12. Morph Your Malware! by Sebastian Feldmann

  • Published 28 Aug 2022
  • This talk outlines the state of the art of implementing and hiding offensive tools as position independent code and how to apply key-less polymorphism to evade signatures.
    We will then identify infected processes by fingerprinting abnormal system calls, threads or call stacks, and bypass that detection.
    This talk outlines the state of the art of loading and hiding offensive tools in memory and the methods defenders can use to fingerprint infected processes.
    It will be demonstrated how attackers load their tooling in memory using (reflective) PE loaders and which evasion strategies are typically used to circumvent defensive concepts such as memory scanners, userland hooks and certain kernel callbacks.
    Next, detection ideas to fingerprint the usage of direct system calls using Sysmon or the "Hooking Nirvana" technique will be shared, along with a new way to bypass userland hooks.
    While a tool which has been successfully unpacked and is running in memory has bypassed the first layers of a detection stack, it can still be found at runtime by fingerprinting suspicious memory artifacts or abnormal threads and call stacks.
    This talk will thus present metrics which defenders can apply and combine to identify infected processes based on memory scanning and fingerprinting suspicious call stacks or abnormal thread states.
    It will then be shown how the presented detection metrics can also be bypassed by blending in with the false positives of memory scanners or by using concepts such as sleep masks or call stack spoofing.
    Finally it will be demonstrated how the concept of Position Independent Code (PIC) can be combined with key-less polymorphism to avoid static signatures of memory scanners.
    The talk will close with the release of two new tools, demonstrating the power of PIC and key-less polymorphism.
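One of the runtime metrics the abstract names, fingerprinting a thread's call stack, as an added example that is not code from the talk or from the tools it releases: a stack walk (innermost frame first, as a kernel callback or an ETW/Sysmon stack trace would deliver it) is checked against the process's loaded-module map. The module map, addresses and stacks below are constructed sample data, and the two rules applied (the innermost frame of a stack captured at a system call must lie in ntdll/win32u; every return address must be backed by a loaded image) are an illustration of the approach, not the speaker's implementation.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Images in which a user-mode syscall stub legitimately lives. A stack captured
# at a system call (e.g. by a kernel callback or an ETW/Sysmon stack trace)
# should have its innermost user-mode frame inside one of these.
SYSCALL_IMAGES = {"ntdll.dll", "win32u.dll"}


@dataclass(frozen=True)
class Module:
    """A loaded image: name plus its [base, base+size) address range."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


@dataclass(frozen=True)
class Frame:
    """One return address from a stack walk; stacks are innermost frame first."""
    ret_addr: int


def module_for(addr: int, modules: list[Module]) -> Optional[Module]:
    """Map an address to the loaded image that backs it, or None if unbacked."""
    for m in modules:
        if m.contains(addr):
            return m
    return None


def fingerprint_stack(frames: list[Frame], modules: list[Module]) -> list[str]:
    """Return findings for one thread's call stack (empty list = nothing flagged).

    Metric 1, direct_syscall: the innermost frame is not in ntdll/win32u, so the
    syscall instruction ran from somewhere else and the hooked stub was skipped.
    Metric 2, unbacked: a return address falls outside every loaded image, which
    is what a reflectively loaded PE or raw shellcode looks like on the stack.
    """
    if not frames:
        return ["empty stack"]
    findings: list[str] = []
    top = module_for(frames[0].ret_addr, modules)
    if top is None or top.name.lower() not in SYSCALL_IMAGES:
        where = top.name if top else "unbacked memory"
        findings.append(
            f"direct_syscall: innermost frame {frames[0].ret_addr:#x} is in {where}"
        )
    for i, f in enumerate(frames):
        if module_for(f.ret_addr, modules) is None:
            findings.append(
                f"unbacked: frame {i} return address {f.ret_addr:#x} outside all modules"
            )
    return findings


# Constructed sample data: an arbitrary module map (not real load addresses).
MODULES = [
    Module("ntdll.dll", 0x7FF800000000, 0x200000),
    Module("kernelbase.dll", 0x7FF810000000, 0x300000),
    Module("kernel32.dll", 0x7FF820000000, 0x100000),
    Module("app.exe", 0x7FF700000000, 0x080000),
]

# Benign: app.exe -> kernel32 -> kernelbase -> ntdll syscall stub.
BENIGN = [Frame(0x7FF800012345), Frame(0x7FF810001234), Frame(0x7FF820001000), Frame(0x7FF700001000)]

# Reflectively loaded PE: the ntdll stub is called from private (unbacked) memory.
REFLECTIVE = [Frame(0x7FF800012345), Frame(0x200A0001234), Frame(0x7FF700001000)]

# Direct syscall: the syscall instruction itself sits in the implant's memory,
# so ntdll never appears at the top of the stack.
DIRECT = [Frame(0x200A0000050), Frame(0x200A0001234), Frame(0x7FF700001000)]

# Spoofed: the implant fixed up its stack so every frame lands in a legitimate image.
# Address-only checks cannot tell this apart from BENIGN.
SPOOFED = [Frame(0x7FF800012345), Frame(0x7FF810001234), Frame(0x7FF820001000), Frame(0x7FF700001000)]


def scan_threads(stacks: dict[str, list[Frame]], modules: list[Module]) -> dict[str, list[str]]:
    """Run the fingerprint over every thread and keep only those with findings."""
    return {tid: r for tid, stack in stacks.items() if (r := fingerprint_stack(stack, modules))}


if __name__ == "__main__":
    sample = {"benign": BENIGN, "reflective": REFLECTIVE, "direct": DIRECT, "spoofed": SPOOFED}
    for tid, findings in scan_threads(sample, MODULES).items():
        print(tid)
        for line in findings:
            print("  ", line)
```

The reflective and direct-syscall stacks are flagged, while the spoofed stack passes untouched, which is exactly the bypass the abstract describes for call stack spoofing: an address-only check has no way to tell a fixed-up chain from a genuine one, so in practice it is combined with the other metrics the talk lists (memory scanning for the unbacked region itself, abnormal thread states) rather than used alone.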
