Code obfuscation to defeat static analysis using cross mode

Presented at SOURCE Seattle 2016, Oct. 12, 2016, 8 a.m. (Unknown duration).

Patch management is often looked down upon because of its simplicity and the relatively short shelf life of each patch. However, if we treat patch management as a way to categorize all known and unknown code in our infrastructure (cloud deployments tend to be more uniform, which helps), we can accomplish a great number of goals at the same time.

Memory whitelisting has become more common in a variety of settings, including game consoles, some cloud platforms and current Windows versions. We'll release memory analysis tools based on memory integrity checking that work for 64-bit Windows (all versions), Linux and *BSD. This will be a sort of "tripwire" for volatile memory, designed to ensure that no hidden, targeted, APT, zero-day or ransomware threat is on your box.
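The abstract describes the check only in outline, so here is an added illustration of the idea (written for this page; it is not the presenter's tooling and not code from the talk): every executable page that should be resident is known from what patch management deployed, so the page hashes of those binaries form a whitelist, and any executable page in memory whose hash is not on the list is reported. The sample images, the memory snapshot, the inline hook, the injected region and the 8-byte import slot at offset 0x800 are all constructed data; the mask mechanism for loader-patched bytes (relocations, import tables) is the one caveat a real implementation of this approach has to handle, since those bytes legitimately differ between disk and memory.

```python
# Added example: a page-level "tripwire" for executable memory, in the spirit of
# the memory-integrity checking the abstract describes. Illustrative code written
# for this page, not the presenter's tooling; the images, the snapshot and the
# relocation mask below are constructed data, not real binaries or real memory.
import hashlib

PAGE_SIZE = 4096


def page_hashes(image, masked=frozenset(), page_size=PAGE_SIZE):
    """SHA-256 of every page of a code image.

    Bytes at offsets in `masked` (loader-patched slots such as relocation
    fixups or import-table entries) are zeroed first, so the same mask applied
    to the on-disk image and to the in-memory copy yields identical hashes
    when only those slots differ.
    """
    buf = bytearray(image)
    for off in masked:
        if off < len(buf):
            buf[off] = 0
    out = []
    for start in range(0, len(buf), page_size):
        # pad the trailing partial page with zeros, as the loader does
        page = bytes(buf[start:start + page_size]).ljust(page_size, b"\x00")
        out.append(hashlib.sha256(page).hexdigest())
    return out


def build_whitelist(known_images, masks):
    """Map every known-good page hash to (image name, page index).

    `known_images` is {name: bytes} of the binaries patch management says are
    deployed; `masks` is {name: set of offsets} to ignore per image.
    """
    whitelist = {}
    for name, image in known_images.items():
        for idx, h in enumerate(page_hashes(image, masks.get(name, frozenset()))):
            whitelist.setdefault(h, (name, idx))
    return whitelist


def check_regions(exec_regions, whitelist, masks):
    """Return (region, page index, hash) for every executable page whose content
    is not whitelisted: either a patched page or code that was never deployed."""
    findings = []
    for region, data in exec_regions.items():
        for idx, h in enumerate(page_hashes(data, masks.get(region, frozenset()))):
            if h not in whitelist:
                findings.append((region, idx, h))
    return findings


# --- constructed sample data (stand-ins for real code sections) --------------

def _fake_image(seed, pages):
    """Deterministic filler whose content differs from page to page."""
    return bytes(((i * 31 + (i >> 12) * 17 + seed) & 0xFF) for i in range(pages * PAGE_SIZE))


KNOWN = {"libc.so": _fake_image(1, 3), "app": _fake_image(7, 2)}
# hypothetical 8-byte import slot at 0x800 in "app" that the loader overwrites
MASKS = {"app": frozenset(range(0x800, 0x808))}

_hooked = bytearray(KNOWN["libc.so"])
_hooked[PAGE_SIZE + 0x10:PAGE_SIZE + 0x15] = b"\xe9\x00\x00\x00\x00"  # inline hook (jmp rel32) on page 1
_app = bytearray(KNOWN["app"])
_app[0x800:0x808] = (0x7FFF_DEAD_BEEF_0000).to_bytes(8, "little")  # resolved import: a legitimate difference

SNAPSHOT = {
    "libc.so": bytes(_hooked),
    "app": bytes(_app),
    "anon_rwx": bytes(((i * 13 + 99) & 0xFF) for i in range(PAGE_SIZE)),  # injected code, never deployed
}


def scan():
    """Run the tripwire over the constructed snapshot."""
    return check_regions(SNAPSHOT, build_whitelist(KNOWN, MASKS), MASKS)


if __name__ == "__main__":
    for region, idx, h in scan():
        print(f"{region}: page {idx} (offset {idx * PAGE_SIZE:#x}) not whitelisted, sha256={h[:16]}...")
```

Run as a script, it reports the hooked page of "libc.so" and the injected "anon_rwx" page while staying quiet about the import slot in "app" because that slot is masked on both sides. Drop the mask and the same import write is flagged, which is exactly the false positive a disk-versus-memory comparison produces on real PE and ELF images unless relocations and import tables are accounted for.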

Presenters:

  • Shane McAuley - IOActive
    Some code is at github.com/K2, github.com/ShaneK2 and ktwo.ca (a number of hypervisor memory extraction and other fun tools for system/state comprehension are hosted there). I've also contributed to other projects over the years, including KARMA wifi test tools and exploits. Previous conferences include DefCon, CanSecWest, Source Boston, Virus Bulletin, Honeynet Project, IEEE, AAFS and more.