Presented at DEF CON 24 (2016), Aug. 5, 2016, noon (60 minutes).
What's your style of hooking? My hooking style? It's like hooking without hookers.
The use cases for hooking code execution are abundant and this topic is very expansive. EhTracing (pronounced "ATracing") is a technique that allows monitoring and altering of code execution at a high rate, with several distinct advantages.
In a nutshell, EhTrace offers very good performance, in-process debugging, and a dead simple ROP hook primitive. Some neat graphics and visualizations will be made from some of the early examples, which are up at https://github.com/K2/EhTrace
This novel implementation for hookers establishes a model for small purpose built block-fighting primitives to be used in order to analyze & do battle, code vs. code.
As a special bonus, "round 3 FIGHT!", we will see a hypervisor DoS that will cause a total lockup for most hypervisors (100%+ utilization per CORE). This goes to show that emulating or even adapting a hypervisor to a full CPU feature set is exceedingly hard, and it’s unlikely that a sandbox/hypervisor/emulator will be a comprehensive solution for detecting evasive adversarial code for some time.
Let’s have some fun blockfighting with some loose boxed hookers!
Presenters:
- K2, Director, IOActive
K2 likes to poke around at security cyber stuff, writing tools and exploits to get an understanding of what’s easy, hard and fun/profit! He’s written and contributed to books, papers and spent time at security conferences over the years.
K2 currently works with IOActive and enjoys a diverse and challenging role analyzing some of the most complex software systems around.
Handle: ktwo
Twitter: @IOACTIVE
GitHub: github.com/K2, github.com/ShaneK2