SlideShare a Scribd company logo
(Un) Fucking Forensics
Active/Passive memory hacking/debugging
K2 / Director @IOACTIVE
https://github.com/K2
About me?
• Hacker for a while
• inVtero.net
• Memory analysis framework for Windows
• Super fast/GBPS throughput
• Memory integrity checking of VM’s/CrashDumps/Memory
• Type aware memory hacking tool
• EhTrace
• Binary trace tool
• Uses hook/patch-less technique for in-process debugging
• Lots of other stuff
Outline / areas
• How to forensic, how to Fuck forensics and how to un fuck it.
• Intx80 AF technique on header wipe/non-resident code/trim()
• How to deal with that
• RoP background, how it’s used in attacks
• Gargoyle attacks & how to protect against them
• CloudLeech – twist on UlfFrisk DMA attacks / PCILeech
• Demo of open source memory integrity platform for Windows!
Can you even
forensic?
• In general: Determine what happened.
Make a timeline of known events.
• “Artifacts” disk & memory (often
incomplete/fragmented) used to build timeline.
• How good can we do? How do we know if were
done?
Artifact
sources
How
attestable are
they?
• Time stamps from all sources to derive timeline
(event logs/syslog/firewall/filesystem time, etc…)
• Wevtutil - Windows Events Command Line Utility.
Configure more than 1189 event log sources
• SysMon (from SysInternals/Mark Russinovich) / neat
config: https://github.com/SwiftOnSecurity/sysmon-
config
• Linux (osquery
https://github.com/facebook/osquery )
Handling memory
• Forensics meets Reverse Engineering
• Dump / disassemble determine what the extent of capability the attacker possesses
• I want to at least clear this guy out & find out how much damage he did
• Volatility/Rekall python forensic engines
• Stephen Ridley’s RE memory hacking tool: https://github.com/s7ephen/SandKit
• Paper: Escaping the sandbox
• GAME HACKING! 
• Let’s look at what people do to cheat sometime?
How to F’it?
• Hide really well
• Wipe/Destroy logging/leave no
trace/Stenography/Encrypt
• Misdirect
• Flood/Annoy/Make analysis so
costly$$$/Obfuscate/Spoof/
• Direct Attack
• DefCon 15: Breaking Forensics
Software: Weaknesses in Critical
Evidence Collection Chris Palmer,
Alex Stamos
Anti-forensics: Furthering digital forensic science through a new extended,
granular taxonomy:
Foreshadowing: normalize you’re operations
• A great way to operate undetected is to ensure you are not an
anomaly.
• Use the resources of you’re target to conduct you’re operations.
• “Configuration” attacks
• Enable IPV6 tunneling & VPN access
• Attacker has trusted CA capability (added their privkey to trusted list)
• The more “normal” the method will be very hard to dig up
Int0x80’s AF counter
Attack against a tool:
Rekall
• Prevent dumping for working
More ways to get it;
• Use VAD (kernel source)
• Use PageTable (ABI)
• Use inVtero.net
• dump.py - VADDump (VAD) or
Dump (PageTable)
RoP: More normal
• RoP is an often discussed topic used mostly for exploitation
• RoP uses the CPU stack semantics to execute as if it were a really large set of return
statements.
• This uses the code that’s already on the system more “normalized” than if you had to inject
an executable payload that did not originate from the target
• RoP is used by Gargoyle (Josh Lospinoso) as an example of a persistence
technique that evades memory analysis systems
• There is hope, we can detect RoP attacks through call chain evaluation
RoP is not
perfect
https://www.cs.columbia.edu/~angelos/Papers/theses/vpappas_thesis.pdf
Gargoyle
persistence
• Leverages a timer and blocking
wait that moves it into the “active
state”
• Once active, stages page
protection +X
• Then uses this page to invoke it’s
primary payload
• It then mask’s the +X bit back off
and goes inactive
Tools too defend against RoP attack?
• Analysis: ROPEMU: A Framework for the Analysis of Complex Code-
Reuse Attacks
• Dump a complex RoP execution trace into an ELF !! Wow!
• Detection: inVtero.net can perform a stack checking function against
the memory dump.
• Similar tools for monitoring RoP at run time (EhTrace, RoPGuard, etc…)
• From the inVtero output, you really do NOT want to see the Gargoyle gadget,
or anything that looks like a stack pivot
Injection techniques
• Many variegations to achieve the same goal;
• 10 Process Injection Techniques (Ashkan Hosseini/Endgame)
• LoadLibrary, Hallowing, Thread hijacking, Windows Hooks, Registry
keys, APC, SetWindowLong, Shims & IAT shims
• Flame was a sort of hallowing attack
• “hid” inside of ntdll, remained undetected for years
Enter DMA with PCILeech
• Ulf Frisk Direct-Memory-Attack-the-Kernel:
• PCILeech attacks and utility for forensics (memory) collection
• Uses a variety of (very cool) techniques to execute payloads
• One of the simplest is the “unlock” functionality
• It’s an inline patch however
• Hard to detect w/o manual reversing
Integrity validation
• Full validation at any point in time must be able to be conducted
• System state should/must be static
• CPU execution will allow attackers to play games / evade read’s
• RDMA
• LiveMigration / Snapshotting
Tie it together
Un F’d Memory Forensics – Remove the guesswork
• Leverage wide range of information sources
• Have a comprehensive global view of the data set
• Appropriate countermeasures for most attackers (RoP)
• Integrity checking of memory (in line patch protection)
• Symbols and context for analysis of pointers
• Pointer tracking becomes more significant as we can qualify their address/vector
Demo’s & Thank you
• Check out the tools
Github.com/K2

