STrace - A DTrace on windows reimplementation.

Presented at DEF CON 30 (2022), Aug. 14, 2022, 11 a.m. (45 minutes)

II'll document the kernel tracing APIs in modern versions of windows, implemented to support Microsofts' port of the ‘DTrace’ system to windows. This system provides an officially supported mechanism to perform system call interception that is patchguard compatible, but not secure boot compatible. Alongside the history and details of DTrace this talk will also cover a C++ and Rust based reimplementation of the system that I call STrace. This reimplementation allows users to write custom plugin dlls which are manually mapped to the kernel address space. These plugins can then log all system calls, or perform any side effects before and after system call execution by invoking the typical kernel driver APIs – if desired.

Presenters:

• Stephen Eckels
  Stephen Eckels, is a reverse engineer that explores blue team tooling and regularly sees front line malware. Stephen has published past tools such as GoReSym - a golang symbol recovery tool, and written extensively about many forms of hooking including hooking the wow64 layer. Stephen maintains the open source hooking library PolyHook, some of his other work is public on the Mandiant blog!

Links:

• https://forum.defcon.org/node/242292
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Stephen Eckels - STrace - A DTrace on windows reimplementation.mp4
• https://infocon.org/cons/DEF CON/DEF CON 30/DEF CON 30 video and slides/DEF CON 30 - Stephen Eckels - STrace - A DTrace on windows reimplementation.srt (subtitles)

Similar Presentations:

• Black Hat Europe 2016 / Attacking Windows by Windows
• Black Hat USA 2022 / To Flexibly Tame Kernel Execution With Onsite Analysis
• Black Hat USA 2016 / The Linux Kernel Hidden Inside Windows 10