
Dailydave mailing list archives
Conover's BCE
From: Dave Aitel <dave () kof immunityinc com>
Date: Wed, 13 May 2009 20:15:44 -0400
Matthew Conover's BCE talk was very interesting yesterday, and I had a chance to annoy him a bit more about it at dinner. Basically the idea is this: Apply virtualization techniques (code rewriting + page permissions) to run drivers in usermode. The goal here is to be able to control the driver such that it does not know it is running under BCE, and be able to analyze it. He has working code - this was not a theory talk so much as a demonstration and explanation, as were most of the talks at SyScan. This is a useful dynamic analysis tool (he demo'd running Process Explorer under it, which worked), and if he open sourced it I could see lots of people using it for rootkit analysis.

One thing he did during his talk that I thought was good was stop every 5-10 slides for questions. With something as technical as this, it's a very good idea as it kept the audience on the same page.

In order to run a driver in "usermode" he has to emulate a stack and a Kernel Pool for the driver. So for example, if you do a:

        call popme
    popme:
        pop eax

Then EAX has a kernel address in it (a "fake EIP" if you will), even though the driver is really running in userspace.

One attack I think would be hard to stop would be for the driver to allocate kernel Pool data, then go search the kernel pool to make sure their data is there. If the data is not there, they are running under BCE and it's time to pretend to be innocuous. I'm sure there's lots of other exciting attacks, but as Kostya says "in the real world, no one is ever going to attack this thing if you don't give it out to everyone". On the other hand, I kinda want one so I'm hoping he does. :>

Today is Shellcode class day. We're giving out our latest shellcode library for everyone to use to learn how to create shellcode. It's fun for the whole family!

-dave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
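[Editor's note: the following is a constructed example added to this archive page, not code from the post, from BCE, or from Immunity. It models the two checks Dave's message describes: testing whether the address a call/pop sequence yields looks like a kernel VA, and the proposed anti-BCE trick of allocating a tagged pool chunk and then scanning the pool to see whether it is really there. Everything below is hypothetical: the two fixed arrays stand in for the kernel nonpaged pool and for a private buffer an emulator might service allocations from, the 'TEST' tag and chunk header are invented, and the 32-bit/x64 address-split constants assume default (no /3GB) Windows layouts. A real driver would allocate with ExAllocatePoolWithTag and walk actual pool pages; how BCE services reads of kernel memory is not something this toy reproduces.]

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: the two checks a driver could run to decide whether
 * it is really in the kernel or under a BCE-style usermode emulator.
 * Nothing here is BCE's or any real driver's code. */

/* ---- Check 1: does an address look like a kernel VA? ----
 * This is what a driver could test the "fake EIP" from call/pop against.
 * Assumed layouts: 32-bit Windows kernel half starts at 0x80000000 (no /3GB);
 * x64 kernel space is the upper canonical half. An emulator that hands out
 * kernel-looking addresses passes this check, which is the post's point. */
int is_kernel_va(uint64_t va, int bits)
{
    if (bits == 32)
        return va >= 0x80000000ull && va <= 0xFFFFFFFFull;
    return va >= 0xFFFF800000000000ull;
}

/* ---- Check 2: allocate a tagged chunk, then scan the pool for it ----
 * Two fixed arenas stand in for memory: `real_pool` plays the kernel
 * nonpaged pool; `emulated_pool` plays the private buffer an emulator might
 * service allocations from. In a real driver the allocation would be
 * ExAllocatePoolWithTag and the scan would walk pool pages for the tag. */
#define POOL_SIZE 4096
#define DRV_TAG   0x54534554u            /* 'TEST', constructed tag */

struct chunk_hdr { uint32_t tag; uint32_t size; };

static uint8_t real_pool[POOL_SIZE];
static uint8_t emulated_pool[POOL_SIZE];
static size_t  real_cursor, emulated_cursor;

/* Bump allocator over an arena: 8-byte header, then an 8-aligned payload. */
static void *pool_alloc(uint8_t *arena, size_t *cursor, uint32_t tag, uint32_t size)
{
    size_t need = sizeof(struct chunk_hdr) + ((size + 7) & ~7u);
    if (*cursor + need > POOL_SIZE)
        return NULL;
    struct chunk_hdr h = { tag, size };
    memcpy(arena + *cursor, &h, sizeof h);
    void *payload = arena + *cursor + sizeof h;
    *cursor += need;
    return payload;
}

/* Linear scan of an arena for a header carrying `tag` whose payload is `ptr`. */
int pool_contains(const uint8_t *arena, size_t len, uint32_t tag, const void *ptr)
{
    for (size_t off = 0; off + sizeof(struct chunk_hdr) <= len; off += 8) {
        struct chunk_hdr h;
        memcpy(&h, arena + off, sizeof h);
        if (h.tag == tag && arena + off + sizeof h == (const uint8_t *)ptr)
            return 1;
    }
    return 0;
}

/* The driver's decision: allocate through whatever allocator it is given,
 * fill the chunk, then look for it in the real pool. Returns 1 if the chunk
 * is not where a real kernel would have put it, i.e. "we look emulated". */
int looks_emulated(uint8_t *alloc_arena, size_t *alloc_cursor)
{
    void *p = pool_alloc(alloc_arena, alloc_cursor, DRV_TAG, 64);
    if (!p)
        return 1;                         /* allocation failure: suspicious */
    memset(p, 0xAB, 64);
    return !pool_contains(real_pool, POOL_SIZE, DRV_TAG, p);
}

int main(void)
{
    printf("call/pop address 0x80401000 kernel? %d\n", is_kernel_va(0x80401000ull, 32));
    printf("served from real pool   -> emulated? %d\n", looks_emulated(real_pool, &real_cursor));
    printf("served from emulator's  -> emulated? %d\n", looks_emulated(emulated_pool, &emulated_cursor));
    return 0;
}
```

The point the toy makes is the one in the message: an emulator can forge a kernel-looking EIP cheaply, so the range check alone proves nothing, while the pool scan forces the emulator to either place the driver's allocations in the real pool or fake the contents of every kernel read, which is a much larger job.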
Current thread:
- Conover's BCE Dave Aitel (May 13)
- Re: Conover's BCE Joanna Rutkowska (May 14)
- Re: Conover's BCE Matt Conover (May 14)
- Re: Conover's BCE Joanna Rutkowska (May 14)