More Related Content

What's hot

Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
infodox
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm Hole
DefCamp
 
Distributed Fuzzing Framework Design
Distributed Fuzzing Framework DesignDistributed Fuzzing Framework Design
Distributed Fuzzing Framework Design
bannedit
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgeneration
CanSecWest
 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day Management
Codenomicon
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTING
MuH4f1Z
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
CODE BLUE
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Priyanka Aash
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
Zoltan Balazs
 
Cloud Security with LibVMI
Cloud Security with LibVMICloud Security with LibVMI
Cloud Security with LibVMI
Tamas K Lengyel
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux
Jason Murray
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Tamas K Lengyel
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
Shakacon
 
XFLTReat: a new dimension in tunnelling
XFLTReat:  a new dimension in tunnellingXFLTReat:  a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
Shakacon
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Priyanka Aash
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
Zoltan Balazs
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Shota Shinogi
 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparation
Manich Koomsusi
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner
 

What's hot (20)

Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
DefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm HoleDefCamp 2013 - MSF Into The Worm Hole
DefCamp 2013 - MSF Into The Worm Hole
 
Distributed Fuzzing Framework Design
Distributed Fuzzing Framework DesignDistributed Fuzzing Framework Design
Distributed Fuzzing Framework Design
 
Csw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgenerationCsw2016 d antoine_automatic_exploitgeneration
Csw2016 d antoine_automatic_exploitgeneration
 
Fuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day ManagementFuzzing 101 Webinar on Zero Day Management
Fuzzing 101 Webinar on Zero Day Management
 
FUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTINGFUZZING & SOFTWARE SECURITY TESTING
FUZZING & SOFTWARE SECURITY TESTING
 
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...
 
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-mainDefcon 22-philip-young-from-root-to-special-hacking-ibm-main
Defcon 22-philip-young-from-root-to-special-hacking-ibm-main
 
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers - [ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
[ENG] OHM2013 - The Quest for the Client-Side Elixir Against Zombie Browsers -
 
Cloud Security with LibVMI
Cloud Security with LibVMICloud Security with LibVMI
Cloud Security with LibVMI
 
2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux2016 TTL Security Gap Analysis with Kali Linux
2016 TTL Security Gap Analysis with Kali Linux
 
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
 
XFLTReat: a new dimension in tunnelling
XFLTReat:  a new dimension in tunnellingXFLTReat:  a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
 
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malwareDefcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
Defcon 22-wesley-mc grew-instrumenting-point-of-sale-malware
 
Hacking Windows 95 #33c3
Hacking Windows 95 #33c3Hacking Windows 95 #33c3
Hacking Windows 95 #33c3
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
Oscp preparation
Oscp preparationOscp preparation
Oscp preparation
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 

Similar to Un) fucking forensics

Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
Peter Hlavaty
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
Positive Hack Days
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 
Reverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfReverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdf
AbdelrahmanShaban3
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
VeilFramework
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwonThe basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
Kenneth Kwon
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
Touhami Kasbaoui
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
APNIC
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
centralohioissa
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
Michael Gough
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
Tiago Henriques
 
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsDEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
Felipe Prado
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
enSilo
 
Hacking the Gateways
Hacking the GatewaysHacking the Gateways
Hacking the Gateways
Onur Alanbel
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
Priyanka Aash
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
Zoltan Balazs
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
nitinscribd
 
L27
L27L27
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101
Rafel Ivgi
 

Similar to Un) fucking forensics (20)

Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
Reverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfReverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdf
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwonThe basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon
 
Malware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence MoroccoMalware analysis _ Threat Intelligence Morocco
Malware analysis _ Threat Intelligence Morocco
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
Jason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional ToolsJason Kent - AppSec Without Additional Tools
Jason Kent - AppSec Without Additional Tools
 
You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0You need a PROcess to catch running processes and their modules_v2.0
You need a PROcess to catch running processes and their modules_v2.0
 
Vulnerability, exploit to metasploit
Vulnerability, exploit to metasploitVulnerability, exploit to metasploit
Vulnerability, exploit to metasploit
 
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tipsDEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
DEF CON 27 - DIMITRY SNEZHKOV - zombie ant farm practical tips
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
Hacking the Gateways
Hacking the GatewaysHacking the Gateways
Hacking the Gateways
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
L27
L27L27
L27
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101
 

Recently uploaded

Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
Techgropse Pvt.Ltd.
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Tosin Akinosho
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
Brandon Minnick, MBA
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
Claudio Di Ciccio
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 

Recently uploaded (20)

Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
 
Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdfMonitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
 
Choosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptxChoosing The Best AWS Service For Your Website + API.pptx
Choosing The Best AWS Service For Your Website + API.pptx
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 

