#SECTORCA BlackHatEvents

Evading in Plain Sight: How Adversaries Beat User-Mode Protection Engines for Over A Decade

About Me
Omri Misgav, Independent Security Researcher
Reverse engineering, OS internals and malware research
Previously Head of FortiGuard Research IL, Fortinet
Past speaker at DEFCON, AVAR, BSidesLV and others
P.S. Know a cool place for bungy jumping? Feel free to share.
in/omri-misgav

Agenda
Introduction
Hook Evasion tactic
Argument Forgery tactic
Engine Disarming tactic
Conclusions
* No AI was used while preparing this session

Intro: Evasion Strategies
1. Obscure context
   1. Blend in execution chain
      [Diagram: explorer.exe -Execute-> word.exe -Execute-> %TEMP%\MsMpEng.exe -Load-> %TEMP%\mpsvc.dll; a signed vendor executable copied to %TEMP% loads a DLL of the expected name from the same directory, so the malicious code runs inside a trusted-looking process chain]
   2. Break execution chain
      [Diagram: explorer.exe -Execute-> outlook.exe -Execute-> malware.exe -Create-> Scheduled task; later svchost.exe -Execute-> malware.exe, so the second run has no parent link back to the mail client]
2. Hinder visibility
   [Diagram: explorer.exe -Execute-> chrome.exe -Execute-> malware.exe; malware.exe Writes HKLM\SYSTEM\CurrentControlSet\S (key name cut off in source) and %Temp%\driver.sys; the remaining edges are labelled Read, Read, Write]

Intro: Endpoint Security Solutions Architecture Overview
User-mode monitoring: Instrumentation, Hooking
Why?
- Simple, stable
- Lack of Patch Protection (there is no user-mode equivalent of the kernel's PatchGuard, so in-process hooks are permitted)
- Full context
[Diagram components: Kernel space: PRODUCT.sys, ntoskrnl.exe, ETW/Event Log (producer). User space: PRODUCT.exe, PRODUCT.dll, library.dll, app.exe, AMSI, ETW/Event Log (consumer). Edges labelled Inline operation and Communication channel]

Intro: Call Stack
A data structure that stores information about the active subroutines of an application.
[Diagram frames, grouped by module: wininet.dll: InternetOpenUrlW, InternetOpenUrlA, InternalInternetOpenUrlA; ntdll.dll: NtDeviceIoControlFile; network_driver.sys: send_packet, handle (remainder cut off in source)]
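The architecture and call-stack slides above describe the mechanism the rest of the talk attacks: a user-mode engine patches the entry of an API inside the application's own process so that its detour runs first, with the arguments and the caller's return address in hand. The following is an added example, not code from the talk or from any product, that builds such an inline hook on Linux x86-64 so it can be run and stepped through; a Windows engine does the same with VirtualProtect instead of mprotect. The names open_url (a stand-in for a monitored API such as wininet!InternetOpenUrlA), hooked_open_url, install_hook, uninstall_hook and call_open_url are all hypothetical. It assumes GCC or Clang with glibc, and that the process is allowed to make its own code page writable and executable, which a default Linux box permits but a hardened kernel or SELinux execmem policy may refuse.

```c
/* inline_hook_demo.c: minimal user-mode inline hook on Linux x86-64.
 * Added example; not code from the talk. Assumes GCC/Clang, glibc, and
 * that the process may make its own .text page RWX (default Linux allows
 * it; hardened kernels / SELinux execmem policies can refuse). */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define STUB_LEN 12   /* mov rax, imm64 (10 bytes) + jmp rax (2 bytes) */

/* Hypothetical "monitored API" (stand-in for e.g. wininet!InternetOpenUrlA).
 * The loop keeps the body longer than STUB_LEN so the patch stays inside it. */
__attribute__((noinline))
int open_url(const char *url, int flags)
{
    unsigned checksum = (unsigned)flags;
    for (const char *p = url; *p != '\0'; p++)
        checksum = checksum * 31u + (unsigned char)*p;
    return (int)checksum;
}

typedef int (*open_url_fn)(const char *, int);
/* volatile pointer: the compiler cannot inline, clone or constant-fold the
 * call, so every call really enters through the (possibly patched) prologue. */
static open_url_fn volatile open_url_ptr = open_url;

static unsigned char saved_prologue[STUB_LEN]; /* original first 12 bytes   */
static unsigned char jump_stub[STUB_LEN];      /* mov rax, &hooked; jmp rax */
static int           hooked;
static int           hook_hits;
static int           last_flags;
static void         *last_caller;
static char          last_url[128];

/* The engine's detour: it observes the arguments and the caller's return
 * address (the "full context" of the slide) before the real code runs. */
static int hooked_open_url(const char *url, int flags)
{
    hook_hits++;
    last_flags  = flags;
    last_caller = __builtin_return_address(0);   /* whoever called open_url */
    snprintf(last_url, sizeof last_url, "%s", url);

    /* No trampoline in this demo: restore the original bytes, call through,
     * then re-apply the patch. Not thread-safe; real engines build a trampoline. */
    memcpy((unsigned char *)open_url, saved_prologue, STUB_LEN);
    int result = open_url_ptr(url, flags);
    memcpy((unsigned char *)open_url, jump_stub, STUB_LEN);
    return result;
}

/* Make every page overlapping [addr, addr+len) readable, writable, executable. */
static int make_writable(void *addr, size_t len)
{
    uintptr_t ps    = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~(ps - 1);
    uintptr_t end   = ((uintptr_t)addr + len + ps - 1) & ~(ps - 1);
    return mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC);
}

int install_hook(void)
{
    if (hooked) return 0;
    unsigned char *target = (unsigned char *)open_url;
    if (make_writable(target, STUB_LEN) != 0) return -1;

    uint64_t dest = (uint64_t)(uintptr_t)hooked_open_url;
    jump_stub[0] = 0x48; jump_stub[1] = 0xB8;           /* mov rax, imm64 */
    memcpy(&jump_stub[2], &dest, sizeof dest);
    jump_stub[10] = 0xFF; jump_stub[11] = 0xE0;         /* jmp rax        */

    memcpy(saved_prologue, target, STUB_LEN);           /* keep bytes for unhook */
    memcpy(target, jump_stub, STUB_LEN);                /* patch the entry       */
    hooked = 1;
    return 0;
}

int uninstall_hook(void)
{
    if (!hooked) return 0;
    memcpy((unsigned char *)open_url, saved_prologue, STUB_LEN);
    hooked = 0;
    return 0;
}

/* Call the API the way an application would: through its real entry point. */
int call_open_url(const char *url, int flags) { return open_url_ptr(url, flags); }

int         hook_hit_count(void)     { return hook_hits; }
int         last_hooked_flags(void)  { return last_flags; }
const char *last_hooked_url(void)    { return last_url; }
void       *last_hooked_caller(void) { return last_caller; }

int main(void)
{
    printf("before hook: %d\n", call_open_url("http://example.test/", 5));
    if (install_hook() != 0) { perror("mprotect"); return 1; }
    printf("after hook:  %d (hook saw \"%s\", flags=%d, caller=%p)\n",
           call_open_url("http://example.test/", 5), last_url, last_flags, last_caller);
    uninstall_hook();
    return 0;
}
```

The returned checksum is identical before, during and after hooking: the application cannot tell from the result that an engine looked at its arguments, which is exactly why the detour is attractive to defenders. The same properties are what the later tactics turn around: the patch lives in writable process memory with no patch protection, so the hooked process can read the 12 stub bytes back, restore saved_prologue itself, or call past the prologue, and the engine's view of the call stack and arguments disappears.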