Explore advanced techniques for monitoring native execution in WoW64 applications in this HITB Security Conference talk. Delve into the challenges of injecting 64-bit DLLs into WoW64 processes and hooking 64-bit APIs. Learn about novel injection methods, modifications to existing techniques, and solutions to overcome obstacles introduced by newer Windows versions. Gain insights into OS internals, reverse engineering, and exploit mitigations as presenters Yarden Shafir and Assaf Carlsbad share their research on enhancing security monitoring across all current Windows versions.
Overview
Syllabus
Intro
BACKGROUND
WoW64 system call overview
THE SOLUTION
INJECTION CONT.
INJECTION #1 - WOW64LOG.DLL
INJECTION 32 - HEAVEN'S GATE
INJECTION 33 - APC
CFG - CONTROL FLOW GUARD
VALID CALL TARGETS
CFG IN WOW64
BACK TO APC INJECTION
SO WHERE'S THE PROBLEM?
OPTION #1 - NATIVIZE THE PROCESS
NATIVIZE THE PROCESS - DOWNSIDES
OPTION #2 -"THUNKLESS" APC INJECTION
REQUIREMENTS
WHAT'S IN R9?
INLINE HOOKS 101
CONSTRAINTS
API RE-IMPLEMENTATION
BACK TO THE DRAWING BOARD #1
WORKS ON WINDOWS 10 BUT ONLY THERE.
BACK TO THE DRAWING BOARD #2
DEEP HOOKS - RECAP
REFERENCES
Taught by
Hack In The Box Security Conference