Un) fucking forensics

  • 1. (Un) Fucking Forensics Active/Passive memory hacking/debugging K2 / Director @IOACTIVE https://github.com/K2
  • 2. About me? • Hacker for a while • inVtero.net • Memory analysis framework for Windows • Super fast/GBPS throughput • Memory integrity checking of VM’s/CrashDumps/Memory • Type aware memory hacking tool • EhTrace • Binary trace tool • Uses hook/patch-less technique for in-process debugging • Lots of other stuff
  • 3. Outline / areas • How to forensic, how to Fuck forensics and how to un fuck it. • Intx80 AF technique on header wipe/non-resident code/trim() • How to deal with that • RoP background, how it’s used in attacks • Gargoyle attacks & how to protect against them • CloudLeech – twist on UlfFrisk DMA attacks / PCILeech • Demo of open source memory integrity platform for Windows!
  • 4. Can you even forensic? • In general: Determine what happened. Make a timeline of known events. • “Artifacts” disk & memory (often incomplete/fragmented) used to build timeline. • How good can we do? How do we know if were done?
  • 5. Artifact sources How attestable are they? • Time stamps from all sources to derive timeline (event logs/syslog/firewall/filesystem time, etc…) • Wevtutil - Windows Events Command Line Utility. Configure more than 1189 event log sources • SysMon (from SysInternals/Mark Russinovich) / neat config: https://github.com/SwiftOnSecurity/sysmon- config • Linux (osquery https://github.com/facebook/osquery )
  • 6. Handling memory • Forensics meets Reverse Engineering • Dump / disassemble determine what the extent of capability the attacker possesses • I want to at least clear this guy out & find out how much damage he did • Volatility/Rekall python forensic engines • Stephen Ridley’s RE memory hacking tool: https://github.com/s7ephen/SandKit • Paper: Escaping the sandbox • GAME HACKING!  • Let’s look at what people do to cheat sometime?
  • 7. How to F’it? • Hide really well • Wipe/Destroy logging/leave no trace/Stenography/Encrypt • Misdirect • Flood/Annoy/Make analysis so costly$$$/Obfuscate/Spoof/ • Direct Attack • DefCon 15: Breaking Forensics Software: Weaknesses in Critical Evidence Collection Chris Palmer, Alex Stamos
  • 8. Anti-forensics: Furthering digital forensic science through a new extended, granular taxonomy:
  • 9. Foreshadowing: normalize you’re operations • A great way to operate undetected is to ensure you are not an anomaly. • Use the resources of you’re target to conduct you’re operations. • “Configuration” attacks • Enable IPV6 tunneling & VPN access • Attacker has trusted CA capability (added their privkey to trusted list) • The more “normal” the method will be very hard to dig up
  • 10. Int0x80’s AF counter Attack against a tool: Rekall • Prevent dumping for working More ways to get it; • Use VAD (kernel source) • Use PageTable (ABI) • Use inVtero.net • dump.py - VADDump (VAD) or Dump (PageTable)
  • 11. RoP: More normal • RoP is an often discussed topic used mostly for exploitation • RoP uses the CPU stack semantics to execute as if it were a really large set of return statements. • This uses the code that’s already on the system more “normalized” than if you had to inject an executable payload that did not originate from the target • RoP is used by Gargoyle (Josh Lospinoso) as an example of a persistence technique that evades memory analysis systems • There is hope, we can detect RoP attacks through call chain evaluation
  • 13. Gargoyle persistence • Leverages a timer and blocking wait that moves it into the “active state” • Once active, stages page protection +X • Then uses this page to invoke it’s primary payload • It then mask’s the +X bit back off and goes inactive
  • 14. Tools too defend against RoP attack? • Analysis: ROPEMU: A Framework for the Analysis of Complex Code- Reuse Attacks • Dump a complex RoP execution trace into an ELF !! Wow! • Detection: inVtero.net can perform a stack checking function against the memory dump. • Similar tools for monitoring RoP at run time (EhTrace, RoPGuard, etc…) • From the inVtero output, you really do NOT want to see the Gargoyle gadget, or anything that looks like a stack pivot
  • 15. Injection techniques • Many variegations to achieve the same goal; • 10 Process Injection Techniques (Ashkan Hosseini/Endgame) • LoadLibrary, Hallowing, Thread hijacking, Windows Hooks, Registry keys, APC, SetWindowLong, Shims & IAT shims • Flame was a sort of hallowing attack • “hid” inside of ntdll, remained undetected for years
  • 16. Enter DMA with PCILeech • Ulf Frisk Direct-Memory-Attack-the-Kernel: • PCILeech attacks and utility for forensics (memory) collection • Uses a variety of (very cool) techniques to execute payloads • One of the simplest is the “unlock” functionality • It’s an inline patch however • Hard to detect w/o manual reversing
  • 17. Integrity validation • Full validation at any point in time must be able to be conducted • System state should/must be static • CPU execution will allow attackers to play games / evade read’s • RDMA • LiveMigration / Snapshotting
  • 18. Tie it together Un F’d Memory Forensics – Remove the guesswork • Leverage wide range of information sources • Have a comprehensive global view of the data set • Appropriate countermeasures for most attackers (RoP) • Integrity checking of memory (in line patch protection) • Symbols and context for analysis of pointers • Pointer tracking becomes more significant as we can qualify their address/vector
  • 19. Demo’s & Thank you • Check out the tools Github.com/K2