Hooking Nirvana: Stealthy Instrumentation Techniques for Windows 10

Presented at REcon 2015, June 20, 2015, 2 p.m. (60 minutes)

In this talk we will cover five novel instrumentation techniques that all rely on deep Windows internals: AVRF Hooking, MinWin Hooking, Shim Hooking, Nirvana Hooking, and CFG Hooking. We will start by describing the intended use of these technologies in Windows and their normal use cases and scenarios, followed by explanations and demonstrations of how to abuse them to do your bidding. We will then detail how to detect each of them from a defensive perspective, contrasting current hook detection methods and their inability to pick up on these techniques. These hooking techniques can be leveraged for code obfuscation, dynamic binary instrumentation, implementing stealthy hiding techniques, and more.
