DOCSLIB.ORG

In Injected DLL, 145–146 for Writing and Reading, 122–124 Event

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

INDEX A anti-cheat software, 245–246 anti-cheat rootkit, defeating, About text field, Trainer generator 261–262 dialog, 9 binary validation, defeating, accessing memory 259–261 in injected DLL, 145–146 bot footprints, managing, for writing and reading, 122–124 250–256 Action Message Format (AMF), 169 ESEA Anti-Cheat toolkit, 247 actor functions, 216 GameGuard toolkit, 248–249 actuation, 216, 223 heuristics, defeating, 262–263 Address column PunkBuster toolkit, 246–247 Event Properties dialog, 55 screenshots, defeating, 258 OllyDbg disassembler pane, 27 signature-based detection, addresses, memory. See memory evading, 256–257 addresses VAC toolkit, 247–248 Address Space Layout Randomization Warden toolkit, 249–250 (ASLR), 128 anti-crowd-control hacks, 218 bypassing in injected DLL, anti-debugging techniques, 251, 146 –147 255–256 bypassing in production, arithmetic instructions, 90–92 128–130 A* search algorithm, 234 disabling for bot cost, 233 development, 128 creating node, 234–237 in Process Explorer, 56, 57 creating path list, 239–240 Adobe AIR hooking, 169 score, 234 decode() function, 172–173, uses for, 240–241 174 –175 writing search function, 237–239 encode() function, 171–172, ASLR. See Address Space Layout 174 –175 Randomization (ASLR) placing hooks, 173 –175 Asm2Clipboard plug-in, 42 RTMP, assessing, 169–170 assembly code Adobe AIR.dll, 173 –175 copying, 42 airlog tool, 170 tracing, 32–33 alignment viewing and navigating in in numeric data, 68 OllyDbg, 27–29 of variables, in data structures, assembly language, 78. See also 70–71 x86 assembly language ambient light, adding, 190–192 assembly patterns, searching for, AMF (Action Message Format), 169 19–21 AStarNode class, 234–236 intercepting network traffic, AT&T syntax, 80 206–211 autocombo, 219 monitoring memory, 204–205 autododge, 219 obfuscation, 251, 255–256 autokite bots, 244 sending packets, 215–217 automatic healer, 218, 225–228, spell trainers, 219 230–232 branching, 92–94 autonomous bots, 221–222. See also breakpoints, 30, 34, 38 control theory; state Breakpoints window, OllyDbg, 26 machines BSOD (Blue Screen of Death), 256 cavebots, 241–243 BYTE data type, 67 complex hypothetical state bytes, machine code, 78 machine, 228–230 error correction, 230–232 C healer state machine, 225–228 pathfinding with search C++, 66 algorithms, 232–234 callee, 94–95 warbots, 243–244 caller, 94–95 autoreload, 219 callHook() function, 154 autosnipe bots, 244 call hooking, 153–156. See also Adobe autowall bots, 244 AIR hooking calling conventions, 95 for call hooks, 155 B __cdecl, 95, 155 ban waves, 246 __fastcall, 95 Bigger Than scan type, Cheat __stdcall, 95 Engine, 6 __thiscall, 95, 217 binary arithmetic instructions, 90 for trampoline functions, 168 binary validation, 248, 259–261 for VF table hooks, 156–158 bits, EFLAGS register, 84 CALL instruction, 94–95 Blue Screen of Death (BSOD), 256 call stack bots. See also autonomous bots; overflow, 255–256 extrasensory perception viewing, 30 (ESP) hacks x86 assembly language, 86–88 anti-crowd-control hacks, 218 Call stack window, OllyDbg, 26 anti-debugging techniques, 251, capacity of std::vector, 109 255–256 casting spells. See spells automatic healer, 218, 225–228, cavebots, 241–243 230–232 __cdecl convention, 95, 155 detecting debuggers, 251–254 Changed Value scan type, Cheat detecting visual cues, 205–206 Engine, 7 disabling ASLR for characters. See also enemies development, 128 health bars, monitoring with emulating keyboard, 211–215 bots, 204–205 footprints, managing, 250–256 pausing execution when health game updates, dealing with, drops, 39–42 101–104 player health, finding with OllyDbg, 99–101 266 Index char data type, 67 Comment column, OllyDbg Cheat Engine, 3, 5–6 disassembler pane, 28 automatically locating string complex hypothetical state machine, addresses with, 102 228–230 cheat tables, 7–8 conditional breakpoints, 34, 38 correct address, determining, 7 conditional statements, 93 first scan, running, 6 constant ratio of health, adjusting installing, 4 for, 230–231 Lua scripting environment, control-critical routines, timing, 254 18–22 control flow hacks, 31 memory modification, 8–11 control flow manipulation, 149–150. next scan, running, 7 See also Adobe AIR pointer scanning with, 14–18 hooking; Direct3D scan types, 6 hooking std::list, determining whether call hooking, 153–156 data is stored in, 112–113 IAT hooking, 160–165 std::m a p, determining whether jump hooking, 165–169 data is stored in, 117 NOPing, 150–152 trainer generator, 9–11 VF table hooking, 156–160 VF tables, 78 control theory, 222 zoom factor, finding, 197 combining with state cheat tables, Cheat Engine, 7–8 machines, 225 Cheat Utility plug-in, 42–43 complex hypothetical state CheckRemoteDebuggerPresent() machine, 