Presented at
DEF CON 30 (2022),
Aug. 12, 2022, 1:30 p.m.
(20 minutes).
While much knowledge exists on using syscalls for red team efforts, information on writing original shellcode with syscalls so in modern x86 is sparse and lacking. Our reverse engineering efforts, however, have revealed the necessary steps to take to successfully perform syscalls in shellcode, both for Windows 7 and 10, as there are some significant differences.
In this talk, we will embark upon a journey that will show the process of reverse engineering how Windows syscalls work in both Windows 7 and 10, while focusing predominately on the latter. With this necessary foundation, we will explore the process of effectively utilizing syscalls inside shellcode. We will explore the special steps that must be taken to set up syscalls – steps that may not be required to do equivalent actions with WinAPI functions.
This talk will feature various demonstrations of syscalls in x86 shellcode.
Presenters:
-
Bramwell Brizendine
as Dr. Bramwell Brizendine
Dr. Bramwell Brizendine completed his Ph.D. in Cyber Operations recently, where he did his dissertation on Jump-Oriented Programming, a hitherto, seldom-studied and poorly understood subset of code-reused attacks. Bramwell developed a fully featured tool that helps facilitate JOP exploit development, the JOP ROCKET. Bramwell is the Director of the Vulnerability and Exploitation Research for Offensive and Novel Attacks (VERONA Lab), specializing in vulnerability research, software exploitation, software security assessments, and the development of new, cutting-edge tools and techniques with respect to software exploitation and malware analysis. Bramwell also teaches undergraduate, graduate, and doctoral level courses in software exploitation, reverse engineering, malware analysis, and offensive security. Bramwell teaches the development of modern Windows shellcode from scratch in various courses. Bramwell is a PI on an NSA grant to develop a shellcode analysis framework. Bramwell has been a speaker at many top security conferences, such as DEF CON, Black Hat Asia, Hack in the Box Amsterdam, Hack, and more.
-
Tarek Abdelmotaleb
- Security Researcher, VERONA Labs
Tarek Abdelmotaleb is a security researcher at VERONA Labs, and he is a graduate student at Dakota State University, who will soon graduate with a MS in Computer Science. Tarek specializes in malware development, software exploitation, reverse engineering, and malware analysis. Tarek recently published an IEEE paper that provides a new way for finding the base address of kernel32, making it possible to do shellcode without needing to make use of walking the Process Environment Block (PEB).
Links:
Similar Presentations: