
The use cases for hooking code execution are abundant and this topic is very expansive. EhTracing (pronounced Tracing) is a technique that allows monitoring/altering of code execution at a high rate with several distinct advantages. Full-context (registers, stack & system state) hooking can be logged without needing to know a function prototype, and changes to execution flow can be made as desired. Traditional detours-style hooking requires a lengthy disassembly engine and direct modifications to the binary's .text segment to insert the intended hook (no changes to the binary are needed with EhTrace). Block/branch stepping simplifies the analysis code (it does not need to do a full procedure/function graph recognition/traversal). This talk will focus on the use of VEH and the DR7 backdoor on x64 Windows.

In a nutshell, EhTrace enables very good performance, in-proc debugging and a dead simple RoP hook primitive. Some neat graphics and visualizations will be made, and some of the early examples are up at https://github.com/K2/EhTrace. This novel implementation for hookers establishes a model for small purpose-built block-fighting primitives to be used in order to analyze & do battle, code vs. code. As a special bonus “round 3 FIGHT!” we will see a hypervisor DoS that will cause a total lockup for most hypervisors (100%+ utilization per core). This goes to show that emulating or even adapting a hypervisor to a full CPU feature set is exceedingly hard, and it's unlikely that a sandbox/hypervisor/emulator will be a comprehensive solution to evade detection by adversarial code for some time. Let's have some fun block fighting with some loose boxed hookers!

Bio: K2 likes to poke around at security cyber stuff, writing tools and exploits to get an understanding of what's easy, hard and fun/profit! He's written and contributed to books, papers and spent time at security conferences over the years. K2 currently works with IOActive and enjoys a diverse and challenging role analyzing some of the most complex software systems around.
DEF CON 24 - K2 - BlockFighting with a Hooker: BlockfFghter2!
Published on 13 Nov 2016 (Creative Commons Attribution licence, reuse allowed)