228–230 function, 251 error correction, 230–232 classes, 74–78 healer state machine, 225–228 class instances, 76 control windows, OllyDbg, 25–26 CloseHandle() function, 122, 138 cooldowns, displaying enemy, closing mutexes, 59–60 200–201 CMP instruction, 92 copying assembly code, 42 code caves, 134 copy-on-write protection, 126 loading DLLs, 143 –146 corpses, bot behavior toward, thread hijacking, 138–142 229, 240 thread injection, 134–138 correct address, determining in code injection, 133–134 Cheat Engine, 7 bypassing ASLR in production, CPU window, OllyDbg, 26–30, 40 128–130 crashing debuggers, 255 DLLs, 142–146 CreateRemoteThread() function, 129, with thread hijacking, 138–142 130, 134, 138 with thread injection, 134–138 CreateToolhelp32Snapshot() function, code patches, creating, 31–32 120, 141 column configurations, Process creature data, knowing structure Monitor, 51 behind, 106–107 combat, automating, 243–244 critical game information, displaying, command line plug-in, OllyDbg, 198–201 43–44 crowd-control attacks, 218 command syntax, x86 assembly cryptographic functions, language, 79–81 hooking, 170 Index 267 CS register, 85 finding devices, 177–181 C-style operators, OllyDbg, 34–35 optional fixes for stability, 184 custom behaviors for cavebots, writing hook for EndScene(), scripting, 243 182–183 writing hook for Reset(), 183–184 D directional lighthacks, 190–191 disabling ASLR, 128 dark environments, lighting up, disassembler pane, OllyDbg, 190–192 27–29, 42 data modification instructions, 89 Disassembly column, OllyDbg data structures, 71–73 disassembler pane, 28 data types, 66 dispatchPacket() function, 210 classes and VF tables, 74–78 display base, 27 numeric data, 67–69 DLL (dynamic link library), OllyDbg, 36 injecting, 142–146 string data, 69–71 DllMain() entry point, 144 –145 unions, 73–74 DLLs option, Process Explorer DBG_RIPEXCEPTION handlers, pane, 57 checking for, 253 Domain Name System (DNS) cache debugging. See also OllyDbg scans, 248 anti-debugging techniques, DOS header, 160–161 255–256 DrawIndexedPrimitive() function, 194, debug drivers, checking for, 254 195, 196, 200 debug strings, printing, 253 drawing loop, Direct3D, 176–177 detecting debuggers, 251–254 DS register, 85 Process Monitor, 52–53 dump pane, OllyDbg, 29–30 __declspec(naked) convention, 168 DWORD data type, 67, 145–146 decode() function, hooking, 172–173, dynamically allocated memory, 6, 174 –175 11, 12 Decreased Value By scan type, Cheat dynamic link library (DLL), Engine, 7 injecting, 142–146 Decreased Value scan type, Cheat dynamic lure, 242–243 Engine, 7 dynamic structures, 105 dependencies, DLL, 145 std::list class, 110–113 dependency loading, 160 std::m a p class, 114–118 depositor, 242 std::string class, 105–108 destination operand, 80 std::vector class, 108–110 detection, avoiding. See anti-cheat software device->SetRenderState() function, 192 E Dijkstra’s algorithm, 233–234 EAX register, 81 Direct3D 9, 176 EBP register, 83 Direct3D hooking, 175–176. See also EBX register, 82 extrasensory perception ECX register, 82, 157 (ESP) hacks EDI register, 83 detecting visual cues in games, EDX register, 82 205–206 EFLAGS register, 84, 92 drawing loop, 176 –177 EIP register, 83, 139 268 Index emulating keyboard, 211–215 pausing execution when health enableLightHackDirectional() function, of character drops, 190–191 39–42 encode() function, hooking, 171–172, pausing execution when name of 174 –175 player is printed, 37–38 EndScene() function supported data types, 36 jump hooking, 178–181 extrasensory perception (ESP) hacks, stability of, 184 189–190 writing hook for, 182–183 background knowledge, 190 endSceneTrampoline() function, 181 floor spy hacks, 201–202 enemies. See also extrasensory HUDs, 198–201 perception (ESP) hacks lighthacks, 190–192 cooldowns, displaying, 200–201 loading-screen HUDs, 201 critical game information, pick-phase HUDs, 201 displaying, 198–201 range hacks, 201 predicting movements of, 241 wallhacks, 192–197 texture, changing, 195–196 zoomhacks, 197–198 entropy, 5, 7 Environment tab, Process Explorer F Properties dialog, 58 error correction, 230–232 false positives, VAC toolkit, 248 ESEA (E-Sports Entertainment __fastcall convention, 95 Association), 247 feedback loop, 222 ESEA Anti-Cheat toolkit, 247 file accesses, inspecting in Process ESI register, 83 Explorer, 60 ESP hacks. See extrasensory Filesystem event class filter, 52 perception (ESP) hacks FILO (first-in-last-out), 86 ESP register, 83 filters, event class, 51–52 ES register, 85 findItem() function, 116–117 Euclidean distance heuristic, 236 findSequence() function, 175 event class filters, Process Monitor, first-in-last-out (FILO), 86 51–52 first-person shooter (FPS), xxii, 246 event log, Process Monitor, 52–53 first scan, running in Cheat Event Properties dialog,
Recommended publications
  • Advance Dynamic Malware Analysis Using Api Hooking

    Advance Dynamic Malware Analysis Using Api Hooking

    www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume – 5 Issue -03 March, 2016 Page No. 16038-16040 Advance Dynamic Malware Analysis Using Api Hooking Ajay Kumar , Shubham Goyal Department of computer science Shivaji College, University of Delhi, Delhi, India [email protected] [email protected] Abstract— As in real world, in virtual world also there are type of Analysis is ineffective against many sophisticated people who want to take advantage of you by exploiting you software. Advanced static analysis consists of reverse- whether it would be your money, your status or your personal engineering the malware’s internals by loading the executable information etc. MALWARE helps these people into a disassembler and looking at the program instructions in accomplishing their goals. The security of modern computer order to discover what the program does. Advanced static systems depends on the ability by the users to keep software, analysis tells you exactly what the program does. OS and antivirus products up-to-date. To protect legitimate users from these threats, I made a tool B. Dynamic Malware Analysis (ADVANCE DYNAMIC MALWARE ANAYSIS USING API This is done by watching and monitoring the behavior of the HOOKING) that will inform you about every task that malware while running on the host. Virtual machines and software (malware) is doing over your machine at run-time Sandboxes are extensively used for this type of analysis. The Index Terms— API Hooking, Hooking, DLL injection, Detour malware is debugged while running using a debugger to watch the behavior of the malware step by step while its instructions are being processed by the processor and their live effects on I.
  • Userland Hooking in Windows

    Userland Hooking in Windows

    Your texte here …. Userland Hooking in Windows 03 August 2011 Brian MARIANI SeniorORIGINAL Security SWISS ETHICAL Consultant HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch SOME IMPORTANT POINTS Your texte here …. This document is the first of a series of five articles relating to the art of hooking. As a test environment we will use an english Windows Seven SP1 operating system distribution. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch WHAT IS HOOKING? Your texte here …. In the sphere of computer security, the term hooking enclose a range of different techniques. These methods are used to alter the behavior of an operating system by intercepting function calls, messages or events passed between software components. A piece of code that handles intercepted function calls, is called a hook. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch THE WHITE SIDE OF HOOKING TECHNIQUES? YourThe texte control here …. of an Application programming interface (API) call is very useful and enables programmers to track invisible actions that occur during the applications calls. It contributes to comprehensive validation of parameters. Reports issues that frequently remain unnoticed. API hooking has merited a reputation for being one of the most widespread debugging techniques. Hooking is also quite advantageous technique for interpreting poorly documented APIs. ORIGINAL SWISS ETHICAL HACKING ©2011 High-Tech Bridge SA – www.htbridge.ch THE BLACK SIDE OF HOOKING TECHNIQUES? YourHooking texte here can …. alter the normal code execution of Windows APIs by injecting hooks. This technique is often used to change the behavior of well known Windows APIs.
  • I've Injected a Dll - You Won't Believe What Happened Next! by @Captnbanana

    I've Injected a Dll - You Won't Believe What Happened Next! by @Captnbanana

    I'VE INJECTED A DLL - YOU WON'T BELIEVE WHAT HAPPENED NEXT! BY @CAPTNBANANA WHO R U MAN I do red teaming / pentesting Interested in reversing & exploit development And: Game hacking https://bananamafia.dev/ MOTIVATION MOTIVATION: MONEY Win at Tournament: $$$ Cheat: Easier $$$ ? Cheat subscription 7 Days: 7€ 30 Days: 30€ 90 Days: 28€ PAID CHEATS "Humanized Bot" "We are undetected, we swear!" "If you attach a debugger we will ban you from the cheat service" "We don't log, trust us!" CHEAT TYPES Wallhack Aimbot Game Specific: No Flash Anti Grip See invisible players Crosshair hack HACK TYPES Internal External (Instrumented) TOOLING Visual Studio: C++ Debugger, e.g. x64dbg IDA/Ghidra/Radare2/Cutter/... Cheat Engine ABOUT CHEAT ENGINE It's great Inspect and analyze process memory Disassembler Scripting engine Windows / Linux ceserver + GUI (wine) HANDY CHEAT ENGINE FEATURES Scan for known values "What writes/reads" this address Freeze values 0:00 / 0:59 INTERNAL HACK ON WINDOWS For Jedi Academy and Counter Strike: GO Plan: Build DLL loader Build actual DLL Inject DLL Profit LOADER CODE HANDLE procHandle = OpenProcess( PROCESS_ALL_ACCESS, FALSE, PID); LPVOID loadFunctionAddress = (LPVOID)GetProcAddress( GetModuleHandle("kernel32.dll"), "LoadLibraryA"); LPVOID allocatedMem = LPVOID(VirtualAllocEx( procHandle, nullptr, MAX_PATH, MEM_RESERVE | MEM_COMMIT, THE INJECTED DLL BOOL APIENTRY DllMain (HMODULE hModule, DWORD ul_reason_for_ca switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: MessageBox(0, "Cool, Works!", "1337 DLL", 0); break; } return
  • Contents in This Issue

