Presented at
DEF CON 27 (2019),
Aug. 9, 2019, 4 p.m.
(20 minutes).
Malware authors are always looking for new ways to achieve code injection, thereby allowing them to run their code in remote processes. Code Injection allows hackers to better hide their presence, gain persistence and leverage other processes' data and privileges.
Finding and implementing new, stable methods for code injection is becoming more and more challenging as traditional techniques are now widely detected by various security solutions or limited by native OS protections.
Inject-Me is a new method to inject code to a remote process in x64. Inject-Me is in fact "injection-less" - the remote (target) process is manipulated to read data from the injecting process, copy and execute it. The manipulation is mainly based on abusing ReadProcessMemory and calling conventions in X64. In addition to presenting Inject-Me, the talk will mention a generalized approach to copying data in remote processes to recreate shellcode from the injecting process.
Presenters:
-
Alon Weinberg
- Security Researcher, Deep Instinct
Alon Weinberg is a security researcher at Deep Instinct. Prior to joining Deep Instinct two years ago, Alon served in the IDF for 4.5 years in an elite cyber unit as a security researcher.
As part of his role in Deep Instinct, Alon is in charge of finding new ways to enhance and develop protection and defense mechanisms. Alon leverages his experience in offensive operations, OS internals and programming to explore attack surfaces in Windows and macOS, analyze malware and research attack vectors and evasion techniques. Alon is a cross-fit junky and enjoys riding his motorcycle whenever his training routine allows it.
LinkedIn: https://www.linkedin.com/in/alon-weinberg-2a7742142/
Links:
Similar Presentations: