Explore advanced code injection techniques and zero-day vulnerabilities in this BSidesLV 2015 conference talk. Delve into classic code injection methods before examining PowerLoader's innovative approaches, including abusing shared sections and ROP techniques. Learn about desktop heap exploitation and strategies for 64-bit systems. Investigate kernel-to-user code injections, covering common methods like User APC, entry point patching, and import table patching. Discover the intricacies of Trap Frame injection and KTRAP_FRAME. Conclude with an in-depth look at codeless code injection, addressing challenges and demonstrating practical applications through API examples.
Overview
Syllabus
Intro
Classic Code Injection Methods
PowerLoader - Abusing Shared Sections
Powerloader - ROP n' Roll
PowerLoader - Quick Summary
Ul Shared Memory - Reminder
PowerLoaderEx - Desktop Heap as Shared Section
PowerLoaderEx64 - What About 64-bit?
PowerLoaderEx64 - Strategy
PowerLoaderEx64 - User32 Calbacks To Rescue
Introduction - Kernel-To-User Code Injections
Common Injection Methods - User APC
Common Injection Methods - Entry Point Patching
Common Injection Methods -- Import Table Patching
Common Injection Methods - Quick Summary
Introducing Trap Frame injection
KTRAP_FRAME
The Trivial Injection
Codeless Code Injection - Challenges
Codeless Code Injection - NtClose as a callback
Codeless Code Injection - Creating dedicated thread
Codeless Code Injection - Creating a Dedicated Thread
Codeless Code Injection - API Example
