SlideShare a Scribd company logo

NDIS Packet of Death

N
nitayart

This document summarizes a presentation about finding vulnerabilities in the Windows kernel network stack. It discusses how exploiting complex and uncommon features like IPv6 packet fragmentation can lead to vulnerabilities. Specifically, it describes CVE-2014-9383, a remote code execution vulnerability discovered in a Bitdefender NDIS filter driver through an IPv6 packet defragmentation bug. The presentation outlines techniques for kernel bug hunting such as intercepting packets and overwriting packet data buffers to cause memory overflows. It also notes tools that can help with reverse engineering NDIS drivers like NDISaster.

Technology
1 of 57
Download to read offline
Windows Kernel, the final frontier Our mission: to explore strange new attack surfaces, to seek out new bugs and new 0-days. To boldly go where (almost) no security researcher has gone before
NDIS PACKET OF DEATH TURNING WINDOWS’ COMPLEXITY AGAINST ITSELF NITAY ARTENSTEIN CHECK POINT
AGENDA 1. INTO THE KERNEL 2. FINDING VULNERABILITIES 3. PWNAGE: CVE-2014-9383
AGENDA 1. INTO THE KERNEL 2. FINDING VULNERABILITIES 3. PWNAGE: CVE-2014-9383
USS WINTERPRISE PACKET FLOW USERlAND KERNEL bridge / APPLICATION NETWORK CARD WINSOCK API WINSOCK KERNEL ?
KERNEL NETWORK CARD MINIPORT DRIVER FILTER DRIVER PROTOCOL DRIVER
Filter Drivers • Handle all packets, regardless of configuration • Massive attack surface • Small, easy to reverse engineer “Being stuck in the middle is not THAT bad!”
KERNEL NETWORK CARD MINIPORT DRIVER FILTER DRIVER PROTOCOL DRIVER SECURiTY
 1. Third party code
KERNEL NETWORK CARD MINIPORT DRIVER FILTER DRIVER PROTOCOL DRIVER SECURiTY
 2. Too much complexity
NETWORK DRIVER INTERFACE SPECIFICATION NETWORK CARD MINIPORT DRIVER FILTER DRIVER PROTOCOL DRIVER NDIS SECURiTY
 3. API quality
The Windows network driver layers absolutely horrendous messes of conflicting layers of backward-compatible cruft emotional trauma the Windows network stack 🙀
Hostile Programming Environments • Bad API design • Complicated memory management • Inadequate documentation • No helper functions “They said kernel programming is good money”
NETWORK DRIVER INTERFACE SPECIFICATION NETWORK CARD MINIPORT DRIVER FILTER DRIVER PROTOCOL DRIVER NDIS SECURiTY
 1. Third party code 2. Too much complexity 3. API quality
AGENDA 1. INTO THE KERNEL 2. FINDING VULNERABILITIES 3. PWNAGE: CVE-2014-9383
FACEOFF GOOD EVIL
KeAcquireSpinLockRaiseToSynch KeBreakinBreakpoint KeEnterKernelDebugger KeFlushWriteBuffer KeGetBugMessageText KeRaiseIrqlToSynchLevel KeRemoveByKeyDeviceQueueIfBusy KeSetTimeUpdateNotifyRoutine IoAcquireCancelSpinLock IoAcquireRemoveLock IoAcquireRemoveLockEx IoAdjustPagingPathCount IoAllocateAdapterChannel IoAllocateController IoAllocateDriverObjectExtension IoAllocateErrorLogEntry IoAllocateIrp IoAllocateMdl IoAllocateWorkItem IoAssignArcName IoAssignResources IoAttachDevice IoAttachDeviceByPointer IoAttachDeviceToDeviceStack IoBuildAsynchronousFsdRequest IoBuildDeviceIoControlRequest IoBuildPartialMdl IoBuildSynchronousFsdRequest IoCallDriver IoCancelIrp IoCheckShareAccess IoCheckShareAccessEx IoCompleteRequest IoConnectInterrupt IoConnectInterruptEx IoCopyCurrentIrpStackLocationToNext IoCreateController IoCreateDevice IoCreateDeviceSecure […] KERNEL API 1000+ Functions NdisAcquireReadWriteLock NdisAcquireSpinLock NdisAdjustBufferLength NdisAllocateBuffer NdisAllocateBufferPool NdisAllocateFromBlockPool NdisAllocateFromNPagedLookasideList NdisAllocateMemory NdisAllocateMemoryWithTag NdisAllocatePacket NdisAllocatePacketPool NdisAllocatePacketPoolEx NdisAllocateSpinLock NdisAnsiStringToUnicodeString NdisBufferLength NDIS_BUFFER_LINKAGE NDIS_BUFFER_TO_SPAN_PAGES NdisBufferVirtualAddress NdisBufferVirtualAddressSafe NdisChainBufferAtBack NdisChainBufferAtFront NdisCloseConfiguration NdisCloseFile NdisCopyBuffer NdisCopyFromPacketToPacket NdisCreateBlockPool NdisDeleteNPagedLookasideList NdisDestroyBlockPool NdisDprAcquireSpinLock NdisDprAllocatePacket NdisDprFreePacket NdisDprReleaseSpinLock NdisEqualMemory NdisEqualString NdisEqualUnicodeString NdisFillMemory NdisFlushBuffer NdisFreeBuffer NdisFreeBufferPool […] NDIS 5 500+ Functions MiniportCheckForHangEx MiniportDevicePnPEventNotify MiniportDriverUnload MiniportInitializeEx MiniportHaltEx MiniportPause MiniportResetEx MiniportRestart MiniportSetOptions MiniportShutdownEx NdisMDeregisterMiniportDriver NdisMGetDeviceProperty NdisMNetPnPEvent NdisMPauseComplete NdisMQueryAdapterInstanceName NdisMRegisterMiniportDriver NdisMRemoveMiniport NdisMResetComplete NdisMResetMiniport NdisMRestartComplete NdisMSetMiniportAttributes NdisMAllocateSharedMemory NdisMFreeSharedMemory NdisGetPhysicalAddressHigh NdisGetPhysicalAddressLow NdisSetPhysicalAddressHigh NdisSetPhysicalAddressLow NdisGetSharedDataAlignment NdisRegisterProtocolDriver NdisDeregisterProtocolDriver NdisOpenAdapterEx NdisCompleteBindAdapterEx NdisCloseAdapterEx NdisCompleteUnbindAdapterEx NdisUnbindAdapter NdisCompleteNetPnPEvent NdisQueryAdapterInstanceName NdisQueryBindInstanceName NdisReEnumerateProtocolBindings […] NDIS 6 500+ Functions
FIRST ATTACK: PACKET CONFUSION GOOD EVIL
FIRST ATTACK: PACKET CONFUSION GOOD MINIPORT DRIVER FILTER DRIVER PROTOCOL DRIVER PACKET PACKET PACKET PACKET TASK: INTERCEPT PACKET, INSPECT CONTENTS
NdisDprAllocatePacket(&Status, &MyPacket, pAdapt->RecvPacketPoolHandle); NDIS_PACKET_FIRST_NDIS_BUFFER(MyPacket) = NDIS_PACKET_FIRST_NDIS_BUFFER(Packet); NDIS_PACKET_LAST_NDIS_BUFFER(MyPacket) = NDIS_PACKET_LAST_NDIS_BUFFER(Packet); // Inspect packet here NdisMIndicateReceivePacket(pAdapt->MiniportHandle, &MyPacket, 1); FIRST ATTACK: PACKET CONFUSION GOOD
FIRST ATTACK: PACKET CONFUSION GOOD [The receive function] the received data as soon as it is copied system performance. Instead, the driver must
NdisDprAllocatePacket(&Status, &MyPacket, pAdapt->RecvPacketPoolHandle); NDIS_PACKET_FIRST_NDIS_BUFFER(MyPacket) = NDIS_PACKET_FIRST_NDIS_BUFFER(Packet); NDIS_PACKET_LAST_NDIS_BUFFER(MyPacket) = NDIS_PACKET_LAST_NDIS_BUFFER(Packet); pPersistentData.Packet = MyPacket; QueueForLaterProcessing(pPersistentData); NdisMIndicateReceivePacket(pAdapt->MiniportHandle, &MyPacket, 1); FIRST ATTACK: PACKET CONFUSION GOOD
FIRST ATTACK: PACKET CONFUSION EVIL API DOCUMENTATION SAMPLE CODE STACKOVERFLOW.COM SITES FROM THE 90’s
FIRST ATTACK: PACKET CONFUSION If we need to queue this packet we will also have to copy over the per-packet information. This is because data is available only for the duration of this receive indication call EVIL
FIRST ATTACK: PACKET CONFUSION EVIL PACKET METADATA BUFFER PACKET METADATA BUFFER PACKET METADATA BUFFER ATTACKER CONTROLLED PACKET SIZE
if (NDIS_GET_PACKET_HEADER_SIZE(Packet) BufferSize) { memcpy( Buffer, PacketBuffer, NDIS_GET_PACKET_HEADER_SIZE(Packet) ); } FIRST ATTACK: PACKET CONFUSION GOOD EVIL 40 1337
GOOD EVIL 0 1 “Much, MUCH better than a green rubber lizard”
SECOND ATTACK: PACKET OVERWRITE GOOD EVIL
SECOND ATTACK: PACKET OVERWRITE GOOD PACKET DATA TASK: APPEND DATA TO END OF PACKET BUFFER BUFFER BUFFER
SECOND ATTACK: PACKET OVERWRITE GOOD BUFFER END OF PACKET DATA
SECOND ATTACK: PACKET OVERWRITE EVIL API DOCUMENTATION SAMPLE CODE Remove all MDLs [memory buffers] from the end of the chain, where the last byte of the MDL isn’t part of the packet buffer
SECOND ATTACK: PACKET OVERWRITE EVIL BUFFER END OF PACKET BUFFER IN USE
BUFFER END OF PACKET BUFFER IN USE EVILGOOD DATA SECOND ATTACK: PACKET OVERWRITE
GOOD EVIL 0 2 “Thank God that hairy chests are acceptable in the 60s”
THIRD ATTACK: death by protocol GOOD EVIL
THIRD ATTACK: death by protocol TASK: DEFRAGMENT IPv6 PACKETS GOOD
KeAcquireSpinLockRaiseToSynch KeBreakinBreakpoint KeEnterKernelDebugger KeFlushWriteBuffer KeGetBugMessageText KeRaiseIrqlToSynchLevel KeRemoveByKeyDeviceQueueIfBusy KeSetTimeUpdateNotifyRoutine IoAcquireCancelSpinLock IoAcquireRemoveLock IoAcquireRemoveLockEx IoAdjustPagingPathCount IoAllocateAdapterChannel IoAllocateController IoAllocateDriverObjectExtension IoAllocateErrorLogEntry IoAllocateIrp IoAllocateMdl IoAllocateWorkItem IoAssignArcName IoAssignResources IoAttachDevice IoAttachDeviceByPointer IoAttachDeviceToDeviceStack IoBuildAsynchronousFsdRequest IoBuildDeviceIoControlRequest IoBuildPartialMdl IoBuildSynchronousFsdRequest IoCallDriver IoCancelIrp IoCheckShareAccess IoCheckShareAccessEx IoCompleteRequest IoConnectInterrupt IoConnectInterruptEx IoCopyCurrentIrpStackLocationToNext IoCreateController IoCreateDevice IoCreateDeviceSecure […] KERNEL API 1000+ Functions NdisAcquireReadWriteLock NdisAcquireSpinLock NdisAdjustBufferLength NdisAllocateBuffer NdisAllocateBufferPool NdisAllocateFromBlockPool NdisAllocateFromNPagedLookasideList NdisAllocateMemory NdisAllocateMemoryWithTag NdisAllocatePacket NdisAllocatePacketPool NdisAllocatePacketPoolEx NdisAllocateSpinLock NdisAnsiStringToUnicodeString NdisBufferLength NDIS_BUFFER_LINKAGE NDIS_BUFFER_TO_SPAN_PAGES NdisBufferVirtualAddress NdisBufferVirtualAddressSafe NdisChainBufferAtBack NdisChainBufferAtFront NdisCloseConfiguration NdisCloseFile NdisCopyBuffer NdisCopyFromPacketToPacket NdisCreateBlockPool NdisDeleteNPagedLookasideList NdisDestroyBlockPool NdisDprAcquireSpinLock NdisDprAllocatePacket NdisDprFreePacket NdisDprReleaseSpinLock NdisEqualMemory NdisEqualString NdisEqualUnicodeString NdisFillMemory NdisFlushBuffer NdisFreeBuffer NdisFreeBufferPool […] NDIS 6 500+ Functions PROTOCOL HELPERS 0 Functions “No worries Spock, I got all the RFCs in my head”
THIRD ATTACK: death by protocol GOOD RFC 2460 (IPv6) RFC 790 (IPv4) RFC 791 (IPv4) RFC 826 (ARP) RFC 1034 (DNS) RFC 768 (UDP) RFC 793 (TCP) RFC 792 (ICMP)
GOOD EVIL 0 3 “I keep this around for when Spock is not on board”
AGENDA 1. INTO THE KERNEL 2. FINDING VULNERABILITIES 3. PWNAGE: CVE-2014-9383
PREMISE: 1. MORE COMPLEXITY == MORE BUGS 2. EDGE CASES ARE THE MOST DIFFICULT TO TEST CONCLUSION: LOOK FOR BUGS IN COMPLICATED AND UNCOMMON USE CASES BUG HUNTING 101 EVIL
A Word About IPv6 • Insanely complicated protocol • Nobody’s using it • Has isoteric features that REALLY nobody uses • NDIS drivers still have to support those features “Anybody order pizza?”
BONUS: YOU GET TO SET THE SIZE OF THE EXTENSION HEADER SECURiTY
 1. Complicated!
RFC 2460 A node may use the IPv6 Fragment header to fragment the packet at the source and have it reassembled at the destination. However, is discouraged EVIL SECURiTY
 2. Unused!
About CVE-2014-9383 • RCE vulnerability in Bitdefender NDIS filter driver • Patched last month • Disclaimer: No ASLR bypass (requires another vuln) • Another disclaimer: Statistical attack, works 50% of the time “Next time Iet me write a Linux driver”
CVE-2014-9383 EVILGOOD PACKET DEFRAGMENTED PACKET TASK: DEFRAGMENT IPv6 PACKETS
CVE-2014-9383 EVILGOOD Buffer 1 Buffer 2 SIZE CALCULATION: HEADERS ARBITRARY SIZE HDR HDR HDR HDR OVERFLOW MAXSIZE
CVE-2014-9383 EVILGOOD EXPLOITABILITY PACKET OBJECT FUNCTION POINTERS OVERFLOWED BUFFER
MergedPacket = ExAllocatePoolWithTag(0, MAX_HEADER_SIZE + BufSize1 + Bufsize2, ‘ TAG’); HeaderSize = CalculateHeaderSize(Packet1); memcpy(MergedPacket, Packet1, HeaderSize); Packet1 += HeaderSize; memcpy(MergedPacket, Packet1, BufSize1); memcpy(MergedPacket, Packet2, BufSize2);GOOD EVIL CVE-2014-9383
“Damn, we’ve exhausted our special effects budget on the previous memes”
Bonus: DIY with NDISaster • Identifies the main handler functions in NDIS drivers • Generates a Windbg script for packet capture • Incorporates the output from Windbag back to IDA • Identifies the main functions per protocol • Still no support for NDIS 6!
github.com/nitayart/NDISaster QUESTIONS?
THANK YOU

Recommended

Attacking Windows NDIS Drivers
Attacking Windows NDIS DriversAttacking Windows NDIS Drivers
Attacking Windows NDIS Drivers
Kique Nissim
 
OSCP.pdf
OSCP.pdfOSCP.pdf
OSCP.pdf
Camuss Sofi
 
OS X Drivers Reverse Engineering
OS X Drivers Reverse EngineeringOS X Drivers Reverse Engineering
OS X Drivers Reverse Engineering
Positive Hack Days
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
Linux Device Driver’s
Linux Device Driver’sLinux Device Driver’s
Linux Device Driver’s
Rashmi Warghade
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
Sri Manakula Vinayagar Engineering College
 
Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019
Michel Schudel
 
Introduction Linux Device Drivers
Introduction Linux Device DriversIntroduction Linux Device Drivers
Introduction Linux Device Drivers
NEEVEE Technologies
 

Recommended

Attacking Windows NDIS Drivers
Attacking Windows NDIS DriversAttacking Windows NDIS Drivers
Attacking Windows NDIS Drivers
Kique Nissim
 
OSCP.pdf
OSCP.pdfOSCP.pdf
OSCP.pdf
Camuss Sofi
 
OS X Drivers Reverse Engineering
OS X Drivers Reverse EngineeringOS X Drivers Reverse Engineering
OS X Drivers Reverse Engineering
Positive Hack Days
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
Linux Device Driver’s
Linux Device Driver’sLinux Device Driver’s
Linux Device Driver’s
Rashmi Warghade
 
Metasploitable
MetasploitableMetasploitable
Metasploitable
Sri Manakula Vinayagar Engineering College
 
Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019Cryptography 101 for Java Developers - Devoxx 2019
Cryptography 101 for Java Developers - Devoxx 2019
Michel Schudel
 
Introduction Linux Device Drivers
Introduction Linux Device DriversIntroduction Linux Device Drivers
Introduction Linux Device Drivers
NEEVEE Technologies
 
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Pierre-jean Texier
 
I2C Subsystem In Linux-2.6.24
I2C Subsystem In Linux-2.6.24I2C Subsystem In Linux-2.6.24
I2C Subsystem In Linux-2.6.24
Varun Mahajan
 
Spi drivers
Spi driversSpi drivers
Spi drivers
pradeep_tewani
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers
Emertxe Information Technologies Pvt Ltd
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
Abhinav Mishra
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
Sally Feller
 
Inter-process communication of Android
Inter-process communication of AndroidInter-process communication of Android
Inter-process communication of Android
Tetsuyuki Kobayashi
 
Find your own iOS kernel bug
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bug
Gustavo Martinez
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Linux I2C
Linux I2CLinux I2C
Linux I2C
KaidenYu
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernel
Adrian Huang
 
Siber Güvenlik ve Etik Hacking Sunu - 5
Siber Güvenlik ve Etik Hacking Sunu - 5Siber Güvenlik ve Etik Hacking Sunu - 5
Siber Güvenlik ve Etik Hacking Sunu - 5
Murat KARA
 
Linux PCI device driver
Linux PCI device driverLinux PCI device driver
Linux PCI device driver
艾鍗科技
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux Kernel
Adrian Huang
 
CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS Core
Stefan Esser
 
Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013
Abraham Aranguren
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internals
Miroslav Stampar
 
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
Alexandre Borges
 
An overview of unix rootkits
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkits
UltraUploader
 

More Related Content

What's hot

Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Pierre-jean Texier
 
I2C Subsystem In Linux-2.6.24
I2C Subsystem In Linux-2.6.24I2C Subsystem In Linux-2.6.24
I2C Subsystem In Linux-2.6.24
Varun Mahajan
 
Spi drivers
Spi driversSpi drivers
Spi drivers
pradeep_tewani
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
Benjamin Delpy
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers
Emertxe Information Technologies Pvt Ltd
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
Abhinav Mishra
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
Christopher Frohoff
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
Sally Feller
 
Inter-process communication of Android
Inter-process communication of AndroidInter-process communication of Android
Inter-process communication of Android
Tetsuyuki Kobayashi
 
Find your own iOS kernel bug
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bug
Gustavo Martinez
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Linux I2C
Linux I2CLinux I2C
Linux I2C
KaidenYu
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernel
Adrian Huang
 
Siber Güvenlik ve Etik Hacking Sunu - 5
Siber Güvenlik ve Etik Hacking Sunu - 5Siber Güvenlik ve Etik Hacking Sunu - 5
Siber Güvenlik ve Etik Hacking Sunu - 5
Murat KARA
 
Linux PCI device driver
Linux PCI device driverLinux PCI device driver
Linux PCI device driver
艾鍗科技
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux Kernel
Adrian Huang
 
CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS Core
Stefan Esser
 
Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013
Abraham Aranguren
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internals
Miroslav Stampar
 

What's hot (20)

Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
Diving into SWUpdate: adding new platform support in 30minutes with Yocto/OE !
 
I2C Subsystem In Linux-2.6.24
I2C Subsystem In Linux-2.6.24I2C Subsystem In Linux-2.6.24
I2C Subsystem In Linux-2.6.24
 
Spi drivers
Spi driversSpi drivers
Spi drivers
 
Abusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get itAbusing Microsoft Kerberos - Sorry you guys don't get it
Abusing Microsoft Kerberos - Sorry you guys don't get it
 
Linux device drivers
Linux device drivers Linux device drivers
Linux device drivers
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
 
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ...
 
UEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and RealityUEFI Firmware Rootkits: Myths and Reality
UEFI Firmware Rootkits: Myths and Reality
 
Inter-process communication of Android
Inter-process communication of AndroidInter-process communication of Android
Inter-process communication of Android
 
Find your own iOS kernel bug
Find your own iOS kernel bugFind your own iOS kernel bug
Find your own iOS kernel bug
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Linux I2C
Linux I2CLinux I2C
Linux I2C
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernel
 
Siber Güvenlik ve Etik Hacking Sunu - 5
Siber Güvenlik ve Etik Hacking Sunu - 5Siber Güvenlik ve Etik Hacking Sunu - 5
Siber Güvenlik ve Etik Hacking Sunu - 5
 
Linux PCI device driver
Linux PCI device driverLinux PCI device driver
Linux PCI device driver
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux Kernel
 
CanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS CoreCanSecWest 2017 - Port(al) to the iOS Core
CanSecWest 2017 - Port(al) to the iOS Core
 
Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013Pentesting like a grandmaster BSides London 2013
Pentesting like a grandmaster BSides London 2013
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internals
 

Similar to NDIS Packet of Death

MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
Alexandre Borges
 
An overview of unix rootkits
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkits
UltraUploader
 
Strange security mitigations
Strange security mitigationsStrange security mitigations
Strange security mitigations
Antonio Costa aka Cooler_
 
LinuxLabs 2017 talk: Container monitoring challenges
LinuxLabs 2017 talk: Container monitoring challengesLinuxLabs 2017 talk: Container monitoring challenges
LinuxLabs 2017 talk: Container monitoring challenges
Xavier Vello
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
amiable_indian
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
amiable_indian
 
Cyberattacks on a marine context (NATO Congress 2011)
Cyberattacks on a marine context (NATO Congress 2011)Cyberattacks on a marine context (NATO Congress 2011)
Cyberattacks on a marine context (NATO Congress 2011)
flagsolutions
 
ifwt remote (sydney ruxmon edition)
ifwt remote (sydney ruxmon edition)ifwt remote (sydney ruxmon edition)
ifwt remote (sydney ruxmon edition)
Tim N
 
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
Alexandre Borges
 
Wireless Hacking Talk
Wireless Hacking TalkWireless Hacking Talk
Wireless Hacking Talk
Mario B.
 
Kubernetes - Starting with 1.2
Kubernetes - Starting with 1.2Kubernetes - Starting with 1.2
Kubernetes - Starting with 1.2
William Stewart
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni
 
MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)
MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)
MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)
Alexandre Borges
 
Security as Code in Docker Ecosystem for Cloud Native Apps
Security as Code in Docker Ecosystem for Cloud Native AppsSecurity as Code in Docker Ecosystem for Cloud Native Apps
Security as Code in Docker Ecosystem for Cloud Native Apps
enlamp
 
Rust: Reach Further
Rust: Reach FurtherRust: Reach Further
Rust: Reach Further
nikomatsakis
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS Firewalls
Priyanka Aash
 
SnakeGX (full version)
SnakeGX (full version) SnakeGX (full version)
SnakeGX (full version)
Flavio Toffalini
 
Introducing MQTT
Introducing MQTTIntroducing MQTT
Introducing MQTT
Andy Piper
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on Lab
Michelle Holley
 
