Windows systems & code signing protection

Presented at Hackfest 2016, Nov. 4, 2016, 3:30 p.m. (Unknown duration).

This presentation explains the code signing mechanism (authenticode) developed by Microsoft on Windows systems. The presentation will first explain the kernel implication and the impact on driver development. This protection firstly annoyed rootkit developers but they found several ways to bypass it. Well-know rootkits such as Derusbi, Uroburos or GrayFish use tricks to bypass driver signature. These techniques will be described during the presentation. Finally, the user-land will be discussed with the new library injection protection based on code signing implemented in Windows 10 TH2 and especially for the Edge process.

Presenters:

• Paul Rascagnères
  Paul Rascagnères is a malware analyst and researcher for the Sekoia's CERT. He is specialized in Advanced Persistant Threat (APT) and incident response. He worked on several complex cases such as government linked malware or rootkits analysis. He is a worldwide speaker at several security events.

Links:

• https://hackfest.ca/en/2016/speakers2016/#rascagneres
• https://infocon.org/cons/Hackfest/Hackfest 8 2016/Hackfest 2016 - Paul Rascagneres presented Windows systems & code signing protection.mp4
• https://www.youtube.com/watch?v=GKe92l-pxsU

Similar Presentations:

• ShmooCon X (2014) / The Evolution of Linux Kernel Module Signing
• Shakacon VIII (2016) / Windows Systems & Code Signing Protection
• BSidesDC 2019 / Signing your code the easy way