    Contents in This Issue

    APRIL 2006 The International Publication on Computer Virus Prevention, Recognition and Removal CONTENTS IN THIS ISSUE 2 COMMENT LEAP YEAR Problems for AV vendors: some thoughts Although the hype surrounding OSX/Leap-A far outweighs the number of reported infections, the 3 NEWS virus does present a number of new ideas that we may well see again. Glyn Kennington investigates. More updating woes page 4 Spy couple sentenced ‘Real’ computer virus MR AND MRS ROOTKIT Viewers of the German version of the Mr. and Mrs. Smith movie DVD were surprised to find a little 3 VIRUS PREVALENCE TABLE more than they had bargained for on their DVDs thanks to the presence of a new protection system. VIRUS ANALYSES The protection software was found to be using 4 A small step for Mac OS X rootkit-like techniques to hide itself. Elia Florio discusses the security issues associated with the 6 Not a feeble attempt Settec DRM case. page 10 10 FEATURE LINUX COMPARATIVE Stories from the DRM world: the Settec case The main competition amongst products this month seemed to be to determine 13 COMPARATIVE REVIEW which could have the least useful Red Hat Linux 9 documentation – find out which products redeemed themselves by achieving a VB 100%. page 13 20 END NOTES & NEWS This month: anti-spam news & events and Sorin Mustaca takes an indepth look at PayPal phishing. ISSN 1749-7027 COMMENT ‘I see drowning in • Analysing proactive technologies, including heuristics and behaviour blockers so as to penetrate new malware as systems despite these barriers. one of the main • Interfering with anti-virus solutions, for instance, by issues facing the blocking automatic updates.
  • A Brief Survey on Rootkit Techniques in Malicious Codes

    A Brief Survey on Rootkit Techniques in Malicious Codes

    A Brief Survey on Rootkit Techniques in Malicious Codes Sungkwan Kim, Junyoung Park, Kyungroul Lee Ilsun You Soonchunhyang University Korean Bible University Shinchang-myun, Asan-si, Republic of Korea Seoul, Republic of Korea fcarpedm, wwkim3, [email protected] [email protected] Kangbin Yim∗ Soonchunhyang University Shinchang-myun, Asan-si, Republic of Korea [email protected] Abstract Nowadays, malicious codes are significantly increasing, leading to serious damages to information systems. It is worth to note that these codes generally depend on the rootkit techniques to make it more difficult for themselves to be analyzed and detected. Therefore, it is of paramount importance to research the rootkits to effectively defend against malicious codes. In this paper, we explore and survey the rootkit techniques both in user-level and kernel-level. Several rootkit samples are also utilized for the test and verification purpose. Keywords: rootkit, malicious codes, keyboard security 1 Introduction The superlative invention of the Internet in the 20th century has generated innovative developments in the computer industry. While internet speed is increasing, adverse effects are also increasing. A com- puter virus, which would have taken a long time to propagate in former days, can now spread throughout the world currently in a few seconds or minutes. In the past, the spreading technology was very simple and the path was limited, thus enabling an account technician sufficient time to protect against the virus. However, malicious codes have been intelligently armed with self-deformation and concealment, cre- ating many problems such as Distributed Denial of Services Attacks (DDoS), SPAM, and hijacking of personal information[2].
  • Captain Hook: Pirating AVS to Bypass Exploit Mitigations WHO?

    Captain Hook: Pirating AVS to Bypass Exploit Mitigations WHO?

    Captain Hook: Pirating AVS to Bypass Exploit Mitigations WHO? Udi Yavo . CTO and Co-Founder, enSilo . Former CTO, Rafael Cyber Security Division . Researcher . Author on BreakingMalware Tomer Bitton . VP Research and Co-Founder, enSilo . Low Level Researcher, Rafael Advanced Defense Systems . Malware Researcher . Author on BreakingMalware AGENDA . Hooking In a Nutshell . Scope of Research . Inline Hooking – Under the hood - 32-bit function hooking - 64-bit function hooking . Hooking Engine Injection Techniques . The 6 Security Issues of Hooking . Demo – Bypassing exploit mitigations . 3rd Party Hooking Engines . Affected Products . Research Tools . Summary HOOKING IN A NUTSHELL . Hooking is used to intercept function calls in order to alter or augment their behavior . Used in most endpoint security products: • Anti-Exploitation – EMET, Palo-Alto Traps, … • Anti-Virus – Almost all of them • Personal Firewalls – Comodo, Zone-Alarm,… • … . Also used in non-security products for various purposes: • Application Performance Monitoring (APM) • Application Virtualization (Microsoft App-V) . Used in Malware: • Man-In-The-Browser (MITB) SCOPE OF RESEARCH . Our research encompassed about a dozen security products . Focused on user-mode inline hooks – The most common hooking method in real-life products . Hooks are commonly set by an injected DLL. We’ll refer to this DLL as the “Hooking Engine” . Kernel-To-User DLL injection techniques • Used by most vendors to inject their hooking engine • Complex and leads security issues Inline Hooking INLINE HOOKING – 32-BIT FUNCTION HOOKING Straight forward most of the time: Patch the Disassemble Allocate Copy Prolog Prolog with a Prolog Code Stub Instructions JMP INLINE HOOKING – 32-BIT FUNCTION HOOKING InternetConnectW before the hook is set: InternetConnectW After the hook is set: INLINE HOOKING – 32-BIT FUNCTION HOOKING The hooking function (0x178940) The Copied Instructions Original Function Code INLINE HOOKING – 32-BIT FUNCTION HOOKING .
  • Towards a General Defense Against Kernel Queue Hooking Attacks

    Towards a General Defense Against Kernel Queue Hooking Attacks

    Towards a General Defense against Kernel Queue Hooking Attacks Jinpeng Wei 1 and Calton Pu 2 1Florida International University, 11200 SW 8th Street, Miami, FL, 33199 USA, [email protected] 2Georgia Institute of Technology, 266 Ferst Dr, Atlanta, GA 30332 USA, [email protected] Abstract Kernel queue hooking (KQH) attacks achieve stealthy malicious function execution by embedding malicious hooks in dynamic kernel schedulable queues (K-Queues). Because they keep kernel code and persistent hooks intact, they can evade detection of state-of-the-art kernel integrity monitors. Moreover, they have been used by advanced malware such as the Rustock spam bot to achieve malicious goals. In this paper, we present a systematic defense against such novel attacks. We propose the Precise Lookahead Checking of function Pointers approach that checks the legitimacy of pending K-Queue callback requests by proactively checking function pointers that may be invoked by the callback function. To facilitate the derivation of specifications for any K-Queue, we build a unified static analysis framework and a toolset that can derive from kernel source code properties of legitimate K-Queue requests and turn them into source code for the runtime checker. We implement proof-of-concept runtime checkers for four K-Queues in Linux and perform a comprehensive experimental evaluation of these checkers, which shows that our defense is effective against KQH attacks. Keywords : control flow integrity; kernel queue hooking; rootkits; runtime defense; static analysis 1 Introduction Rootkits have become one of the most dangerous threats to systems security. Because they run at the same privilege level as the operating systems kernel, they can modify the OS behavior 1 in arbitrary ways.
  • Evasive Internet Protocol: End to End Performance

    Evasive Internet Protocol: End to End Performance

    EVASIVE INTERNET PROTOCOL: END TO END PERFORMANCE By Maaz Khan Submitted in partial fulfillment of the requirements for the Degree of Master of Science Thesis Advisor: Prof. Michael Rabinovich Department of Electrical Engineering and Computer Science CASE WESTERN RESERVE UNIVERSITY August 2011 CASE WESTERN RESERVE UNIVERSITY SCHOOL OF GRADUATE STUDIES We hereby approve the thesis/dissertation of Maaz Khan ______________________________________________________ Masters candidate for the ________________________________degree *. Michael Rabinovich (signed)_______________________________________________ (chair of the committee) Mehmet Koyuturk ________________________________________________ Vincenzo Liberatore ________________________________________________ ________________________________________________ ________________________________________________ ________________________________________________ 06/09/2011 (date) _______________________ *We also certify that written approval has been obtained for any proprietary material contained therein. Contents Contents i List of Figures iii Abstract iv Chapter 1 Introduction 1 1.1 Basic Approach . 2 1.2 Security and feasibility . 3 Chapter 2 Architecture 6 2.1 Delegation of Authority . 6 2.2 T-Address . .8 2.3 Datagrams . 9 2.4 Obtaining a Destination T-address. 13 Chapter 3 Packet Modification using Netfilter Framework 15 3.1 The Packet Buffer . 15 3.1.1 SKB basic management functiuons . 18 3.2 The Netfilter API . .20 i 3.2.1 Netfilter Hooks . .21 3.2.2 Registering and Unregistering hook functions . .23 Chapter 4 Implementation 27 4.1 Components . 28 4.2 Changing the MSS . 31 Chapter 5 Performance 33 5.1 Experiment Setup . 33 5.2 TCP v/s EIP Performance . ..35 5.3 UDP v/s EIP Performance . .39 Chapter 6 Conclusion 43 References 44 ii List of Figures 1. T-Address . .. .. .. .. 9 2. Type-1 Datagram . .. .. .. 11 3. Type-2 Datagram . 11 4.
  • David Weinstein Dweinst@Insitusec.Com 2

    David Weinstein [email protected] 2

    20121 Advanced x86: Virtualization with VT-x Part 3 David Weinstein [email protected] 2 All materials are licensed under a Creative Commons “Share Alike” license. • http://creativecommons.org/licenses/by-sa/3.0/ 42012 Real mode guest VM • What if we wanted to run some real mode code as a guest VM. – Maybe because support for Virtual-8086 emulation is unsupported by the CPU’s compatibility mode in 64-bit mode • Allan Cruse (Prof. Emeritus @ University of San Francisco) shows us how to do this with a guest VM – http://www.cs.usfca.edu/~cruse/cs686s07/lesson24.ppt • So I fixed the code to work with recent Linux 3.* kernels • We’ll get to experience the fun of calling a BIOS interrupt in a guest VM container – In the comfort of our Linux environment 2012 The Real Mode Address Space • Code that uses real-mod addresses is limited to the bottom megabyte of memory: 0xFFFFF ROM Read-Only Memory (BIOS) ROM Read-Only Memory (Video) VRAM Video display memory one-megabyte EBDA Extended BIOS Data Area address-space RBDA ROM-BIOS Data Area IVT Interrupt-Vector Table 0x00000 Ref: http://www.cs.usfca.edu/~cruse/cs686s07/lesson24.ppt 5 62012 Real mode guests… for reals • To support guest real-mode execution, the VMM may establish a simple fat page table for guest linear to host physical address mapping. 72012 BIOS Services • int 0x10: video display services • int 0x11: equipment-list service • int 0x12: memory-size service • int 0x13: disk input/output services • int 0x14: serial communications services • int 0x15: system software services • More on
  • Countering Kernel Rootkits with Lightweight Hook Protection

    Countering Kernel Rootkits with Lightweight Hook Protection

    Countering Kernel Rootkits with Lightweight Hook Protection ZhiWang XuxianJiang WeidongCui PengNing NC State University NC State University Microsoft Research NC State University [email protected] [email protected] [email protected] [email protected] ABSTRACT stealing private information, escalating privileges of malicious pro- Kernel rootkits have posed serious security threats due to their stealthy cesses, and disabling defense mechanisms. manner. To hide their presence and activities, many rootkits hi- Given the serious security threats, there has been a long line of jack control flows by modifying control data or hooks in the kernel research on rootkit defense. Specifically, prior research efforts can space. A critical step towards eliminating rootkits is to protect such be roughly classified into three categories. In the first category, hooks from being hijacked. However, it remains a challenge be- systems such as Panorama [33], HookFinder [32], K-Tracer [15], cause there exist a large number of widely-scattered kernel hooks and PoKeR [24] focus on analyzing rootkit behaviors. Systems and many of them could be dynamically allocated from kernel heap in the second category are primarily designed for detecting rootk- and co-located together with other kernel data. In addition, there is its based on certain symptoms exhibited by rootkit infection. Ex- a lack of flexible commodity hardware support, leading to the so- amples are Copilot [20], SBCFI [21], and VMwatcher [13]. In called protection granularity gap – kernel hook protection requires the third category, systems such as SecVisor [26], Patagonix [16], byte-level granularity but commodity hardware only provides page- and NICKLE [23] have been developed to preserve kernel code level protection.
  • Subverting Operating System Properties Through Evolutionary DKOM Attacks

    Subverting Operating System Properties Through Evolutionary DKOM Attacks

    Subverting Operating System Properties through Evolutionary DKOM Attacks Mariano Graziano1;3, Lorenzo Flore2, Andrea Lanzi2, and Davide Balzarotti1 1 Eurecom 2 Universit`adegli Studi di Milano 3 Cisco Systems, Inc. Abstract Modern rootkits have moved their focus on the exploitation of dynamic memory struc- tures, which allows them to tamper with the behavior of the system without modifying or injecting any additional code. In this paper we discuss a new class of Direct Kernel Object Manipulation (DKOM) attacks that we call Evolutionary DKOM (E-DKOM). The goal of this attack is to alter the way some data structures \evolve" over time. As case study, we designed and im- plemented an instance of Evolutionary DKOM attack that targets the OS scheduler for both userspace programs and kernel threads. Moreover, we discuss the implementation of a hypervisor-based data protection system that mimics the behavior of an OS com- ponent (in our case the scheduling system) and detect any unauthorized modification. We finally discuss the challenges related to the design of a general detection system for this class of attacks. 1 Introduction Rootkits are a particular type of malicious software designed to maintain a hidden access to a compromised machine by targeting the running kernel. To mitigate this severe threat, several defense techniques for code protection and attestation have been proposed in the literature [27, 37, 39, 46]. These mechanisms try to protect the appli- cations and the kernel code against any illicit modification of its instructions. This also prevents hooking techniques that attempt to divert the control flow to a routine controlled by the attacker.
  • 2019 Mid-Market Threat and Incident Response Report

    2019 Mid-Market Threat and Incident Response Report

    TM Infocyte Mid-Market Threat and Incident Response Report (Q2, 2019) 2019 Mid-market Threat and Incident Response Report infocyte.com 1 TM Infocyte Mid-Market Threat and Incident Response Report (Q2, 2019) Q2 2019 Mid-market Threat and Incident Response Report by Chris Gerritz, Co-founder and Chief Product Officer, Infocyte Executive Summary In the 90-day span from April to June 2019, Infocyte’s SaaS threat detection and incident response platform, Infocyte HUNT1, has performed over 550,000 forensic inspections on systems across hundreds of customer networks within the mid-enterprise business sector. These inspections were divided between partner-led investigations, proactive compromise assessments, and continuous use by Infocyte subscribed customers. As part of these inspections, we performed analysis on over 12.4 million unique files and 44,800 fileless in-memory injections found in whitelisted/approved applications. We reviewed 339,000+ accounts and associated behavioral logs for malicious activity, and evaluated 161,000+ unique applications for possible threats and vulnerabilities. This report is a summary of our findings from customers and partners. It includes what we have learned about the threats and our recommendations on what companies can do to lower their risk of being affected by these and other security threats. The findings and recommendations in this report are significant for companies in the mid-market range having between 99 and 5,000 employees and up to $1 billion in annual revenue. Most industry reports of this nature – such as the annual Verizon Data 1: Infocyte HUNT is an independent, Breach Incident Report and the FireEye Mandiant M-Trends report cloud-deployable proactive security and – are focused on the large enterprise, consisting of companies incident response platform that helps that typically have far larger security budgets, larger teams and organizations detect and respond to threats and vulnerabilities hiding within more tools and resources compared to mid-market companies.