when e t comes into windows mobile 6
play

When E.T. comes into Windows Mobile 6 a.k.a. PoC(k)ET Cedric - PowerPoint PPT Presentation

Mar 16, 2024 •265 likes •859 views

When E.T. comes into Windows Mobile 6 a.k.a. PoC(k)ET Cedric Halbronn Sogeti / ESEC R&D cedric(at)security-labs.org Hack.lu 2009 Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Context / Objectives 1

  1. When E.T. comes into Windows Mobile 6 a.k.a. PoC(k)ET Cedric Halbronn Sogeti / ESEC R&D cedric(at)security-labs.org Hack.lu 2009

  2. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Context / Objectives 1 Technical aspects of WM6 2 Implementation 3 General architecture Injection Protection Backdoor Services Demo 4 C. Halbronn When E.T. comes into Windows Mobile 6 2/35

  3. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Context Who am I? Security researcher working at Sogeti ESEC R&D lab Focusing on mobile security A smartphone? Mobile phone ✲ smartphone Various services PDA, Web, camera, GPS, microphone, etc. Current OS : Symbian, RIM OS, Windows Mobile 6, iPhone OS, Android Studies on mobile phones rootkits capabilities still limited C. Halbronn When E.T. comes into Windows Mobile 6 3/35

  4. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Context Who am I? Security researcher working at Sogeti ESEC R&D lab Focusing on mobile security A smartphone? Mobile phone ✲ smartphone Various services PDA, Web, camera, GPS, microphone, etc. Current OS : Symbian, RIM OS, Windows Mobile 6, iPhone OS, Android Studies on mobile phones rootkits capabilities still limited C. Halbronn When E.T. comes into Windows Mobile 6 3/35

  5. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Objectives TODO list Develop a rootkit for WM6 What is a “rootkit”? Post-exploitation Components: Injection Protection Backdoor Services Taking into account... Embedded constraints / mobile environment Services on the table C. Halbronn When E.T. comes into Windows Mobile 6 4/35

  6. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Objectives TODO list Develop a rootkit for WM6 What is a “rootkit”? Post-exploitation Components: Injection Protection Backdoor Services Taking into account... Embedded constraints / mobile environment Services on the table C. Halbronn When E.T. comes into Windows Mobile 6 4/35

  7. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Objectives TODO list Develop a rootkit for WM6 What is a “rootkit”? Post-exploitation Components: Injection Protection Backdoor Services Taking into account... Embedded constraints / mobile environment Services on the table C. Halbronn When E.T. comes into Windows Mobile 6 4/35

  8. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Context / Objectives 1 Technical aspects of WM6 2 Implementation 3 General architecture Injection Protection Backdoor Services Demo 4 C. Halbronn When E.T. comes into Windows Mobile 6 5/35

  9. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Virtual Memory Address Space Global Virtual Memory Address Space (4GB) C. Halbronn When E.T. comes into Windows Mobile 6 6/35

  10. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Loading DLLs Loading DLLs under Windows Mobile 6 C. Halbronn When E.T. comes into Windows Mobile 6 7/35

  11. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Security policies Where? Registry: [HKLM \ Security \ Policies \ Policies] Some examples Policy ID Description Auto Run Policy ”2” 0 (allowed to run automatically), 1 (restricted) Unsigned Applications Policy ”1006” 1 (allowed to run), 0 (not allowed to run) Unsigned Prompt Policy ”101A” 0 (user will be prompted), 1 (user will not be prompted) Password Required Policy ”1023” 0 (a password is required), any other (a password is not required) C. Halbronn When E.T. comes into Windows Mobile 6 8/35

  12. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Security policies Where? Registry: [HKLM \ Security \ Policies \ Policies] Some examples Policy ID Description Auto Run Policy ”2” 0 (allowed to run automatically), 1 (restricted) Unsigned Applications Policy ”1006” 1 (allowed to run), 0 (not allowed to run) Unsigned Prompt Policy ”101A” 0 (user will be prompted), 1 (user will not be prompted) Password Required Policy ”1023” 0 (a password is required), any other (a password is not required) C. Halbronn When E.T. comes into Windows Mobile 6 8/35

  13. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Application signing Stores for code execution Privileged store: privileged execution trust authorities Unprivileged store: unprivileged execution trust authorities SPC (Software Publisher Certificates) store: trust authorities for CAB installation ✲ sign DLLs, EXEs or CABs and put certificate in right store Stores for SSL chain validation, NOTHING to do with code execution MY: end-user personal certificates CA: intermediary certification authorities certificates ROOT: root (self-signed) certificates C. Halbronn When E.T. comes into Windows Mobile 6 9/35

  14. Context / Objectives Technical aspects of WM6 Implementation Demo Conclusion Application signing Stores for code execution Privileged store: privileged execution trust authorities Unprivileged store: unprivileged execution trust authorities SPC (Software Publisher Certificates) store: trust authorities for CAB installation ✲ sign DLLs, EXEs or CABs and put certificate in right store Stores for SSL chain validation, NOTHING to do with code execution MY: end-user personal certificates CA: intermediary certification authorities certificates ROOT: root (self-signed) certificates C. Halbronn When E.T. comes into Windows Mobile 6 9/35

  15. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Context / Objectives 1 Technical aspects of WM6 2 Implementation 3 General architecture Injection Protection Backdoor Services Demo 4 C. Halbronn When E.T. comes into Windows Mobile 6 10/35

  16. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Plan Context / Objectives 1 Technical aspects of WM6 2 Implementation 3 General architecture Injection Protection Backdoor Services Demo 4 C. Halbronn When E.T. comes into Windows Mobile 6 11/35

  17. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Technical choices Architecture Hide its presence from phone’s user Expatriate information Technical choices 32-process limit ✲ Single .EXE multi-threads DLLs impact ✲ limit their size Battery usage ✲ limit actions when needed Heterogeneous environment C. Halbronn When E.T. comes into Windows Mobile 6 12/35

  18. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Technical choices Architecture Hide its presence from phone’s user Expatriate information Technical choices 32-process limit ✲ Single .EXE multi-threads DLLs impact ✲ limit their size Battery usage ✲ limit actions when needed Heterogeneous environment C. Halbronn When E.T. comes into Windows Mobile 6 12/35

  19. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Architecture Rootkit general architecture C. Halbronn When E.T. comes into Windows Mobile 6 13/35

  20. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Plan Context / Objectives 1 Technical aspects of WM6 2 Implementation 3 General architecture Injection Protection Backdoor Services Demo 4 C. Halbronn When E.T. comes into Windows Mobile 6 14/35

  21. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Rootkit injection Injection methods Smartphone access Vulnerability exploit ✲ Ex: MMS handler in WM2003 WAP Push message Web link ✲ Ex: Etisalat operator in the United Arab Emirates (UAE) for Blackberries OTA provisioning Our context Pop-up Smartphone access Unsigned CAB ✲ Pop-up C. Halbronn When E.T. comes into Windows Mobile 6 15/35

  22. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Rootkit injection Injection methods Smartphone access Vulnerability exploit ✲ Ex: MMS handler in WM2003 WAP Push message Web link ✲ Ex: Etisalat operator in the United Arab Emirates (UAE) for Blackberries OTA provisioning Our context Pop-up Smartphone access Unsigned CAB ✲ Pop-up C. Halbronn When E.T. comes into Windows Mobile 6 15/35

  23. Context / Objectives General architecture Technical aspects of WM6 Injection Implementation Protection Demo Backdoor Conclusion Services Plan Context / Objectives 1 Technical aspects of WM6 2 Implementation 3 General architecture Injection Protection Backdoor Services Demo 4 C. Halbronn When E.T. comes into Windows Mobile 6 16/35

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box

Windows Not just for houses Windows 1-10 Windows Server Essentially a jacked up windows 8 box - Still GUI based - Still makes no sense - No start menu :( - (Install classic shell)... trust me... Windows Server What can it do? - Email

1.06k views • 37 slides
Usability and Small Screens SWEN-444 iPhone Android Windows Phone 8 The phrase mobile

Usability and Small Screens SWEN-444 iPhone Android Windows Phone 8 The phrase mobile

Usability and Small Screens SWEN-444 iPhone Android Windows Phone 8 The phrase mobile usability is pretty much an oxymoron. It's neither easy nor pleasant to use the Web on mobile devices. designing for mobile is hard

337 views • 14 slides
SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON MOBILE DEVICES Key Questions 1. How are Web

SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON MOBILE DEVICES Key Questions 1. How are Web

Anil Dhawan, Program Manager Rich Internet Applications Windows Mobile [anild@microsoft.com] Geir Olsen, Program Manager Security for Windows Mobile [geiro@microsoft.com] Microsoft Corp SECURITY CHALLENGES FOR INTERNET TECHNOLOGIES ON

454 views • 6 slides
Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple

Windows Not Just For Houses Everyone Uses Windows! Versions of Windows 10 There are multiple different versions of Windows 10 that support different features The version of Windows that we will be using is Enterprise edition This

973 views • 53 slides
Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development

Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development

Mobile Web Applications using HTML5 L. Cotfas 14 Dec. 2011 Reasons for mobile web development Many different platforms: Android, IPhone, Symbian, Windows Phone/ Mobile, MeeGo (only a few of them) Reasons for mobile web development

435 views • 31 slides
Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8

Windows 8 Heap Internals Windows 8 Heap Internals Windows 8 Heap Internals INTRODUCTION Windows 8 Heap Internals Who Chris Valasek (@nudehaberdasher) Sr. Research Scientist Coverity Tarjei Mandt (@kernelpool) Vulnerability

1.33k views • 91 slides
Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier Computer Science Dept. Worcester Polytechnic Institute (WPI) What is mobile malware? Targeted at Android, iOS, Symbian (discontinued), Windows Phone

507 views • 17 slides
DeepSec 2011 Windows Pwn 7 OEM Owned Every Mobile? Alex Plaskett November 2011 Main

DeepSec 2011 Windows Pwn 7 OEM Owned Every Mobile? Alex Plaskett November 2011 Main

DeepSec 2011 Windows Pwn 7 OEM Owned Every Mobile? Alex Plaskett November 2011 Main Objectives Provide a brief overview of WP7 OS and the security model Allow developers / security professionals to understand the platform

1.06k views • 86 slides
mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

mc-a ISSUED DATE McAlpine Architecture PC (T) E-mail: 34-26 Street 212.366 .0700

WINDOWS TO BE REPLACED, APT. 508/509 UPPER SASH OF BATHROOM WINDOW WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WINDOWS TO BE REPLACED, APT. 508/509 WITH LOUVER IN PLACE OF GLASS FOR A/C mc-a mc-a mc-a mc-a

217 views • 8 slides
Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security

Windows NT Security Windows 95, 3.1, 3.11 are basically DOS and they have no security whatsoever. Windows NT has security features, especially as a computer in a network. Security of Windows NT should be understood correctly. In

592 views • 31 slides
Windows 10 Microsoft Lunch & Learn 55% SMBs support a mobile workforce Alignment with MB

Windows 10 Microsoft Lunch & Learn 55% SMBs support a mobile workforce Alignment with MB

Windows 10 Microsoft Lunch & Learn 55% SMBs support a mobile workforce Alignment with MB 81% AMI-Partners GM 2H 2013 Business Strategy SB 73% 97M devices in 2013 AMI-Partners GM 2H 2013 Growing to 147M in 2018 43% of SMB employees

303 views • 3 slides
Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux kernel

Unit OS B: Comparing the Linux and Windows Kernels Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section B A Brief History of Windows and Linux Comparing the Windows and Linux

430 views • 25 slides
1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7

1. 2. 3. 1. 2. 3. Windows 10 IoT Core Universal Windows Platform (UWP) Microsoft Azure v7 v8 Windows Embedded Standard One core Multiple SKUs v8. Windows Embedded 1 Windows 10 Windows Embedded Handheld Converged OS kernel Converged

1.08k views • 60 slides
Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS

Windows 8/RT and Wine Admittedly not usually ARM-specific Ridiculous Terminology MS introduced a mess of new terms for Windows 8, and I have to go through them so we dont get confused. Windows RT: An edition of Windows 8 that runs on

389 views • 8 slides
DEVICES Geoffrey Zweig Outline What is Mobile Voice search? An example: Live Search for

DEVICES Geoffrey Zweig Outline What is Mobile Voice search? An example: Live Search for

Microsoft Research ---- Lang Tech 2008 VOICE SEARCH ON MOBILE DEVICES Geoffrey Zweig Outline What is Mobile Voice search? An example: Live Search for Windows Mobile Why is it important? The Competitive Landscape Basic

913 views • 48 slides
26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE Anyone who wants to understand Windows security

26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE Anyone who wants to understand Windows security

CHAPTER 26 W INDOWS S ECURITY 26.1 FUNDAMENTAL WINDOWS SECURITY ARCHITECTURE.................. 2 26.2 WINDOWS VULNERABILITIES ................................................. 18 26.3 WINDOWS SECURITY DEFENSES

537 views • 43 slides
Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion &

Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion &

Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion & Hypervisor Technologies and Consulting Ltd Muli Ben-Yehuda (Technion & Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 1 /

553 views • 21 slides
eKimono: Detecting Rootkits inside Virtual Machines DeepSec 2009, 19th-20th/11/2009 Nguyen Anh

eKimono: Detecting Rootkits inside Virtual Machines DeepSec 2009, 19th-20th/11/2009 Nguyen Anh

eKimono: Detecting Rootkits inside Virtual Machines DeepSec 2009, 19th-20th/11/2009 Nguyen Anh Quynh, Kuniyasu Suzaki, Ruo Ando The National institute of Advanced Industrial Science & Technology (AIST), Japan 1 Who am I? NGUYEN Anh

639 views • 59 slides
Code Integrity Protection Mechanisms Ralf Hund Thorsten Holz Felix C. Freiling

Code Integrity Protection Mechanisms Ralf Hund Thorsten Holz Felix C. Freiling

University of Mannheim, Germany Laboratory for Dependable Distributed Systems Return-Oriented Rootkits: Bypassing Kernel Code Integrity Protection Mechanisms Ralf Hund Thorsten Holz Felix C. Freiling University of Mannheim

497 views • 22 slides
Math 5490 9/29/2014 Glacial Cycles Math 5490 September 29, 2014 The Big Picture Topics in

Math 5490 9/29/2014 Glacial Cycles Math 5490 September 29, 2014 The Big Picture Topics in

Math 5490 9/29/2014 Glacial Cycles Math 5490 September 29, 2014 The Big Picture Topics in Applied Mathematics: Introduction to the Mathematics of Climate Mondays and Wednesdays 2:30 3:45

370 views • 9 slides
Guest-Transparent Instruction Authentication Dannie M. Stanley for Self-Patching Kernels Purdue

Guest-Transparent Instruction Authentication Dannie M. Stanley for Self-Patching Kernels Purdue

Guest-Transparent Instruction Authentication Dannie M. Stanley for Self-Patching Kernels Purdue University / CERIAS 09/20/12 Dannie Stanley Rick Porter Shane Snyder Zhui Deng Systems & Security Research CERDEC Applied Communication

434 views • 39 slides
4/22/2009 Virtualization Memory virtualization Process feels like it has its own address

4/22/2009 Virtualization Memory virtualization Process feels like it has its own address

4/22/2009 Virtualization Memory virtualization Process feels like it has its own address space Created by MMU, configured by OS Distributed Systems Storage virtualization Logical view of disks connected to a machine

407 views • 3 slides
Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit

Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit

Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking Linux Rootkit Conclusion Adrien schischi Schildknecht July 17, 2015 Linux Rootkit Adrien schischi Schildknecht IDT hooking Syscall hooking

297 views • 17 slides
Advances in PassiveDNS Replication FIRST 24, Malta 19 June 2012 Architecture: Robert Edmonds

Advances in PassiveDNS Replication FIRST 24, Malta 19 June 2012 Architecture: Robert Edmonds

Advances in PassiveDNS Replication FIRST 24, Malta 19 June 2012 Architecture: Robert Edmonds Presented by: Eric Ziegast Internet Systems Consortium, Inc. Agenda Review of PassiveDNS Replication How it works, Why it's useful, History,

884 views • 39 slides

More recommend