Monitoring Native Execution in WoW64 Apps
Offered By: Hack In The Box Security Conference via YouTube
Course Description
Overview
This HITB Security Conference talk covers techniques for monitoring native (64-bit) execution inside WoW64 applications. It examines the difficulties of injecting a 64-bit DLL into a WoW64 process and hooking the 64-bit APIs it passes through, and presents new injection methods, modifications to existing techniques, and workarounds for the obstacles that newer Windows versions introduce, such as Control Flow Guard's restrictions on valid call targets. Presenters Yarden Shafir and Assaf Carlsbad share their research into OS internals, reverse engineering, and exploit mitigations, with the goal of security monitoring that works across all current Windows versions.
Syllabus
Intro
BACKGROUND
WoW64 system call overview
THE SOLUTION
INJECTION CONT.
INJECTION #1 - WOW64LOG.DLL
INJECTION #2 - HEAVEN'S GATE
INJECTION #3 - APC
CFG - CONTROL FLOW GUARD
VALID CALL TARGETS
CFG IN WOW64
BACK TO APC INJECTION
SO WHERE'S THE PROBLEM?
OPTION #1 - NATIVIZE THE PROCESS
NATIVIZE THE PROCESS - DOWNSIDES
OPTION #2 - "THUNKLESS" APC INJECTION
REQUIREMENTS
WHAT'S IN R9?
INLINE HOOKS 101
CONSTRAINTS
API RE-IMPLEMENTATION
BACK TO THE DRAWING BOARD #1
WORKS ON WINDOWS 10 BUT ONLY THERE.
BACK TO THE DRAWING BOARD #2
DEEP HOOKS - RECAP
REFERENCES
Taught by
Hack In The Box Security Conference
Related Courses
Browser Hacking With ANGLE (Hack In The Box Security Conference via YouTube)
Can A Fuzzer Match A Human (Hack In The Box Security Conference via YouTube)
Biometrics System Hacking in the Age of the Smart Vehicle (Hack In The Box Security Conference via YouTube)
ICEFALL - Revisiting A Decade Of OT Insecure-By-Design Practices (Hack In The Box Security Conference via YouTube)
Fuzzing the MCU of Connected Vehicles for Security and Safety (Hack In The Box Security Conference via YouTube)