CNIT 126: 10: Kernel Debugging with WinDbg
Sam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F18.shtml
2. WinDbg v. OllyDbg
• OllyDbg is the most popular user-mode debugger for malware analysts
• WinDbg can be used in either user mode or kernel mode
• This chapter explores ways to use WinDbg for kernel debugging and rootkit analysis
4. Device Drivers
• Windows device drivers allow third-party developers to run code in the Windows kernel
• Drivers are difficult to analyze
– They load into memory, stay resident, and respond to requests from applications
• Applications don't directly access kernel drivers
– They access device objects, which send requests to particular devices
5. Devices
• Devices are not physical hardware components
• They are software representations of those components
• A driver creates and destroys devices, which can be accessed from user space
6. Example: USB Flash Drive
• User plugs in a flash drive
• Windows creates the F: drive device object
• Applications can now make requests to the F: drive (such as read and write)
– They will be sent to the driver for that USB flash drive
• User plugs in a second flash drive
– It may use the same driver, but applications access it through the G: drive
7. Loading DLLs (Review)
• DLLs are loaded into processes
• DLLs export functions that can be used by applications
– Through the export table
• When a process loads or unloads the library, Windows calls the DLL's DllMain function
• Link Ch 10n
8. Loading Drivers
• Drivers must be loaded into the kernel
– When a driver is first loaded, its DriverEntry procedure is called
– It prepares callback objects
– Just like DllMain for DLLs
– Links Ch 10n, 10o, 10p
10. DLLs v. Drivers
• DLL
• Loads into memory when a process that imports it is launched (or when the process calls LoadLibrary)
• Executes DllMain at load time
• Prepares the export table
• Driver
• Loads into the kernel when hardware is added or when its service is started
• Executes DriverEntry at load time
• Prepares callback functions and callback objects
11. DriverEntry
• DLLs expose functionality through the export table; drivers don't
• Drivers must register the addresses of their callback functions
– They will be called when a user-space software component requests a service
– The DriverEntry routine performs this registration
– Windows creates a driver object structure (_DRIVER_OBJECT) and passes it to DriverEntry, which fills it with callback functions
– DriverEntry then creates a device that can be accessed from user-land
12. Example: Normal Read
• Normal read request
– User-mode application obtains a file handle to the device
– Calls ReadFile on that handle
– Kernel processes the ReadFile request
– Invokes the driver's callback function that handles I/O
13. Malicious Request
• The most common request from malware is DeviceIoControl
– A generic request from a user-space module to a device managed by a driver
– The user-space program passes in an arbitrary-length buffer of input data
– And receives an arbitrary-length buffer of data as output
– The control code (IOCTL) selects the operation and tells the driver how those buffers are passed
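When you find a DeviceIoControl call in the user-mode component, the control code itself tells you a lot before you ever open the driver: which device type it targets, whether the function number is in the range reserved for third-party drivers, and (the security-relevant part) which buffering method the driver expects. The following is an added example, not code from the slides or the book: it implements the DDK CTL_CODE layout both ways, so it decodes any control code, not just the DeviceIoControl case the slide describes. The FILE_DEVICE_* table is a small subset; the 0x222000 and 0x222003 codes below are constructed examples of the kind a custom driver would define.

```python
"""Encode and decode Windows I/O control codes (IOCTLs).

Layout of the DDK CTL_CODE macro:
    code = (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
"""

METHOD_NAMES = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT",
                2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS_NAMES = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS",
                2: "FILE_WRITE_ACCESS", 3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# Subset of the documented FILE_DEVICE_* values; types >= 0x8000 are third-party.
DEVICE_TYPE_NAMES = {0x02: "FILE_DEVICE_CD_ROM", 0x07: "FILE_DEVICE_DISK",
                     0x09: "FILE_DEVICE_FILE_SYSTEM", 0x0b: "FILE_DEVICE_KEYBOARD",
                     0x12: "FILE_DEVICE_NETWORK", 0x22: "FILE_DEVICE_UNKNOWN"}


def ctl_code(device_type, function, method, access):
    """Equivalent of the DDK CTL_CODE macro, with range checks on each field."""
    if not (0 <= device_type <= 0xFFFF and 0 <= function <= 0xFFF
            and 0 <= method <= 3 and 0 <= access <= 3):
        raise ValueError("CTL_CODE field out of range")
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a 32-bit control code back into its four fields, with names."""
    if not 0 <= code <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit control code")
    device_type = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    if device_type in DEVICE_TYPE_NAMES:
        type_name = DEVICE_TYPE_NAMES[device_type]
    elif device_type >= 0x8000:
        type_name = "third-party device type"
    else:
        type_name = "FILE_DEVICE_? (Microsoft-reserved, not in table)"
    return {
        "device_type": device_type, "device_type_name": type_name,
        "access": access, "access_name": ACCESS_NAMES[access],
        "function": function, "method": method, "method_name": METHOD_NAMES[method],
        # Function codes 0x000-0x7FF are reserved for Microsoft; custom drivers
        # are supposed to use 0x800-0xFFF, so this is a quick "custom IOCTL" tell.
        "third_party_function": function >= 0x800,
        # METHOD_NEITHER hands the driver raw user-mode pointers (Type3InputBuffer
        # and Irp->UserBuffer). A driver that does not ProbeForRead/ProbeForWrite
        # them is a classic local privilege-escalation bug, so flag it.
        "raw_user_pointers": method == 3,
    }


def describe(code):
    """One-line summary suitable for annotating a disassembly listing."""
    d = decode_ioctl(code)
    flags = []
    if d["third_party_function"]:
        flags.append("custom function range")
    if d["raw_user_pointers"]:
        flags.append("raw user pointers")
    return (f"0x{code:08X}: {d['device_type_name']} (0x{d['device_type']:X}) "
            f"function 0x{d['function']:03X} {d['method_name']} {d['access_name']}"
            + (f" [{', '.join(flags)}]" if flags else ""))


if __name__ == "__main__":
    # 0x70000 is the documented IOCTL_DISK_GET_DRIVE_GEOMETRY; the other two are
    # constructed codes of the kind a custom (possibly malicious) driver defines.
    for code in (0x70000, 0x222000, 0x222003):
        print(describe(code))
```

A code such as 0x222000 (FILE_DEVICE_UNKNOWN, function 0x800, METHOD_BUFFERED) is the typical shape of a home-grown driver interface; when the method field is METHOD_NEITHER the driver receives the caller's pointers unvalidated, which is worth a close look in the driver's IRP_MJ_DEVICE_CONTROL handler.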
16. Ntoskrnl.exe & Hal.dll
• Malicious drivers rarely control hardware
• They interact with Ntoskrnl.exe & Hal.dll
– Ntoskrnl.exe has code for core OS functions
– Hal.dll has code for interacting with main hardware components
• Malware will import functions from one or both of these files so it can manipulate the kernel
19. VMware
• In the virtual machine, enable kernel debugging
• Configure a virtual serial port between the VM and the host
• Configure WinDbg on the host machine
20. Boot.ini
• The book activates kernel debugging by editing Boot.ini
• But Microsoft abandoned that system after Windows XP
• Vista and later keep boot settings in the BCD store, edited with bcdedit (bcdedit /debug on, with bcdedit /dbgsettings selecting the serial port and baud rate)
24. Run LiveKD
• Instructions for Windows Server 2016 x64
• Download livekd from https://docs.microsoft.com/en-us/sysinternals/downloads/livekd
• Put livekd.exe in C:\Program Files (x86)\Windows Kits\10\Debuggers\x64
• Run it from that directory
27. Reading from Memory
• dx addressToRead, where x selects the display format
– da Displays as ASCII text
– du Displays as Unicode text
– dd Displays as 32-bit double words
• da 0x401020
– Shows the ASCII text starting at 0x401020
28. Editing Memory
• ex addressToWrite dataToWrite, where x selects the data format
– ea Writes as ASCII text
– eu Writes as Unicode text
– ed Writes as 32-bit double words
29. Using Arithmetic Operators
• The usual arithmetic operators + - / * work inside address expressions
• dwo(address) reads the 32-bit value stored at address, i.e. it dereferences a pointer (poi does the same at the native pointer size)
• du dwo(esp+4)
– At the entry point of a 32-bit function, shows its first stack argument as a wide-character string
30. Setting Breakpoints
• bp sets breakpoints
• You can specify an action to be performed when the breakpoint is hit
• g at the end of the action tells it to resume running
• bp GetProcAddress "da dwo(esp+8); g"
– Breaks when GetProcAddress is called, prints out the second argument, and then continues
– The second argument is the function name (lpProcName)
– If the bare name does not resolve, qualify it with the module: kernel32!GetProcAddress
31. No Breakpoints with LiveKD
• LiveKD works from a snapshot of memory, like a memory dump
• It's read-only
• So you can't use breakpoints (or change anything on the running system)
32. Listing Modules
• lm
– Lists all loaded modules
• Including EXEs and DLLs in user space
• And the kernel drivers in kernel mode
– As close as WinDbg gets to a memory map
• lm m disk
– Shows modules whose names match "disk", such as the disk driver
33. Reading from Memory
• dd nt
– Shows the start of module "nt"
• dd nt L10
– Shows the first 0x10 (16) double words of "nt"; the L prefix gives the length in elements, in hex
35. Online Help
• .hh dd
– Shows help about the "dd" command
– But there are no examples
39. Symbols are Labels
• Including symbols lets you use
– MmCreateProcessAddressSpace
• instead of
– 0x8050f1a2
40. Searching for Symbols
• moduleName!symbolName
– Can be used anywhere an address is expected
• moduleName
– The EXE, DLL, or SYS filename (without extension)
• symbolName
– Name associated with the address
• ntoskrnl.exe is an exception, and is named nt
– Ex: u nt!NtCreateProcess
• Unassembles that function (disassembly)
41. Demo
• Try these
– u nt!NtCreateProcess
– u nt!NtCreateProcess L10
– u nt!NtCreateProcess L20
• L10 and L20 limit the output to 0x10 and 0x20 instructions
42. Deferred Breakpoints
• bu newModule!exportedFunction
– Will set a breakpoint on exportedFunction as soon as a module named newModule is loaded
• $iment
– Function that finds the entry point of a module
• bu $iment(driverName)
– Breaks on the entry point of the driver before any of the driver's code runs
43. Searching with x
• You can search for functions or symbols using wildcards
• x nt!*CreateProcess*
– Displays exported functions & internal functions
44. Listing Closest Symbol with ln
• Helps in figuring out where a call goes
• ln address
– The first lines show the two closest matches (the nearest symbols before and after the address)
– The last line shows an exact match, if there is one
45. Viewing Structure Information with dt
• Microsoft symbols include type information for many structures
– Including undocumented internal types
– They are often used by malware
• dt moduleName!symbolName
• dt moduleName!symbolName address
– Shows the structure with data from address
49. Initialization Function
• The DriverInit field of the _DRIVER_OBJECT structure points to the driver's initialization function (its DriverEntry), which is called first when a driver is loaded
• See the labelled line in the previous slide
• Malware will sometimes place its entire malicious payload in this function
50. Configuring Windows Symbols
• If your debugging machine is connected to an always-on broadband link, you can configure WinDbg to automatically download symbols from Microsoft as needed
• They are cached locally
• File, Symbol File Path
– SRV*c:\websymbols*http://msdl.microsoft.com/download/symbols
54. Kernel Mode and User Mode Functions
• We'll examine a program that writes to files from kernel space
• An unusual thing to do
• Fools some security products, because they only watch the user-mode file APIs
– Kernel-mode programs cannot call user-mode functions like CreateFile and WriteFile
– They must use the kernel's native routines, NtCreateFile and NtWriteFile (drivers normally reach them through the Zw* variants)
55. User-Space Code
• Creates a service with the CreateService function
• dwServiceType is 0x01 (SERVICE_KERNEL_DRIVER)
58. Kernel-Mode Code
• Set WinDbg to Verbose mode (View, Verbose Output)
• Doesn't work with LiveKD
• You'll see every kernel module that loads
• Kernel modules are not loaded or unloaded often
– Any loads are suspicious
– Except Kmixer.sys in VMware machines
62. Kernel-Mode Filenames
• Tracing this function, it eventually creates this file
– \DosDevices\C:\secretfile.txt
• This is a fully qualified object name
– It starts with the root device, usually \DosDevices (the object-manager directory behind drive letters; \??\C:\... is the equivalent form)
63. Finding Driver Objects
• Applications work with devices, not drivers
• Look at the user-space application to identify the interesting device object (the name it passes to CreateFile)
• Use the device object in user mode to find the driver object in kernel mode
• Use !devobj to find out more about the device object, including the driver object that owns it
• Use !devhandles to find the applications that have handles open to the device
65. Rootkit Basics
• Rootkits modify the internal functionality of the OS to conceal themselves
– Hide processes, network connections, and other resources from running programs
– Difficult for antivirus, administrators, and security analysts to discover their malicious activity
• Most rootkits modify the kernel
• Most popular method:
– System Service Descriptor Table (SSDT) hooking
66. System Service Descriptor Table (SSDT)
• Used internally by Microsoft
– To look up function calls into the kernel
– Not normally used by third-party applications or drivers
• Only three ways for user space to access kernel code
– SYSCALL
– SYSENTER
– INT 0x2E
67. SYSENTER
• Used by 32-bit versions of Windows since XP (x64 uses SYSCALL)
• The system service number, which is the index into the SSDT, is stored in the EAX register
• More info about the three ways to call kernel code is in links Ch 10j and 10k
69. SSDT Table Entries
• A rootkit changes the values in the SSDT so rootkit code is called instead of the intended function
• Entry 0x25 would be changed to point at a malicious driver's function
70. Hooking NtCreateFile
• The rootkit calls the original NtCreateFile, then fails the request for the files it wants to hide
• This prevents applications from getting a handle to the file
• Hooking NtCreateFile alone won't hide a file from DIR, however
– Directory listings go through NtQueryDirectoryFile, which the rootkit must hook separately
71. Rootkit Analysis in Practice
• Simplest way to detect SSDT hooking
– Just look at the SSDT
– Look for values that are unreasonable
– In this case, ntoskrnl.exe starts at address 804d7000 and ends at 806cd580
– ntoskrnl.exe is the Kernel!
• lm m nt
– Lists modules matching "nt" (the kernel), giving its start and end addresses
– Any SSDT entry that points outside that range is suspect (on Win 2008 under LiveKD this did not work for me; see next slide)
72. Win 2008
• lm m nt failed on my Win 2008 VM
• This command shows the SSDT
• dps nt!KiServiceTable L poi(nt!KiServiceLimit)
– dps dumps pointers with their symbols; the length is read from nt!KiServiceLimit
• Link Ch 10l
73. SSDT Table
• The marked entry is hooked
• To identify it, examine a clean system's SSDT
74. Finding the Malicious Driver
• lm
– Lists loaded modules
– In the kernel, they are all drivers; the one whose address range contains the hooked entry's target is the rootkit
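The checks on slides 71 to 74 (is every SSDT entry inside the kernel's range, and if not, which driver does it point into, the way ln on slide 44 names the nearest symbol) can be automated over saved WinDbg output. The following is an added example, not code from the slides or the book. It parses the lm listing for module ranges and the dps dump of nt!KiServiceTable, recovers each entry's service number from its slot address, and attributes any out-of-kernel target as module+offset. The sample output below is constructed: the nt range is the one quoted on slide 71, "rootkit" is a hypothetical driver, and the dps lines are a short excerpt, so the table base address is passed in explicitly.

```python
"""Flag SSDT entries that point outside ntoskrnl, from saved WinDbg output."""
import re

_HEX = r"[0-9a-fA-F`]+"          # x64 WinDbg prints addresses as fffff800`01234000
_LM_RE = re.compile(rf"^\s*({_HEX})\s+({_HEX})\s+(\S+)")
_DPS_RE = re.compile(rf"^\s*({_HEX})\s+({_HEX})(?:\s+(.*))?$")


def _h(s):
    """Parse a WinDbg hex number, dropping the x64 backtick separator."""
    return int(s.replace("`", ""), 16)


def parse_lm(text):
    """Return [(name, start, end)] from `lm` output; header and prompt lines don't match."""
    mods = []
    for line in text.splitlines():
        m = _LM_RE.match(line)
        if m:
            mods.append((m.group(3), _h(m.group(1)), _h(m.group(2))))
    return mods


def parse_dps(text):
    """Return [(slot_address, target, symbol_text)] from `dps` output."""
    entries = []
    for line in text.splitlines():
        m = _DPS_RE.match(line)
        if m:
            entries.append((_h(m.group(1)), _h(m.group(2)), (m.group(3) or "").strip()))
    return entries


def resolve(addr, modules):
    """Like `ln` at module granularity: module+0xoffset for the module containing addr."""
    for name, start, end in modules:
        if start <= addr < end:
            return f"{name}+0x{addr - start:x}"
    return None


def find_ssdt_hooks(lm_text, dps_text, table_base, ptr_size=4):
    """Return [(service_number, slot, target, attribution)] for entries outside nt.

    service_number is (slot - table_base) / ptr_size, i.e. the value a
    user-mode stub loads into EAX before SYSENTER (ptr_size=8 on x64 for
    the raw pointer form of the table).
    """
    modules = parse_lm(lm_text)
    nt = next((m for m in modules if m[0] == "nt"), None)
    if nt is None:
        raise ValueError("lm output has no nt module")
    hooks = []
    for slot, target, _symbol in parse_dps(dps_text):
        if nt[1] <= target < nt[2]:
            continue                      # inside ntoskrnl: the normal case
        index = (slot - table_base) // ptr_size
        hooks.append((index, slot, target, resolve(target, modules) or "unknown module"))
    return hooks


# Constructed sample output (see lead-in); only the nt range comes from the slides.
SAMPLE_LM = """\
start    end        module name
804d7000 806cd580   nt         (pdb symbols)
f7ad9000 f7adc000   rootkit    (no symbols)
"""
SAMPLE_DPS = """\
kd> dps nt!KiServiceTable L poi(nt!KiServiceLimit)
80501b8c  8059a948 nt!NtAcceptConnectPort
80501b90  805e5914 nt!NtAccessCheck
80501c20  f7ad94a4
80501c24  805c6d22 nt!NtCreateIoCompletion
80501d44  f7ad9a10
"""
SAMPLE_TABLE_BASE = 0x80501b8c    # address of nt!KiServiceTable in the sample

if __name__ == "__main__":
    for index, slot, target, who in find_ssdt_hooks(SAMPLE_LM, SAMPLE_DPS, SAMPLE_TABLE_BASE):
        print(f"service 0x{index:02x} at {slot:08x} -> {target:08x} ({who})")
```

Entry 0x25 (NtCreateFile on XP, as on slide 69) comes out as rootkit+0x4a4, which is exactly the address to unassemble next with u. The range check is the book's heuristic and is only as good as the lm listing: a rootkit that hides its own module from lm still shows up as "unknown module", which is itself the finding.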
76. Interrupts
• Interrupts allow hardware to trigger software events
• A driver calls IoConnectInterrupt to register a handler for an interrupt code
• It specifies an Interrupt Service Routine (ISR)
– Will be called when the interrupt code is generated
• Interrupt Descriptor Table (IDT)
– Stores the ISR information
– The !idt command shows the IDT
78. Loading Drivers
• If you want to load a driver to test it, you can download the OSR Driver Loader tool
79. Kernel Issues for Windows Vista, Windows 7, and x64 Versions
• Uses BCDedit instead of boot.ini
• x64 versions starting with XP have PatchGuard (Kernel Patch Protection)
– Prevents third-party code from modifying the kernel
– Including kernel code itself, SSDT, IDT, etc.
– It would also catch a debugger patching code to insert breakpoints, which is why Windows does not enable PatchGuard when a kernel debugger is attached at boot
• There are 64-bit kernel debugging tools
– Link Ch 10c
80. Driver Signing
• Enforced in all 64-bit versions of Windows starting with Vista
• Only digitally signed drivers will load
• Effective protection!
• Kernel malware for x64 systems was practically nonexistent when the book was written
– Since then attackers have worked around it with stolen or leaked signing certificates and by loading legitimately signed but vulnerable third-party drivers, so treat it as a barrier rather than a guarantee
– You can disable driver signing enforcement by specifying nointegritychecks in BCDEdit (this only worked on early Vista builds; later versions offer test-signing mode via bcdedit /set testsigning on, which puts a "Test Mode" watermark on the desktop)