Detecting Reflective Injection

Presented at DEF CON 20 (2012), July 27, 2012, 3 p.m. (50 minutes)

This talk will focus on detecting reflective injection with some mildly humorous notes and bypassing said protections until vendors start actually working on this problem. It seems amazing that reflective injection still works. Why is that? Because programmers are lazy. They don't want to write new engines, they want to write definitions for an engine that already exists. So what do we do about it? Release a $5 tool that does what $50 AV has failed epically at for several years now...oh and it took me a week or so...Alternately, you could license it to vendors since their programmers are lazy.

Presenters:

  • Andrew King - Contract Researcher, GrayHat Research, LLC
    Andrew King is a recent graduate. He has been a hobbyist for many years, but has only recently tried to transition into information security as a job field. A previous talk was given at ToorCon on polymorphism as it relates to definitions. He wrote a set of articles demonstrating the implementation of simple internal-to-function encoding and decoding. Additional code will be released to demonstrate automation of binary patching to use this method without using a debugger. It is not a fully functional evasion tool, but it does demonstrate pushing this level of obfuscation into a more automated arena. Adding a couple of small code sections could turn this into a usable evasion tool. Twitter: @aking1012