Black Hat Europe资料eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims.pdfVIP

Defending Against Malicious Application Compatibility Shims Sean Pierce About Me Sean Pierce, CISSP Threat Emulation Engineer  Twitter @secure_sean  Code: /securesean  Website: http://sdb.tools/  Email: sdb at secure sean dot com Disclaimer:  Not a Developer  Not an iSIGHT Rep Proprietary and Confidential Information. © Copyright 2015, iSIGHT Partners, Inc. All Rights Reserved 2 About iSIGHT  Best commercial cyber threat intelligence provider on the planet  300 Experts. 24 Languages 16 Countries.  Forward looking, adversary focused intelligence, actionable advice  Intelligence for multiple levels: executive, operational and technical Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved 3 History of Application Compatibility  Third Party bugs – Case study: Windows 95 + The SimCity® – Flush File Cache – Undocumented structs/API’s  OS Bugs – Case study: Synchronous Buffer Commits  “Windows lies to 32-bit apps … but it’s ok because we can make it lie to 64-bit apps too” - Greg Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved 4 Fixes, Modes, Shims  Fix  Mode  Shim  Fix/Mode Configurations are held in Shim Database (.sdb) files Proprietary and Confidential Information. © Copyright 2014, iSIGHT Partners, Inc. All Rights Reserved 5 How a Process is Shimmed 1. Parent Process calls CreateProcess() 1. Parent Process checks if process should be shimmed 2. Child Process Resources and shimming code are inserted and initialized 3. Typically the shim hooks the Import Address Table (IAT) 2. Child Process begins executing 1. The shimming code intercepts and manipulates API calls