Black Hat USA 2018 - Windows Offender Reverse Engineering Windows Defender's Antivirus Emulator
Windows Defender's mpengine.dll implements the core of Defender antivirus' functionality in an enormous ~11 MB, 45,000+ function DLL.
In this presentation, we'll look at Defender's emulator for analysis of potentially malicious Windows PE binaries on the endpoint. To the best of my knowledge, there has never been a conference talk or publication on reverse engineering the internals of any antivirus binary emulator before.
I'll cover a range of topics including emulator internals (bytecode to intermediate language lifting and execution; memory management; Windows API emulation; NT kernel emulation; file system and registry emulation; integration with Defender's antivirus features; the virtual environment; etc.); how I built custom tooling to assist in reverse engineering and attacking the emulator; tricks that malicious binaries can use to evade or subvert analysis; and attack surface within the emulator. I'll share code that I used to instrument Defender and IDA scripts that can be helpful in reverse engineering it. ... https://www.youtube.com/watch?v=LvW68czaEGs
Speakers: bushing, marcan
Is implementation the enemy of design?
The Nintendo Wii game console has been one of the most popular of all time, selling almost as many units as all of its competitors combined. Despite being cheaper than the PS3 and Xbox 360, it contains a sophisticated security architecture that withstood over a year of concerted effort to hack the device. The design itself is impressive; unfortunately, flaws in the implementation (both subtle and severe) render the device easily hacked, with little chance of recovery.
24C3 saw the first public demonstration of unsigned code running on the Wii. A year later, we will present full details of that attack and share the results of another full year of research. We will show the bugs that have been found, the reasons they may have existed, and what attempts the vendor has made to fix them.
Gamers will probably find this talk interesting, but it will be most valuable for anyone who hacks on (or designs) embedded systems. Basic knowledge of crypto is assumed. We will have an area set up in the Hackcenter for those who want to learn more about this subject, before or after the presentation.
More information about the 25th Chaos Communication Congress can be found via the Chaos Communication
...
https://www.youtube.com/watch?v=DFvMsoBMIJk
...
https://www.youtube.com/watch?v=ZBEzWPIbh_Q
From small business to large enterprise, VoIP phones can be found on nearly every desk. But how secure are they? What if your phone was spying on every conversation you have?
This talk is an introduction to hardware hacking and as a case study I'll use the [REDACTED] Deskphone, a device frequently deployed in corporate environments. I'll use it to introduce the tools and methodology needed to answer these questions.
During this talk, attendees will get a close-up look at the operations of a hardware hacker, including ARM disassembly, firmware extraction using binwalk, micro-soldering to patch an EEPROM and get a root shell over UART, and ultimately uncovering an already known decade-old bug that somehow remained unnoticed in the device's firmware.
Beyond the case study I will also address alternative tactics; some did not work, others may have but were not the lowest-hanging fruit. When it comes to hardware hacking, the process is as important as the result; knowing that there are multiple ways to reach the end goal helps researchers remain confident when hurdles arise. After the talk, attendees will have an increased distrust towards always-on devices; however, they will have the background knowledge to investigate the products and systems they encounter daily.
Intro to Embedded Hacking-How you too can find a decade old bug in widely deployed devices. [REDACTED] Deskphones, a case study.
...
https://www.youtube.com/watch?v=OW95vw2_BxQ
On modern Intel-based computers there exist two powerful and protected code regions: the UEFI firmware and System Management Mode (SMM). UEFI is the replacement for conventional BIOS and has the responsibility of initializing the platform. SMM is a powerful mode of execution on Intel CPUs that is even more privileged than a hypervisor. Because of their powerful positions, SMM and UEFI are protected by a variety of hardware mechanisms. In this talk, Rafal Wojtczuk and Corey Kallenberg team up to disclose several prevalent vulnerabilities that result in SMM runtime break-in as well as arbitrary reflash of the UEFI firmware.
In 2009 Rafal Wojtczuk and Alexander Tereshkin described the first publicly presented BIOS reflash exploit. Then in 2013 Corey Kallenberg presented the second instance of this class of vulnerability with an exploit targeting Dell BIOS. Now, in 2014, Rafal and Corey have joined forces to complete the destruction of the jedi^H^H BIOS.
The UEFI firmware is normally the first code to execute on the CPU, putting it in a powerful position to subvert other components of the platform. Because of its security-critical nature, the UEFI code resides on a flash chip that is protected against arbitrary writes via a number of chipset protection mechanisms. Besides initializing the platform and bootstrapping to an operating system, UEFI is also charged with instantiating the all-powerful System Management Mode (SMM). SMM is neither readable nor writable by any other code on the platform. In fact, SMM has the ability to read and write hypervisor-protected memory, but the converse is not true! These properties make SMM an ideal place to store a rootkit. Similar to the UEFI firmware, because of these security-critical properties, there are hardware mechanisms that protect the integrity and confidentiality of SMM.
This talk will explore attack surface against SMM and UEFI that has not previously been discussed. We will highlight a bug in one of the critical hardware protection mechanisms that results in a compromise of the firmware. We will also directly target a part of the UEFI specification that provides SMM exploitation opportunities. The vulnerabilities disclosed and their corresponding exploits are both prevalent among UEFI systems and reliably exploitable.
The consequences of these vulnerabilities include hypervisor and TXT subversion, bricking of the victim platform, insertion of powerful rootkits, secure boot break, among other possibilities.
...
https://www.youtube.com/watch?v=12NApRC8ZXc
...
https://www.youtube.com/watch?v=Q6DxZEt4u0M
...
https://www.youtube.com/watch?v=cKQsHzLvMqw
Buying Supreme is even harder when most of your competitors are AI. The era of bot purchasing has arrived, and more often than not, purchasing shoes, shirts, and swag requires shell scripting. We will look at how simplistic (and how complicated) purchasing bots have become, how to write them, what companies are trying to do to fight them, and why they're failing at conquering the machines.
...
https://www.youtube.com/watch?v=GQsK_FHPF7c
...
https://www.youtube.com/watch?v=qBG-n03Qr4w