Trustworthy Computing * Reverse engineers agree on that! - PowerPoint PPT Presentation



SLIDE 3

* Reverse engineers agree on that!

SLIDE 9

* http://technet.microsoft.com/en-us/library/dd837644(v=WS.10).aspx

SLIDE 12

SetProcessDEPPolicy

SLIDE 14

ntdll!NtMapViewOfSection

SLIDE 23

* https://code.google.com/p/ropguard/

SLIDE 24

Note: EMET 4.0 implements ROP mitigations for 32-bit processes only

SLIDE 28

* http://research.microsoft.com/en-us/projects/detours/

SLIDE 31

kernel32!VirtualAllocEx()

SLIDE 38

CALL kernel32!VirtualAlloc ; <- target

SLIDE 39

RET RET

SLIDE 48

The API call to VirtualAlloc() happens at 0x6D970A6A, thus triggering EXEC flow simulation.

SLIDE 52

Load library checks

SLIDE 53

Memory protection change

SLIDE 59

* http://msdn.microsoft.com/en-us/library/windows/desktop/aa382405(v=vs.85).aspx

SLIDE 60

http://blogs.technet.com/b/srd/archive/2013/05/08/emet-4-0-s-certificate-trust-feature.aspx
http://blogs.technet.com/b/srd/archive/2013/04/18/introducing-emet-v4-beta.aspx

SLIDE 62

emet_feedback@microsoft.com