A hitchhiker‘s guide to the cloud native stack
A hitchhiker‘s guide to the cloud native stackA hitchhiker‘s guide to the cloud native stack
A hitchhiker‘s guide to the cloud native stack
QAware GmbH
 

Similar to NDIS Packet of Death (20)

MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019)
 
An overview of unix rootkits
An overview of unix rootkitsAn overview of unix rootkits
An overview of unix rootkits
 
Strange security mitigations
Strange security mitigationsStrange security mitigations
Strange security mitigations
 
LinuxLabs 2017 talk: Container monitoring challenges
LinuxLabs 2017 talk: Container monitoring challengesLinuxLabs 2017 talk: Container monitoring challenges
LinuxLabs 2017 talk: Container monitoring challenges
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
 
Cyberattacks on a marine context (NATO Congress 2011)
Cyberattacks on a marine context (NATO Congress 2011)Cyberattacks on a marine context (NATO Congress 2011)
Cyberattacks on a marine context (NATO Congress 2011)
 
ifwt remote (sydney ruxmon edition)
ifwt remote (sydney ruxmon edition)ifwt remote (sydney ruxmon edition)
ifwt remote (sydney ruxmon edition)
 
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY)
 
Wireless Hacking Talk
Wireless Hacking TalkWireless Hacking Talk
Wireless Hacking Talk
 
Kubernetes - Starting with 1.2
Kubernetes - Starting with 1.2Kubernetes - Starting with 1.2
Kubernetes - Starting with 1.2
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)
MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)
MODERN MALWARE THREAT: HANDLING OBFUSCATED CODE -- CONFIDENCE CONFERENCE (2019)
 
Security as Code in Docker Ecosystem for Cloud Native Apps
Security as Code in Docker Ecosystem for Cloud Native AppsSecurity as Code in Docker Ecosystem for Cloud Native Apps
Security as Code in Docker Ecosystem for Cloud Native Apps
 
Rust: Reach Further
Rust: Reach FurtherRust: Reach Further
Rust: Reach Further
 
Fire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS FirewallsFire & Ice: Making and Breaking macOS Firewalls
Fire & Ice: Making and Breaking macOS Firewalls
 
SnakeGX (full version)
SnakeGX (full version) SnakeGX (full version)
SnakeGX (full version)
 
Introducing MQTT
Introducing MQTTIntroducing MQTT
Introducing MQTT
 
DPDK in Containers Hands-on Lab
DPDK in Containers Hands-on LabDPDK in Containers Hands-on Lab
DPDK in Containers Hands-on Lab
 
A hitchhiker‘s guide to the cloud native stack
A hitchhiker‘s guide to the cloud native stackA hitchhiker‘s guide to the cloud native stack
A hitchhiker‘s guide to the cloud native stack
 

Recently uploaded

Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Pitangent Analytics & Technology Solutions Pvt. Ltd
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
Miro Wengner
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
operationspcvita
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Neo4j
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE VisionWhat is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
DianaGray10
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
Ivo Velitchkov
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
AstuteBusiness
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
Pablo Gómez Abajo
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 

Recently uploaded (20)

Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
Crafting Excellence: A Comprehensive Guide to iOS Mobile App Development Serv...
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
JavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green MasterplanJavaLand 2024: Application Development Green Masterplan
JavaLand 2024: Application Development Green Masterplan
 
The Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptxThe Microsoft 365 Migration Tutorial For Beginner.pptx
The Microsoft 365 Migration Tutorial For Beginner.pptx
 
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid ResearchHarnessing the Power of NLP and Knowledge Graphs for Opioid Research
Harnessing the Power of NLP and Knowledge Graphs for Opioid Research
 
What is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE VisionWhat is an RPA CoE? Session 1 – CoE Vision
What is an RPA CoE? Session 1 – CoE Vision
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 
Apps Break Data
Apps Break DataApps Break Data
Apps Break Data
 
Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |Astute Business Solutions | Oracle Cloud Partner |
Astute Business Solutions | Oracle Cloud Partner |
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Mutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented ChatbotsMutation Testing for Task-Oriented Chatbots
Mutation Testing for Task-Oriented Chatbots
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 

NDIS Packet of Death