas x bahasa inggris 24/254
modul ajar kelas x bahasa inggris 24/254
 
"DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ...
"DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ..."DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ...
"DANH SÁCH THÍ SINH XÉT TUYỂN SỚM ĐỦ ĐIỀU KIỆN TRÚNG TUYỂN ĐẠI HỌC CHÍNH QUY ...
 
How to Manage Large Scrollbar in Odoo 17 POS
How to Manage Large Scrollbar in Odoo 17 POSHow to Manage Large Scrollbar in Odoo 17 POS
How to Manage Large Scrollbar in Odoo 17 POS
 
NAEYC Code of Ethical Conduct Resource Book
NAEYC Code of Ethical Conduct Resource BookNAEYC Code of Ethical Conduct Resource Book
NAEYC Code of Ethical Conduct Resource Book
 
How to Empty a One2Many Field in Odoo 17
How to Empty a One2Many Field in Odoo 17How to Empty a One2Many Field in Odoo 17
How to Empty a One2Many Field in Odoo 17
 
How To Update One2many Field From OnChange of Field in Odoo 17
How To Update One2many Field From OnChange of Field in Odoo 17How To Update One2many Field From OnChange of Field in Odoo 17
How To Update One2many Field From OnChange of Field in Odoo 17
 
New Features in Odoo 17 Sign - Odoo 17 Slides
New Features in Odoo 17 Sign - Odoo 17 SlidesNew Features in Odoo 17 Sign - Odoo 17 Slides
New Features in Odoo 17 Sign - Odoo 17 Slides
 
How To Create a Transient Model in Odoo 17
How To Create a Transient Model in Odoo 17How To Create a Transient Model in Odoo 17
How To Create a Transient Model in Odoo 17
 
C# Interview Questions PDF By ScholarHat.pdf
C# Interview Questions PDF By ScholarHat.pdfC# Interview Questions PDF By ScholarHat.pdf
C# Interview Questions PDF By ScholarHat.pdf
 
View Inheritance in Odoo 17 - Odoo 17 Slides
View Inheritance in Odoo 17 - Odoo 17  SlidesView Inheritance in Odoo 17 - Odoo 17  Slides
View Inheritance in Odoo 17 - Odoo 17 Slides
 
C Interview Questions PDF By Scholarhat.pdf
C Interview Questions PDF By Scholarhat.pdfC Interview Questions PDF By Scholarhat.pdf
C Interview Questions PDF By Scholarhat.pdf
 
RDBMS Lecture Notes Unit4 chapter12 VIEW
RDBMS Lecture Notes Unit4 chapter12 VIEWRDBMS Lecture Notes Unit4 chapter12 VIEW
RDBMS Lecture Notes Unit4 chapter12 VIEW
 
Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)
Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)
Cómo crear video-tutoriales con ScreenPal (2 de julio de 2024)
 
What is Packaging of Products in Odoo 17
What is Packaging of Products in Odoo 17What is Packaging of Products in Odoo 17
What is Packaging of Products in Odoo 17
 
formative Evaluation By Dr.Kshirsagar R.V
formative Evaluation By Dr.Kshirsagar R.Vformative Evaluation By Dr.Kshirsagar R.V
formative Evaluation By Dr.Kshirsagar R.V
 
How to Manage Early Receipt Printing in Odoo 17 POS
How to Manage Early Receipt Printing in Odoo 17 POSHow to Manage Early Receipt Printing in Odoo 17 POS
How to Manage Early Receipt Printing in Odoo 17 POS
 
Lecture_Notes_Unit4_Chapter_8_9_10_RDBMS for the students affiliated by alaga...
Lecture_Notes_Unit4_Chapter_8_9_10_RDBMS for the students affiliated by alaga...Lecture_Notes_Unit4_Chapter_8_9_10_RDBMS for the students affiliated by alaga...
Lecture_Notes_Unit4_Chapter_8_9_10_RDBMS for the students affiliated by alaga...
 
Kesadaran_Berbangsa_dan_Bernegara_Nasion.pptx
Kesadaran_Berbangsa_dan_Bernegara_Nasion.pptxKesadaran_Berbangsa_dan_Bernegara_Nasion.pptx
Kesadaran_Berbangsa_dan_Bernegara_Nasion.pptx
 
The Cruelty of Animal Testing in the Industry.pdf
The Cruelty of Animal Testing in the Industry.pdfThe Cruelty of Animal Testing in the Industry.pdf
The Cruelty of Animal Testing in the Industry.pdf
 

[若渴計畫] Challenges and Solutions of Window Remote Shellcode

10. Finding kernel32.dll – SEH
“On Windows NT based versions the top-most entry in the SEH list can always be found at fs:[0] from within the process. With this in mind, one can walk the list of installed exception handlers until they reach the last one. When the last one is reached the address of the function pointer can be used as a starting point for walking down in increments of 64KB, or 16 × 4096 byte pages. In Windows, DLL’s will only align on 64KB boundaries. At each 64KB boundary a check can be performed to see if the two characters at that point are ‘MZ’. These two characters mark the MSDOS header that is prepended to portable executables.” [2]

11. Address Resolution of Required Functions
• PEB parsing [5]
– Uses the Process Environment Block (PEB) to locate the base addresses of the loaded DLLs, then parses each module's Export Address Table (EAT) to find the addresses of the functions the shellcode needs
• Hash API search [5]
– Compares a hash of each exported name with the hash of the wanted function, so the lookup is fast and the shellcode carries no function-name strings
[figure: DLL → EAT / IAT → required functions, matched by hash == hash?]
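Worked example added by the editor, not code from the slides or from [2]/[5]: the export-table walk and ROR13 name hash that position-independent Windows shellcode uses to resolve APIs, run against a minimal 32-bit PE image built in memory so it compiles and runs on any platform. Real shellcode gets `base` (for example kernel32.dll) from the PEB at fs:[0x30]; here `build_image()` stands in for that step, and the struct definitions are hand-written subsets of the Windows headers with the same offsets (e_lfanew at 0x3C, export directory RVA at NT-header offset 0x78).

```c
/* Added example, not from the slides or from [2]/[5]: shellcode-style API
 * resolution (EAT walk + ROR13 hash) over a constructed in-memory PE image.
 * The structs below are hand-written subsets of the Windows headers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } dos_hdr_t; /* 64 bytes, e_lfanew @ 0x3C */
typedef struct {
    uint32_t Signature;                 /* "PE\0\0" */
    uint8_t  file_hdr[20];              /* IMAGE_FILE_HEADER */
    uint8_t  opt_head[96];              /* IMAGE_OPTIONAL_HEADER32 up to DataDirectory */
    uint32_t export_rva, export_size;   /* DataDirectory[0], NT-header offset 0x78 */
} nt_hdr32_t;
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} export_dir_t;                         /* IMAGE_EXPORT_DIRECTORY, 40 bytes */

/* ROR13 hash over the export name (no terminator), as in [2]: "LoadLibraryA" -> 0xEC0E4E8E. */
uint32_t ror13_hash(const char *s) {
    uint32_t h = 0;
    for (; *s; s++) {
        h = (h >> 13) | (h << 19);
        h += (uint8_t)*s;
    }
    return h;
}

/* MZ -> e_lfanew -> PE -> export directory -> names / ordinals / functions.
 * Returns the matching function's RVA, or 0 when no export name hashes to `want`. */
uint32_t resolve_by_hash(const uint8_t *base, uint32_t want) {
    const dos_hdr_t *dos = (const dos_hdr_t *)base;
    if (dos->e_magic != 0x5A4D) return 0;                               /* 'MZ' */
    const nt_hdr32_t *nt = (const nt_hdr32_t *)(base + dos->e_lfanew);
    if (nt->Signature != 0x00004550 || nt->export_rva == 0) return 0;   /* 'PE\0\0' */
    const export_dir_t *ed = (const export_dir_t *)(base + nt->export_rva);
    const uint32_t *names = (const uint32_t *)(base + ed->AddressOfNames);
    const uint16_t *ords  = (const uint16_t *)(base + ed->AddressOfNameOrdinals);
    const uint32_t *funcs = (const uint32_t *)(base + ed->AddressOfFunctions);
    for (uint32_t i = 0; i < ed->NumberOfNames; i++)
        if (ror13_hash((const char *)(base + names[i])) == want)
            return funcs[ords[i]];      /* the ordinal indexes the function table */
    return 0;
}

/* Constructed test image (not a real DLL): headers plus a four-name export table. */
const uint8_t *build_image(void) {
    static uint64_t storage[4096 / 8];  /* 8-byte aligned backing store */
    uint8_t *img = (uint8_t *)storage;
    static const char *const names[] = {"CreateProcessA", "GetProcAddress", "LoadLibraryA", "WinExec"};
    static const uint32_t rvas[] = {0x1000, 0x2000, 0x3000, 0x4000};
    memset(img, 0, sizeof storage);
    dos_hdr_t *dos = (dos_hdr_t *)img;
    dos->e_magic = 0x5A4D; dos->e_lfanew = 0x40;
    nt_hdr32_t *nt = (nt_hdr32_t *)(img + 0x40);
    nt->Signature = 0x00004550; nt->export_rva = 0x200; nt->export_size = 0x100;
    export_dir_t *ed = (export_dir_t *)(img + 0x200);
    ed->Base = 1; ed->NumberOfFunctions = ed->NumberOfNames = 4;
    ed->AddressOfFunctions = 0x230; ed->AddressOfNames = 0x240; ed->AddressOfNameOrdinals = 0x250;
    uint32_t *funcs = (uint32_t *)(img + 0x230), *nameptr = (uint32_t *)(img + 0x240);
    uint16_t *ords = (uint16_t *)(img + 0x250);
    uint32_t str = 0x260;
    for (int i = 0; i < 4; i++) {
        funcs[i] = rvas[i];             /* function i "lives" at rvas[i] */
        ords[i] = (uint16_t)i;          /* name i refers to function i */
        nameptr[i] = str;
        strcpy((char *)img + str, names[i]);
        str += (uint32_t)strlen(names[i]) + 1;
    }
    return img;
}

int main(void) {
    const uint8_t *base = build_image();
    printf("LoadLibraryA hash 0x%08X -> RVA 0x%X\n", ror13_hash("LoadLibraryA"),
           resolve_by_hash(base, ror13_hash("LoadLibraryA")));
    printf("WinExec -> RVA 0x%X\n", resolve_by_hash(base, ror13_hash("WinExec")));
    return 0;
}
```

The read of `AddressOfNames` and `AddressOfFunctions` is exactly the export-table access that EMET's EAF traps (slide 20); the IAT route on slide 21 avoids it by reading the application's own import table instead.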
12. Functions You May Want to [6]
• WinExec, CreateProcessW, CreateProcessA, LoadLibraryExA, LoadLibraryExW, OpenFile, CreateThread, CreateRemoteThread, GetProcAddress, LoadModule, CreateFileA, CreateFileW, _lopen, _lcreat, CopyFileA, CopyFileW, CopyFileExA, CopyFileExW, MoveFileA, MoveFileExW, LockFile, GetModuleHandleA, VirtualProtect, OpenProcess, GetModuleHandleW, MoveFileWithProgressA, MoveFileWithProgressW, DeleteFileA

13. Challenges of Shellcode for Antivirus [7][8]
• Static signature analysis
– Signature analysis is a blacklist method: known byte patterns are matched against the file
– Example: YARA [9]
• Static heuristic analysis
– The AV checks the code for patterns known to occur in malware; there are many possible rules, and they depend on the vendor
• Dynamic analysis
– Most AVs today also rely on a dynamic approach: when an executable is scanned it is launched in a virtual environment for a short time. Combined with signature verification and heuristic analysis this can detect unknown malware, including samples that rely on encryption, because the code decrypts itself inside the AV sandbox and analysis of the “new code” can then trigger on suspicious behaviour

14. Bypassing Challenges of Shellcode for Antivirus [7][8]
• Bypassing static signature analysis / static heuristic analysis
– Encryption with a runtime decryption stub [10][11]
– Obfuscation [7]
– Non-standard languages for Windows binaries [25]
• Bypassing dynamic analysis

16. The Veil-Framework [25]
• Obfuscated code
• Encrypted code
• Non-standard languages for Windows binaries
– Python, Ruby, Perl, Go, etc.
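Worked example added by the editor for slides 14 and 16, not code from the slides, from [10][11] or from Veil: single-byte XOR encoding of a payload with a key chosen so that the encoded bytes avoid a bad-character set, plus a byte-signature scan (the simplest form of the static matching a YARA rule performs) run on the raw and on the encoded bytes. `PAYLOAD`, `SIG` and `BAD` are constructed test data, not a working shellcode.

```c
/* Added example, not from the slides or from [10][11]: XOR-encode a payload
 * around a bad-character set and show what a byte signature sees before and
 * after. PAYLOAD / SIG / BAD are constructed test data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 "xor eax,eax; push eax; push 'calc'" followed by a NUL to show the bad-character problem */
static const uint8_t PAYLOAD[] = {0x31, 0xC0, 0x50, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x00};
static const uint8_t SIG[]     = {0x68, 0x63, 0x61, 0x6C, 0x63};   /* "push 'calc'" */
static const uint8_t BAD[]     = {0x00, 0x0A, 0x0D};               /* NUL, LF, CR */

/* 1 if any byte of p[0..n) is in the bad set */
int has_bad_char(const uint8_t *p, size_t n, const uint8_t *bad, size_t nbad) {
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nbad; j++)
            if (p[i] == bad[j]) return 1;
    return 0;
}

/* Naive byte-pattern match: the static-signature view of a buffer */
int has_signature(const uint8_t *buf, size_t n, const uint8_t *sig, size_t siglen) {
    if (siglen == 0 || siglen > n) return 0;
    for (size_t i = 0; i + siglen <= n; i++)
        if (memcmp(buf + i, sig, siglen) == 0) return 1;
    return 0;
}

/* Lowest key in 1..255 that is itself not a bad byte (the decoder stub has to
 * embed it) and leaves no bad byte in payload ^ key; -1 if no single-byte key works */
int pick_xor_key(const uint8_t *payload, size_t n, const uint8_t *bad, size_t nbad) {
    for (int key = 1; key < 256; key++) {
        uint8_t k = (uint8_t)key;
        if (has_bad_char(&k, 1, bad, nbad)) continue;
        size_t i;
        for (i = 0; i < n; i++) {
            uint8_t e = (uint8_t)(payload[i] ^ k);
            if (has_bad_char(&e, 1, bad, nbad)) break;
        }
        if (i == n) return key;
    }
    return -1;
}

/* XOR is its own inverse: the same call encodes and decodes */
void xor_buf(uint8_t *dst, const uint8_t *src, size_t n, uint8_t key) {
    for (size_t i = 0; i < n; i++) dst[i] = (uint8_t)(src[i] ^ key);
}

/* 1 when the raw payload has a bad byte and matches SIG, the encoded form has
 * neither, and decoding with the same key restores the original bytes */
int demo_roundtrip(void) {
    uint8_t enc[sizeof PAYLOAD], dec[sizeof PAYLOAD];
    int key = pick_xor_key(PAYLOAD, sizeof PAYLOAD, BAD, sizeof BAD);
    if (key < 0) return 0;
    xor_buf(enc, PAYLOAD, sizeof PAYLOAD, (uint8_t)key);
    xor_buf(dec, enc, sizeof PAYLOAD, (uint8_t)key);
    return has_bad_char(PAYLOAD, sizeof PAYLOAD, BAD, sizeof BAD)
        && has_signature(PAYLOAD, sizeof PAYLOAD, SIG, sizeof SIG)
        && !has_bad_char(enc, sizeof PAYLOAD, BAD, sizeof BAD)
        && !has_signature(enc, sizeof PAYLOAD, SIG, sizeof SIG)
        && memcmp(dec, PAYLOAD, sizeof PAYLOAD) == 0;
}

int main(void) {
    printf("key=0x%02X roundtrip=%s\n", pick_xor_key(PAYLOAD, sizeof PAYLOAD, BAD, sizeof BAD),
           demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

This only defeats the static layer from slide 13: a single-byte XOR keeps the byte histogram of the payload, and the dynamic layer sees the decoded bytes the moment the stub runs in the sandbox, which is why the emulator tricks on slides 17 to 19 are a separate problem.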
17. Bypassing Dynamic Analysis [7][8]
• Allocate and fill 100 MB of memory
• Hundred million increments
• Attempt to open a system process
• Attempt to open a non-existing URL
• Action which depends on the local username
• What the fuck is NUMA?
• What the fuck are FLS?
• Check process memory
• Time distortion
• What is my name?
• I am my own father
• First open a mutex
• Load fake library
• Is debugger present
• Number of cores
• Trap flag manipulation

18. Bypassing Dynamic Analysis – Hundred Million Increments [8]
[figure: AV detection vs. emulator; a long, useless loop runs past the emulator's time budget, so the code after it is never emulated]

19. Proper Ways To Execute Shellcode [7][8]
• HeapCreate/HeapAlloc
• LoadLibrary/GetProcAddress
• GetModuleHandle/GetProcAddress
• Multi-threading

20. Challenges of Shellcode for EMET
• Preventing EAT parsing techniques: EMET's Export Address Table Access Filtering (EAF) traps reads of the export tables of ntdll.dll and kernel32.dll by code that does not belong to a loaded module

21. Bypassing Challenges of Shellcode for EMET
• IAT parsing [23]
– The application's own Import Address Table (IAT) also holds the resolved Win32 API addresses, so the shellcode can read them there instead of from the EAT
22. Challenges of Shellcode for Firewalls
• Inbound detection
• Outbound detection
• Usually a firewall allows connections to popular services such as port 25 (SMTP), 53 (DNS), 80 (HTTP), etc.

23. Bypassing Challenges of Shellcode for Firewalls
• Bypassing inbound detection
– Reverse remote shellcode
• Bypassing outbound detection (once you are in, how do you get back out?), e.g. [12]:

24. Bypassing Outbound Detection
• DLL/PE injection into iexplore.exe, telnet, ftp, SSH and the like [13]
• One-way shellcode [2][12]
• Meterpreter HTTP, HTTPS and DNS stagers [21]

25. DLL Injection Overview – Step 1/2 [17]

26. DLL Injection Overview – Step 3/4 [17]

27. Execution Methods of DLL Injection [15]
• CreateRemoteThread()
• NtCreateThreadEx()
• QueueUserAPC()
• SetWindowsHookEx()
• RtlCreateUserThread()
• Code cave via SetThreadContext()
• Reflective DLL

28. DLL/PE Injection into iexplore.exe [13]
• Query the registry key rather than referring to “c:...iexplore.exe” directly
• CreateProcess() to start the browser and keep its window hidden
• WaitForInputIdle() to give the process time to initialise
• WriteProcessMemory() to copy the networking code in
• CreateRemoteThread() to run it
• The injected procedure connects to the web site and sends the HTTP request

29. Reflective DLL Injection [16][18]
[figure: a reflective DLL is a DLL that carries its own PE loader; the reflective DLL is mapped by that loader rather than by LoadLibrary]
31. One-way Shellcode – Find Socket [12] (using an anonymous pipe)

32. One-way Shellcode – Reuse Socket [12]
The problem with the “Find Socket” method:
• the connection's socket may already have been closed by the time the shellcode runs; the fix is to bind the same port again, which needs the SO_REUSEADDR socket option

33. One-way Shellcode – Rebind Socket [12]
The problem that the “Rebind Socket” method addresses:
• when the server has set SO_EXCLUSIVEADDRUSE, reusing the address is not possible
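Worked example added by the editor for slide 31, not code from the slides or from [12]: the “find socket” search done portably on POSIX sockets. The attacker knows the source port of its own connection; the payload walks every descriptor, asks getpeername() and keeps the one whose peer port matches, then reuses it as the shell channel. The harness plays both sides over loopback TCP (assumed available); on Windows the same loop runs over socket handles. It also shows the failure mode from slide 32: once the connection is closed, the search finds nothing.

```c
/* Added example, not from the slides or from [12]: "find socket" on POSIX.
 * The harness below is constructed test traffic over loopback TCP. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Return the first descriptor in [0, max_fd) that is a connected IPv4 socket whose
 * peer port is `peer_port` (host order), or -1 if the connection is already gone. */
int find_socket_by_peer_port(uint16_t peer_port, int max_fd) {
    for (int fd = 0; fd < max_fd; fd++) {
        struct sockaddr_in peer;
        socklen_t len = sizeof peer;
        if (getpeername(fd, (struct sockaddr *)&peer, &len) != 0)
            continue;                                   /* not a socket, or not connected */
        if (peer.sin_family == AF_INET && ntohs(peer.sin_port) == peer_port)
            return fd;
    }
    return -1;
}

/* Harness: a loopback "victim" listener, an "attacker" client, and the accepted
 * socket that the payload has to rediscover. Returns 1 on success, 0 otherwise. */
int demo(void) {
    struct sockaddr_in srv_addr, cli_addr;
    socklen_t alen = sizeof srv_addr, clen = sizeof cli_addr;
    int srv = socket(AF_INET, SOCK_STREAM, 0), cli = socket(AF_INET, SOCK_STREAM, 0);
    if (srv < 0 || cli < 0) return 0;
    memset(&srv_addr, 0, sizeof srv_addr);
    srv_addr.sin_family = AF_INET;
    srv_addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    srv_addr.sin_port = 0;                              /* kernel picks a free port */
    if (bind(srv, (struct sockaddr *)&srv_addr, sizeof srv_addr) || listen(srv, 1) ||
        getsockname(srv, (struct sockaddr *)&srv_addr, &alen) ||
        connect(cli, (struct sockaddr *)&srv_addr, sizeof srv_addr) ||
        getsockname(cli, (struct sockaddr *)&cli_addr, &clen))  /* attacker's source port */
        return 0;
    int acc = accept(srv, NULL, NULL);                  /* the socket the payload must find */
    if (acc < 0) return 0;

    /* Payload side: no handle was passed in, only the known peer port. */
    int found = find_socket_by_peer_port(ntohs(cli_addr.sin_port), 64);
    char buf[16] = {0};
    int ok = found == acc &&
             write(found, "shell>", 6) == 6 &&         /* reuse it as the shell channel */
             read(cli, buf, sizeof buf - 1) == 6 &&
             memcmp(buf, "shell>", 6) == 0;

    /* Failure mode from slide 32: after the connection is closed there is nothing to find. */
    close(acc);
    int gone = find_socket_by_peer_port(ntohs(cli_addr.sin_port), 64) == -1;
    close(cli);
    close(srv);
    return ok && gone;
}

int main(void) {
    printf("find-socket demo: %s\n", demo() ? "recovered the connection" : "failed");
    return 0;
}
```

The search loop is the whole trick: it needs no handle from the exploit, only the port the attacker chose when connecting, and that is also why it breaks as soon as the vulnerable service closes the connection before the payload runs.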
34. The Meterpreter: a stager and a stage [21][22][24]

35. An Up-to-Standards Secure Corporate Environment with the meterpreter/reverse_winhttp Payload [14][22]

36. Bypassing an Up-to-Standards Secure Corporate Environment with the meterpreter/reverse_winhttp Payload [14][22]
[figure: thread 1 runs a local proxy on port 8080 that handles the NTLM authentication to the corporate proxy; thread 2 runs reverse_winhttp with LHOST=127.0.0.1 LPORT=8080, so its HTTP requests trust the local proxy and go out through the corporate proxy]
37. Reference
• [0] How To Make A Reverse TCP Backdoor In Python - Part 1
– https://0x00sec.org/t/how-to-make-a-reverse-tcp-backdoor-in-python-part-1/1038
• [1] How To Make A Reverse TCP Backdoor In Python - Part 2
– https://0x00sec.org/t/how-to-make-a-reverse-tcp-backdoor-in-python-part-2/1040
• [2] Understanding Windows Shellcode
– http://www.hick.org/code/skape/papers/win32-shellcode.pdf
• [3] Windows Reverse Shell Shellcode I
– http://sh3llc0d3r.com/windows-reverse-shell-shellcode-i/
• [4] Windows Reverse Shell Shellcode II
– http://sh3llc0d3r.com/windows-reverse-shell-shellcode-ii/
• [5] Art of Anti Detection 3 – Shellcode Alchemy
– https://pentest.blog/art-of-anti-detection-3-shellcode-alchemy/
• [6] NT Shellcode Prevention Demystified
– http://www.phrack.org/issues/63/15.html#article
• [7] Art of Anti Detection 1 – Introduction to AV and Detection Techniques
– https://www.exploit-db.com/docs/40900.pdf
• [8] Bypass Antivirus Dynamic Analysis – Limitations of the AV Model and How to Exploit Them
– https://wikileaks.org/ciav7p1/cms/files/BypassAVDynamics.pdf
• [9] YARA
– http://virustotal.github.io/yara/

38. Reference (continued)
• [10] Code Segment Encryption
– http://blog.sevagas.com/?Code-segment-encryption
• [11] Hide Meterpreter Shellcode in Executable
– http://blog.sevagas.com/Hide-meterpreter-shellcode-in-executable
• [12] History and Advances in Windows Shellcode
– http://phrack.org/issues/62/7.html
– https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-chong.pdf
• [13] Using Process Infection to Bypass Windows Software Firewalls
– http://phrack.org/issues/62/7.html
• [14] Evade Egress Restrictions with Staged Payloads
– https://blog.cobaltstrike.com/2013/11/15/evade-egress-restrictions-with-staged-payloads/
• [15] Inject All the Things
– http://blog.deniable.org/blog/2017/07/16/inject-all-the-things/
– https://github.com/fdiskyou/injectAllTheThings/
– Microsoft Visual Studio Express 2013 for Windows Desktop
• [16] Reflective DLL Injection
– https://www.dc414.org/wp-content/uploads/2011/01/242.pdf
– https://github.com/stephenfewer/ReflectiveDLLInjection
• [17] Windows DLL Injection Basics
– http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html

39. Reference (continued)
• [18] DOUBLEPULSAR Usermode Analysis: Generic Reflective DLL Loader
– https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll-loader/
• [19] Ten Process Injection Techniques: A Technical Survey of Common and Trending Process Injection Techniques
– https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
– https://github.com/secrary/InjectProc
• [20] Process Hollowing
– https://github.com/m0n0ph1/Process-Hollowing
• [21] Metasploit – The Exploit Learning Tree
– https://www.exploit-db.com/docs/27935.pdf
• [22] Meterpreter Stage AV/IDS Evasion with PowerShell
– https://arno0x0x.wordpress.com/2016/04/13/meterpreter-av-ids-evasion-powershell/
– https://github.com/Arno0x/PowerShellScripts/blob/master/proxyMeterpreterHideout.ps1
• [23] Teaching Old Shellcode New Tricks
– https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2017-Teaching_Old_Shellcode_New_Tricks.pdf
– https://github.com/secretsquirrel/fido
• [24] Deep Dive Into Stageless Meterpreter Payloads
– https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/
• [25] The Art of AV Evasion – or Lack Thereof
– https://www.slideshare.net/CTruncer/the-art-of-av-evasion-or-lack-thereof
– https://github.com/Veil-Framework/Veil