DC9723 April 2018 Meeting

When: Monday, 23 April 2018, from 18:45 to 22:00 (NOTE: THIS MEETING IS ON A MONDAY!)
Where: Checkpoint Offices in Tel-Aviv (Ha’Solelim Street 5, Tel Aviv)

Agenda:

Brief Introduction
Deep hooks: monitoring native execution in WoW64 processes – Yarden Shaffir, Assaf Carlsbad
When Virtual Hell Freezes Over – Reversing C++ Code – Gal Zaban

As always, the talks are free and there is no need to register. Come and bring your friends.
The talks will be uploaded to YouTube a week after the meeting.
You can watch the previous talks at https://www.dc9723.org

*We need more talks; please consider submitting a talk for the next DC9723 meeting. For more details and questions, please contact cfp@dc9723.org

Title
Deep hooks: monitoring native execution in WoW64 processes – Yarden Shaffir, Assaf Carlsbad

Abstract

WoW64 processes have a complete 32-bit subsystem inside of them, in charge of supplying the 32-bit application with everything it needs to execute. But eventually, the communication with the 64-bit environment itself is done by the 64-bit portion of the process, which is often ignored by security products and malware alike. In most cases, monitoring only the 32-bit subsystem is enough, but attacks such as the notorious “Heaven’s Gate” technique prove that this approach is far from perfect.
In this talk, we wish to present the possibility of hooking 64-bit API calls inside of WoW64 processes. These can serve various purposes – either intercepting the normal flow of the process execution or gaining better visibility into the process actions – while taking advantage of a “blind spot” and being virtually invisible to the normal security product and confusing to many security researchers.
The task of hooking 64-bit APIs in WoW64 processes introduces some unique challenges, which we will discuss in detail. We will present several injection methods, including a couple of novel modifications of existing ones, that enable injecting a 64-bit DLL into a WoW64 process. We will then demonstrate the adjustments we made to an out-of-the-box hooking engine to make it able to hook 64-bit APIs in the process. Some changes in new Windows versions, such as the introduction of CFG and the changes to some API functions, made this task more challenging, and we will show how we researched and solved these issues, making this hooking technique useful on all currently available Windows versions.

Title
When Virtual Hell Freezes Over – Reversing C++ Code – Gal Zaban

Abstract
The capabilities that C++ programming provides with the use of polymorphism are also obstacles when reverse engineering these programs.
Dynamic reverse engineering of C++ code is potentially extremely time-consuming and resource-intensive. So, what if we could automate parts of this process and even customize it to the behavior of each individual program?
C++ is known to be a knotty language, full of templates, lambdas, and smart and unique pointers. All of these features create a jungle of objects intended to make life easier for the programmer. But once the program is compiled, the target program is no longer what it once seemed.
Reversing C++ programs is tedious and demanding, and requires rebuilding inheritance, identifying templates and tainting program flow in order to combat the ties of function overloading and class utilization.
In my presentation I will show how we can use smart and automated tracing to shorten the process in reverse engineering C++ programs.
Automatically rebuilding vtables and virtual function calls is a strong capability that can be easily achieved with IDAPython, as I’ll explain in my talk, in which I will also show examples from a framework created especially for this purpose.
In my presentation I will present “Virtuailor”: a tailor-made framework that helps rebuild the relationships of C++ classes in the program and sew together all of the loose ends.