Monitoring Native Execution in WoW64 Apps

Hack In The Box Security Conference via YouTube

Overview

Explore advanced techniques for monitoring native execution in WoW64 applications in this HITB Security Conference talk. Delve into the challenges of injecting 64-bit DLLs into WoW64 processes and hooking 64-bit APIs. Learn about novel injection methods, modifications to existing techniques, and solutions to overcome obstacles introduced by newer Windows versions. Gain insights into OS internals, reverse engineering, and exploit mitigations as presenters Yarden Shafir and Assaf Carlsbad share their research on enhancing security monitoring across all current Windows versions.

Syllabus

Intro
BACKGROUND
WoW64 system call overview
THE SOLUTION
INJECTION CONT.
INJECTION #1 - WOW64LOG.DLL
INJECTION #2 - HEAVEN'S GATE
INJECTION #3 - APC
CFG - CONTROL FLOW GUARD
VALID CALL TARGETS
CFG IN WOW64
BACK TO APC INJECTION
SO WHERE'S THE PROBLEM?
OPTION #1 - NATIVIZE THE PROCESS
NATIVIZE THE PROCESS - DOWNSIDES
OPTION #2 - "THUNKLESS" APC INJECTION
REQUIREMENTS
WHAT'S IN R9?
INLINE HOOKS 101
CONSTRAINTS
API RE-IMPLEMENTATION
BACK TO THE DRAWING BOARD #1
WORKS ON WINDOWS 10 BUT ONLY THERE.
BACK TO THE DRAWING BOARD #2
DEEP HOOKS - RECAP
REFERENCES

Taught by

Hack In The Box Security Conference
