Relocation Bonus: Attacking the Windows Loader Makes Analysts Switch Careers

Presented at DEF CON 26 (2018), Aug. 11, 2018, 5 p.m. (45 minutes).

The arbiters of defense wield many static analysis tools; disassemblers, PE viewers, and anti-viruses are among them. When you peer into their minds, these tools reveal their perilous implementations of PE file parsing. They assume PE files come as-is, but the Windows Loader actually applies many mutations (some at the command of the PE itself) before execution ever begins. This talk is about bending that loader to one's whim with the Relocations Table as a command spell. It will demonstrate how the loader can be instrumented into a mutation engine capable of transforming an utterly mangled PE file into a valid executable. This method starts with multiple ASLR Preselection attacks that force binary mapping at a predictable address. It then mangles the PE file, garbling any byte not required prior to relocation. Finally, it embeds a new Relocations Table which, when paired with a preselected base address, causes the loader to reconstruct the PE and execute it with ease. This isn't a packer or a POC, it is a PE rebuilder which generates completely valid, stable, and vastly tool-breaking executables. This talk will show you how this attack twists the protocols of a machine against the controls meant to protect it. It flexes on tools with various look-what-I-can-break demonstrations and, if you write similar tools, it'll make you rethink how you do it.


Presenters:

  • Nick Cano - Senior Security Architect @ Cylance
    Nick is a self-taught software engineer, hacker, and an avid CTFer. He started coding when he was 11 and planted his roots in video game hacking by 14. His game hacking endeavors lead to a profitable business which became the foothold for his career. Nick is the author of"Game Hacking: Developing Autonomous Bots for Online Games," and has spoken about topics such as malware analysis, Windows internals, game hacking, and memory forensics at DEF CON, DerbyCon, HOPE, and other prestigious conferences. Previously a Senior Engineer at Bromium and currently a Senior Architect at Cylance, he's using his Windows internals experience to help make advances with endpoint protection, detection, and response. https://twitter.com/nickcano93, https://nickcano.com/, https://github.com/nickcano

Links:

Similar Presentations: