Видео DEF CON 30 (2022) - Запускаем руткиты как хакер национального государства

[weaver]

Как всегда ищу для вас, что-то интересное по тематике offensive-security, на этот раз на глаза попался вот такой вот доклад, где были представлены две новые техники page swapping & callback swapping..

Запасаемся бубликами к чаю, листаем слайды смотрим видео))

Описание

Code Integrity is a threat protection feature first introduced by Microsoft over 15 years ago. On x64-based versions of Windows, kernel drivers must be digitally signed and checked each time they are loaded into memory. This is also referred to as Driver Signature Enforcement (DSE). The passing year showed high-profile APT groups kept leveraging the well-known tampering technique to disable DSE on runtime. Meanwhile, Microsoft rolled out new mitigations: driver blocklists and Kernel Data Protection (KDP), a new platform security technology for preventing data-oriented attacks. Since using blocklist only narrows the attack vector, we focused on how KDP was applied in this case to eliminate the attack surface. We found two novel data-based attacks to bypass KDP-protected DSE, one of which is feasible in real-world scenarios. Furthermore, they work on all Windows versions, starting with the first release of DSE. We’ll present each method and run them on live machines. We’ll discuss why KDP is an ineffective mitigation. As it didn’t raise the bar against DSE tampering, we looked for a different approach to mitigate it. We’ll talk about how defenders can take a page out of attackers’ playbook to cope with the issue until HVCI becomes prevalent and really eliminates this attack surface.

Слайды

https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Omri%20Misgav%20-%20Running%20Rootkits%20Like%20A%20Nation-State%20Hacker.pdf

Видео
youtube.com/watch?v=xwMXDo0YDro

Дополнительные материалы
- M. Jurczyk, “A quick insight into the Driver Signature Enforcement” (https://j00ru.vexillium.org/2010/06/...e-enforcement/)
- A. Matrosov, E. Rodionov and S. Bratus, “Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats” [No Starch Press]
- “Dissecting Turla Rootkit Malware Using Dynamic Analysis“, (https://www.lastline.com/labsblog/di...amic-analysis/)
- P. Rascagneres, Windows Systems & Code Signing Protection (https://www.slideshare.net/Shakacon/...ul-rascagneres)
- J. Michael and M. Skhatov, “Defcon 27: Get off the Kernel if you can’t Drive” (https://media.defcon.org/DEF%20CON%2...cant-drive.pdf)
- M. Poslušný, “Signed kernel drivers – Unguarded gateway to Windows’ core” (https://www.welivesecurity.com/2022/...-windows-core/)

 

[Dread Pirate Roberts]

руткиты на уровне операционной системы...
скукота и прошлый век.

 

[weaver]

руткиты на уровне операционной системы...
скукота и прошлый век.

Да-да я так и понял блеклотус, uefi. И прошлый холивар помню про 0дей hvci. Но образцы в "in the wild" показывают совсем другое.

 

[Dread Pirate Roberts]

блеклотус, uefi

PCH, BMC