or how microsoft s wow64 technology unintentionally fools
play

- or how Microsoft's WOW64 technology unintentionally fools IT - PowerPoint PPT Presentation

May 04, 2023 •30 likes •530 views

- or how Microsoft's WOW64 technology unintentionally fools IT Security analysts Christian Wojner, CERT.at 29.11.2012 1 Wh01am Person Publications Speaker Christian Wojner Papers FIRST Symposium 2010 Malware Analysis, Reverse

  1. - or how Microsoft's WOW64 technology unintentionally fools IT Security analysts Christian Wojner, CERT.at 29.11.2012 1

  2. Wh01am Person Publications Speaker  Christian Wojner  Papers  FIRST Symposium 2010  Malware Analysis, Reverse  Mass Malware Analysis: A DIY Kit  CertVerbund ‐ DE 2010  An Analysis of the Skype IMBot Logic and Engineering, Computer  Deepsec 2010 Forensics Functionality  Teliasonera 2011  The WOW ‐ Effect  CERT.at / GovCERT.gv.at  Joint FIRST/TF ‐ CSIRT  Articles Technical Seminar 2012  CanSecWest 2012  HITB Online Mag  CertVerbund ‐ DE 2012  The Art of DLL Injection  0ct0b3rf3st 2012  Automated Malware Analysis ‐ An Introduction to Minibis  SANS Forensic Summit  HAKIN9 Online Mag Prague 2012  Minibis  Software  Minibis  Bytehist (REMnux)  Densityscout (REMnux)  ProcDOT 29.11.2012 2

  3. Sidenotes ...  Based on a paper I wrote in November 2011  Topic not entirely new but  the implications have been widely underestimated or entirely overseen  In contact with Microsoft  MSRC (Microsoft Response Center)  My impression: Implications were new to them  M$ Forensics and Malware analysts got informed  Tareq, thx for your support! 29.11.2012 3

  4. THIS IS AN AWARENESS TALK! 29.11.2012 4

  5. What's the WOW-Effect?  Not easy to answer in one sentence  Only one person can do this:  It's comparable to an impression of something  Try to explain an impression in one sentence  This talk will transfer this impression to you 29.11.2012 5

  6. A little tale about "Digital Evolution"  Boxes got smaller  Busses got wider  Memory got bigger  CPUs got faster  16 Bit, 32 Bit, and finally 64 Bit systems became the new main ‐ stream  But one problem is and was always around ...  Backwards compatibility => Old things won't die 29.11.2012 6

  7. Once upon a time ... Do you like my new haircut? WOW! It's 64 Bits long! 29.11.2012 7

  8. 8 Manufacturers ... 29.11.2012

  9. 9 Customers ... 29.11.2012

  10. 10 Microsoft ... 29.11.2012

  11. WOW! 29.11.2012 11

  12. WOW - World Of Warcraft?  NO! It has nothing to do with fantasy ... and monsters … … so they say.  WOW: an acronym for … Windows On Windows  WOW64 stands for … Microsoft Windows ‐ 32 ‐ on ‐ Windows ‐ 64 29.11.2012 12

  13. 32 Bit vs. 64 Bit  Major differences for operating systems ...  Registers (32 Bit/64 Bit)  Instructionset (x86/x64)  Size of pointers (4 Byte/8 Byte)  Implications ...  Structures  Objects/Classes  Interfaces  Calls (API) 29.11.2012 13

  14. WOW64 specifics Memory Registry Management CPU, File System Instructionset 29.11.2012 14

  15. A new folder is born  "SysWOW64"  Mini ‐ 32 ‐ Bit ‐ Windows  Holds everything that's necessary for 32 Bit processes  A bitter aftertaste: Confusion, pure ...  System32 => 64 Bit executables  SysWOW64 => 32 Bit executables 29.11.2012 15

  16. File System Redirector  32 Bit applications need to be DIRECTED to use this backpacked 32 Bit Windows  ... or more precisely: REDIRECTED Access to ... ... is redirected to ... Folders %windir%\ System32 \ %windir%\ SysWOW64 \ %windir%\lastgood\ system32 \ %windir%\lastgood\ SysWOW64 \ Files %windir%\ regedit.exe %windir%\SysWOW64\ regedit.exe 29.11.2012 16

  17. An exemplary impact  Live forensics / malware analysis  A typical approach for a potentially infected system: 1. Spot suspicious files 2. Check them against databases a. using local tools b. using online services 3. Interpret findings 29.11.2012 17

  18. Preparations  Example file with MD5 hashes for the upcoming scenarios: The dynamic link library (DLL) " ieapfltr.dll " 32 Bit 64 Bit C:\Windows\SysWOW64\ieapfltr.dll C:\Windows\system32\ieapfltr.dll ee9d715af1b928982f417238b9914484 8eada158d964e3fd1999ad96c9c507ff Malicious! Good! 29.11.2012 18

  19. Impact: MD5 tool  Yet another MD5 tool (32 Bit) Good! Malicious! 32 Bit 64 Bit C:\Windows\SysWOW64\ieapfltr.dll C:\Windows\system32\ieapfltr.dll ee9d715af1b928982f417238b9914484 8eada158d964e3fd1999ad96c9c507ff 29.11.2012 19

  20. Impact: MD5 tool  Yet another MD5 tool (32 Bit) Good! Malicious! 32 Bit 64 Bit C:\Windows\SysWOW64\ieapfltr.dll C:\Windows\system32\ieapfltr.dll ee9d715af1b928982f417238b9914484 8eada158d964e3fd1999ad96c9c507ff 29.11.2012 20

  21. That's the WOW-Effect! 32 Bit Process 29.11.2012 21

  22. The root of our problem ... File System Redirection ... is done centrally! This should be done selectively! 29.11.2012 22

  23. Centrally? Selectively? WTF? ...  Some Background:  2 major things developers learn:  Keep your code modular  Try to avoid redundances Best practice: Changes are done in one "central" location.  That's just the way WOW64 is doing redirection. 29.11.2012 23

  24. Don't compare apples and oranges ...  BUT: This approach is only true when dealing with only one unified view  But here we have two views !  Comparing apples and oranges  Bad idea! Treat Treat executable file executable file as as CODE DATA 29.11.2012 24

  25. How it SHOULD be done ... WOW64 Filesystem Redirector CODE DATA 29.11.2012 25

  26. How it IS done ... WOW64 Filesystem Redirector CODE DATA 29.11.2012 26

  27. CODE or DATA access?  How could Microsoft restrict WOW64 filesystem redirection to "code treatment" only?  My suggestion: They should focus on the specifically "code ‐ flavored" file ‐ handling API functions  LoadLibrary  CreateProcess  ...  ... instead of doing this centrally during PATH handling 29.11.2012 27

  28. Impact: Virus Total  Checking via Virus Total 29.11.2012 28

  29. Impact: Virus Total Good! Malicious! 32 Bit 64 Bit C:\Windows\SysWOW64\ieapfltr.dll C:\Windows\system32\ieapfltr.dll ee9d715af1b928982f417238b9914484 8eada158d964e3fd1999ad96c9c507ff 29.11.2012 29

  30. Browsers?!  Most of the browsers out there are 32 Bit  64 Bit versions are becoming available, eventually.  IE on Windows 7 64 Bit by default 32 Bit  Thinking further ...  Any 64 Bit variants of System32 files on Virus Total? I couldn't find ONE . (November 2011)  Now: Well, the ones I tried.  Implication: Most of us have been fooled by the WOW ‐ Effect? 29.11.2012 30

  31. Filesystem iteration  File ‐ system iterations (FindFirstFile) are also affected by the File System Redirector  So, depending on the scenario  you get wrong files or  entirely miss files 29.11.2012 31

  32. Registry Redirector  Basically similar to Filesystem Redirector  2 coexistent views (32/64)  32 ‐ bit view is inside the 64 ‐ bit view in a special sub ‐ node: Wow6432Node  WOW64 knows 3 Modes to handle Registry access. Specific Registry keys are ...  shared ≡ same object  reflected (< Windows 7 / Server 2008 R2) ≡ same value (automa � cally synchronized)  redirected (  Not so awesome!) 29.11.2012 32

  33. Redirected Keys Registry ‐ Key Before Since Windows 7 and Windows 7 and Server 2008 R2 Server 2008 R2 HKLM\SOFTWARE Redirected Redirected HKLM\SOFTWARE\Classes Redirected and reflected Shared HKLM\SOFTWARE\Classes\Appid Redirected and reflected Shared HKLM\SOFTWARE\Classes\CLSID Redirected and reflected Redirected HKLM\SOFTWARE\Classes\DirectShow Redirected and reflected Redirected HKLM\SOFTWARE\Classes\Interface Redirected and reflected Redirected HKLM\SOFTWARE\Classes\Media Type Redirected and reflected Redirected HKLM\SOFTWARE\Classes\MediaFoundation Redirected and reflected Redirected HKLM\SOFTWARE\Clients Redirected Shared HKLM\SOFTWARE\Microsoft\COM3 Redirected and reflected Shared HKLM\SOFTWARE\Microsoft\EventSystem Redirected and reflected Shared HKLM\SOFTWARE\Microsoft\Notepad\DefaultFonts Redirected Shared HKLM\SOFTWARE\Microsoft\OLE Redirected and reflected Shared HKLM\SOFTWARE\Microsoft\RPC Redirected and reflected Shared HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths Redirected Shared HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers Redirected Shared HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons Redirected Shared HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\KindMap Redirected Shared HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PreviewHandlers Redirected Shared HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console Redirected Shared HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontLink Redirected Shared HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Gre_Initialize Redirected Shared HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options Redirected Shared HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Language Pack Redirected Shared HKCU\SOFTWARE\Classes Redirected and reflected Shared HKCU\SOFTWARE\Classes\Appid Redirected and reflected Shared HKCU\SOFTWARE\Classes\CLSID Redirected and reflected Redirected HKCU\SOFTWARE\Classes\DirectShow Redirected and reflected Redirected HKCU\SOFTWARE\Classes\Interface Redirected and reflected Redirected HKCU\SOFTWARE\Classes\Media Type Redirected and reflected Redirected HKCU\SOFTWARE\Classes\MediaFoundation Redirected and reflected Redirected 29.11.2012 33

  34. 34 "Damn autocorrect!" 29.11.2012

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Harbin Institute of Technology Microsoft Research Asia Microsoft Advanced Technology Center

Harbin Institute of Technology Microsoft Research Asia Microsoft Advanced Technology Center

ACM MM 2010 Dong Liu , Xian-Sheng Hua, Meng Wang and Hong-Jiang Zhang Harbin Institute of Technology Microsoft Research Asia Microsoft Advanced Technology Center medici chapel, Firenze, Italy... Loggia dei lanzi, sword, honeymoon, ...

313 views • 29 slides
Fools Gold: Understanding the Linguistic Features of Deception and Humour Through April

Fools Gold: Understanding the Linguistic Features of Deception and Humour Through April

Fools Gold: Understanding the Linguistic Features of Deception and Humour Through April Fools Hoaxes Ed Dearden e.dearden@lancaster.ac.uk Hell Planet Why do we care about April Fools? False Information But where does April

930 views • 79 slides
Gold and Fools Gold: Successes, Failures, and Futures in Computer Systems Research Butler

Gold and Fools Gold: Successes, Failures, and Futures in Computer Systems Research Butler

Gold and Fools Gold: Successes, Failures, and Futures in Computer Systems Research Butler Lampson Microsoft Usenix Annual Meeting June 2, 2006 Context: Moores Law and Friends months 10 years 6/2006 6/2006 cost for 2 x best

539 views • 29 slides
ARBITRATION AGREEMENTS ARE YOU UNINTENTIONALLY DELEGATING CLASS ARBITRABILITY TO THE

ARBITRATION AGREEMENTS ARE YOU UNINTENTIONALLY DELEGATING CLASS ARBITRABILITY TO THE

ARBITRATION AGREEMENTS ARE YOU UNINTENTIONALLY DELEGATING CLASS ARBITRABILITY TO THE ARBITRATOR? Martin E. Burke Partner (Tampa and Birmingham) October 17, 2019 Prefatory Remarks Who decides whether to allow arbitration of class

176 views • 13 slides
Microsoft Healthcare Evangelist Facilitating Engagement: Incorporating Modern Technology in

Microsoft Healthcare Evangelist Facilitating Engagement: Incorporating Modern Technology in

Microsoft Healthcare Evangelist Facilitating Engagement: Incorporating Modern Technology in Healthcare Environments July 26, 2019 Analytics &amp; Consumerization Reshaping Industries Microsoft Invests $5 Billion In IoT Our goal is to give

417 views • 17 slides
5.2 Microsoft Excel Microsoft Excel Microsoft Excel is the spreadsheet component of the

5.2 Microsoft Excel Microsoft Excel Microsoft Excel is the spreadsheet component of the

5.2 Microsoft Excel Microsoft Excel Microsoft Excel is the spreadsheet component of the Microsoft Office Suite. It is used primarily to enter, edit, format, sort, perform mathematical computations, save, retrieve and print numeric

717 views • 32 slides
Judicious Selection of Training Data in Assisting Microsoft AI &amp; Research, Technology Bombay

Judicious Selection of Training Data in Assisting Microsoft AI &amp; Research, Technology Bombay

Judicious Selection of Training Data in Assisting Microsoft AI &amp; Research, Technology Bombay Indian Institute Of CFILT Lab, Pushpak Bhattacharyya ankunchu@microsoft.com Hyderabad, India Anoop Kunchukuttan Language for Multilingual

1.27k views • 37 slides
Microsoft Partners Agenda 2:00-2:30pm Registration 2:30-3:00pm SME Technology Programme

Microsoft Partners Agenda 2:00-2:30pm Registration 2:30-3:00pm SME Technology Programme

Microsoft Partners Agenda 2:00-2:30pm Registration 2:30-3:00pm SME Technology Programme Highlight 3:00-3:30pm Partnering with ISV to enrich your SME offers 3:30-3:45pm Break 3:45-4:15pm Modernize SME Technology infrastructure with

661 views • 49 slides
Enhancing 21 st Century Technology Skills with a 1:1 Tablet Initiative and Microsoft Office 365

Enhancing 21 st Century Technology Skills with a 1:1 Tablet Initiative and Microsoft Office 365

Enhancing 21 st Century Technology Skills with a 1:1 Tablet Initiative and Microsoft Office 365 Dr. Michael Otaigbe, School Board Dr. Steven L. Walts, Superintendent Keith Imon, Associate Superintendent of Communications and Technology

610 views • 43 slides
6/18/2018 Sunday, April 1 This is Easter AND April Fools Day! If you believe in the resurrection

6/18/2018 Sunday, April 1 This is Easter AND April Fools Day! If you believe in the resurrection

6/18/2018 Sunday, April 1 This is Easter AND April Fools Day! If you believe in the resurrection of Jesus, are you some sort of April Fool? Hope or Hoax? Some women claim the tomb is empty, and angels announced to them that Jesus is alive

205 views • 4 slides
Proverbs 1:32 For the waywardness of the simple will kill them, and the complacency of fools will

Proverbs 1:32 For the waywardness of the simple will kill them, and the complacency of fools will

Proverbs 1:32 For the waywardness of the simple will kill them, and the complacency of fools will destroy them; Proverbs 18:21 The tongue has the power of life and death, and those who love it will eat its fruit. 1. The power of our words

719 views • 38 slides
4.2 Microsoft Word Microsoft Word is the word processing component of the Microsoft Office

4.2 Microsoft Word Microsoft Word is the word processing component of the Microsoft Office

4.2 Microsoft Word Microsoft Word is the word processing component of the Microsoft Office Suite It is used primarily to enter, edit, format, save, retrieve and print documents Objectives Identify the main components of the user

399 views • 29 slides
Realizing Value From the Data Presented by Bhasker Joshi Microsoft Corporation

Realizing Value From the Data Presented by Bhasker Joshi Microsoft Corporation

Realizing Value From the Data Presented by Bhasker Joshi Microsoft Corporation bhasker.joshi@microsoft.com Agenda Technology and Trends OSIsoft Microsoft Alliance Real World Examples 2 Technologies and Trends Ubiquitous

255 views • 21 slides
Proverbs 1:7 NIV The fear of the LORD is the beginning of knowledge, but fools despise wisdom and

Proverbs 1:7 NIV The fear of the LORD is the beginning of knowledge, but fools despise wisdom and

Proverbs 1:7 NIV The fear of the LORD is the beginning of knowledge, but fools despise wisdom and instruction. Proverbs 1:2-4 AT 2 to learn wisdom and discipline, to understand words of insight 3 to acquire the discipline of good judgment,

594 views • 21 slides
In the Kingdom of Fools by A.K. Ramanujan Presentation Module - I A. K. Ramanujan Indian

In the Kingdom of Fools by A.K. Ramanujan Presentation Module - I A. K. Ramanujan Indian

In the Kingdom of Fools by A.K. Ramanujan Presentation Module - I A. K. Ramanujan Indian poet Description Attipate Krishnaswami Ramanujan was an Indian poet and scholar of Indian literature who wrote in both English and Kannada. Ramanujan

316 views • 8 slides
Living in a fools wireless - secured paradise Stefan Kiese Topics Wireless (consumer)

Living in a fools wireless - secured paradise Stefan Kiese Topics Wireless (consumer)

Living in a fools wireless - secured paradise Stefan Kiese Topics Wireless (consumer) alarm systems Hardware Software Hacking it ;) 2015/10/02 Stefan Kiese 2 About me Security Analyst @ ERNW Heidelberg, Germany

690 views • 23 slides
Outline Introduction and background How we got where we are today How we got where we

Outline Introduction and background How we got where we are today How we got where we

Criteria Towards Metrics for Benchmarking Template Protection Algorithms Koen Simoens K.U.Leuven COSIC 3 rd Edward van der Meulen Seminar Heverlee, 7 December 2011 Outline Introduction and background How we got where we are today

540 views • 35 slides
SPELLING AND GRAMMAR Know the statutory guidelines for each year group. Know the expectations

SPELLING AND GRAMMAR Know the statutory guidelines for each year group. Know the expectations

SPELLING AND GRAMMAR Know the statutory guidelines for each year group. Know the expectations across the whole school Know what the statutory tests look like for spelling and grammar To understand further the importance of spelling and

448 views • 31 slides
Discussion Topics and Ego Networks on Twitter Emma S. Spiro University of California, Irvine

Discussion Topics and Ego Networks on Twitter Emma S. Spiro University of California, Irvine

Discussion Topics and Ego Networks on Twitter Emma S. Spiro University of California, Irvine Department of Sociology Presented at MURI AHM May 25, 2010 This material is based on research supported by the Office of Naval Research under award

615 views • 25 slides
REVERSE THE CURSE (GENESIS 3) WHERE DID SATAN AND SIN COME FROM? GENESIS 3:1 NOW THE SERPENT

REVERSE THE CURSE (GENESIS 3) WHERE DID SATAN AND SIN COME FROM? GENESIS 3:1 NOW THE SERPENT

REVERSE THE CURSE (GENESIS 3) WHERE DID SATAN AND SIN COME FROM? GENESIS 3:1 NOW THE SERPENT WAS MORE CRAFTY THAN ANY OTHER BEAST OF THE FIELD THAT THE LORD GOD HAD MADE. THROWBACK ALL SIN IS SIMPLY SATANISM. @chipdean THROWBACK EVERY

425 views • 39 slides
Metrics in MMP Development and Operations Larry Mellon GDC, Spring 2004 Talk Checklist

Metrics in MMP Development and Operations Larry Mellon GDC, Spring 2004 Talk Checklist

Metrics in MMP Development and Operations Larry Mellon GDC, Spring 2004 Talk Checklist Outline complete Key Points complete Text draft complete Rehearsals incomplete Add Visuals during Rehearsals incomplete Neck down

393 views • 25 slides
Some recent progress in geometric methods for instability of Hamiltonian systems. Rafael de la

Some recent progress in geometric methods for instability of Hamiltonian systems. Rafael de la

Some recent progress in geometric methods for instability of Hamiltonian systems. Rafael de la Llave Georgia Institute of Technology Rome, Feb 2019 Report on joint work with M. Capinski, M. Gidea, T.M. Seara and work of other people. Rafael

955 views • 72 slides
NP Completeness Tractability Polynomial time Stephen Cook Leonid Levin Richard Karp

NP Completeness Tractability Polynomial time Stephen Cook Leonid Levin Richard Karp

NP Completeness Tractability Polynomial time Stephen Cook Leonid Levin Richard Karp Computation vs. verification Power of non-determinism Encodings Transformations &amp; reducibilities P vs. NP Completeness

1.13k views • 99 slides
Assassin Bugs Biodiversity, Diet and Phylogenetics Yeo Huiqing Supervisors: Professor Rudolf

Assassin Bugs Biodiversity, Diet and Phylogenetics Yeo Huiqing Supervisors: Professor Rudolf

Assassin Bugs Biodiversity, Diet and Phylogenetics Yeo Huiqing Supervisors: Professor Rudolf Meier Dr. Hwang Wei Song Department of Biological Sciences, Lee Kong Chian Natural History Museum, University Scholars Programme, NUS Piercing,

359 views • 18 slides

More recommend