
(Lady|)Lord Of The Ring

BSides TLV · 2023 · 35:46 · 1.2K views · Published 2023-07
About this talk
Ido Veltzman speaking at BSidesTLV 2023: (Lady|)Lord Of The Ring
Transcript [en]

...moment as we get ready for the next speech, which is our last deep-dive technical talk of the day before the CTF announcement. So the moment we've all been waiting for is almost here. Now, before I invite the next speaker on stage, I want you to know this talk is also inspired by some fantastic Tolkien works. So the next talk is about (Lady|)Lord of the Ring Zero. This is a deep-dive technical talk; after that we're gonna have our CTF announcement. Now let me know if you had the chance to meet our sponsors. Did you get swag? Did you get food? Did you get stickers? Anybody want some more stickers? Too bad, I'm out; should have been here earlier.

All right, so this next speaker, his name is Ido. Let me tell you something: we had a whole bunch of different speakers backstage today, and this guy is ice cold. He's the coolest speaker we had; everybody else was nervous, excited, not this guy. He knows his stuff. Please help me welcome him to the stage. Thank you, come right here, it's not for the camera, right there. Yeah, so Ido is going to talk to us about being a lady or a lord, take your pick, of the Ring Zero, and he's going to be going deep into all of that stuff. He's got experience with kernel development, he's got experience with reverse engineering, with OS internals. What do you do in your free time? You know, going to the gym, playing drums, releasing code on GitHub, as one does. Okay, you got everything you needed, though? Yes. Everybody here ready? Last technical deep dive of the day until the CTF announcement, let's hear it for Ido, let him know you're still here. Oh yeah, all right, let's go, there we go.

So first of all, thank you BSides for having me here, thank you all for staying, and let's start. So my name is Ido. I'm doing open source on GitHub, doing some projects related to evasion, related to kernel development, related to injection methods. I'm posting it here, and there is also a QR code here for you to follow along, and we will also have code snippets. But besides that, if anyone wants to look at the code of the driver I'm going to use: I'm going to use Nidhogg, which is my open source rootkit, and I will use it for the demo today. I'm also posting blogs at this URL about my projects, about kernel development, and the blog post "Lord of the Ring Zero" is what inspired today's talk.

So what we're going to have today: we're going to learn how to hide our user mode malware and artifacts. We are going to talk about anti-detection, about unregistering callbacks, about disabling ETW TI, about IRP hooking (and what an IRP is), we're going to talk a little about PatchGuard and DSE and how we can bypass them, and some tips about safe kernel development, and a little bit of puns on the side. So let's start.

So first of all, what is a kernel callback? In this section we're going to talk about what a kernel callback is, how the antiviruses are using kernel callbacks, and how it can be used from an offensive point of view and a defensive point of view. So first of all, what is a kernel callback? A kernel callback is a mechanism that provides a general way for drivers to get information about events that happen in the kernel. If, for example, you want to access some file and you don't have permissions to, some driver needs to handle it and give you the access denied you're all used to getting. And if you're trying to create some process, and this is for example Mimikatz, a very well-known bad process, some antivirus will want to inspect it. How they're doing it is via callbacks, and the operating system knows to call the callbacks from a callback list, which is where they are installed. So in the callback list there is just a list of all the addresses of the functions that the operating system needs to run, and it calls and executes them one by one.

So we are going to talk about three different types of callbacks today, and the first one will be the object callback. An object callback is a callback that is registered for every event of a pre or post operation. For example, if you want to open a handle to a process, and a driver registered one, a pre-open process callback will be called. We can see here an example of registering that kind of callback, two callbacks actually: one for pre-open process and the other one for pre-open thread. We're registering with ObRegisterCallbacks and with our registration handle (we're going to get a registration handle back), and with our altitude, which is a unique identifier for each driver that wants to register a callback. So this is the example of the pre-open process callback which I use in my driver, Nidhogg. This code is written in C++, and what we're having here is: I wanted to protect my malicious process from being dumped or accessed by antivirus, so I'm checking if someone wants to access my process, and if it does, I'm just removing the permissions for closing the process, terminating that process, dumping the process memory, reading that process's memory, and so on, and just returning the stripped handle. So basically, if it wanted to terminate me, it can't do it anymore.

We have a lot of types of callbacks. We have a callback type for key operations, we have a type for files, we have them for events, for processes, threads, tokens. Not all of them are enabled by default, but we can enable them; we will see later on why we can't really turn them on. Every callback consists of a certain structure, which is the object type, and it contains the type list, which is just a linked list to all the other object types; we have the name of the callback; we have the lock that we can use to make sure that no one else is using and iterating that object type; we have the callback list; and we have also other members that we won't discuss today. But one picture is worth a thousand words and a demo is worth even more, so I'm having here a presentation of the pre-open process callback. Here we can see that I'm having two shells: I have the right shell that I'm using to activate and use my driver, and the left shell that is SYSTEM. We can see that I have a process named notepad and I want to protect it. Let's assume this is Mimikatz, this is some process I want to protect; I don't want antiviruses to scan it, I don't want anyone to dump it. And here I added it, and I show that I'm in fact SYSTEM and trying to kill it, but I can't, I get access denied. And when I remove that process from the list, we can see that once again I will be able to kill it. So here it is right now, trying to do the task here, and in a second it's done.

We also have another type, notify routines. I think that every red team member in the crowd already heard so much about it, but I don't know how many of you actually dug into it, so let's do it today. So notify routines are three types of routines. We have the create process one, where what it does is we can get every operation of creating a process or terminating a process; we have one also for threads; and we have one for image loading. We don't have one for image unloading, just image loading. So here we also have a little demo, and here I didn't use Nidhogg, I used a driver of my own, and what I'm doing here is just: the driver denies the opening of a process called notepad. But if we are an antivirus we can do it not for notepad but for known bad processes that many threat actors are using, and it can be helpful. We can also use it not only just to block the creation of a process, but we can do it also, for example, if we want to examine a process when it is created and search for any type of malicious shellcode or any other thing that can point that this process is illegitimate.

The last type of callback is the registry callback. A registry callback happens every time there is a registry operation. How we can register it is by giving the function that will handle the registry operations; we can give it an altitude, which, like we said, is the driver's unique identifier; we can give it a context, we will get a context, sorry; and we will also get a cookie, which we can use later to unregister that callback. So this is the function that handles all the registry operations in my driver, in which I chose to handle pre-delete key, pre-delete value, set value, query value. Anyone can guess what we can use it for? For query value, for example? No one? Okay. So we can use it, for example, if someone wants to iterate or check if some value exists. A very common registry key for red teams and protectors is the Run key, which we all know and love, or hate, depending on your side. And what we can do is still put our malware there but hide it, so that when everyone that wants to query that value checks if there is something under the Run key, we can just hide our malware from there. And this is exactly what this function does: this function is checking if the caller is... if someone wants to do an operation on the user mode object, and if it does, it continues, and we're getting the registry key name and then the registry value and doing some validations to make sure we're not crashing the computer, and then we're trying to find it on some list that I defined, that you can add your registry keys, your registry values to, and just protect your item, for example in this case the value. And we can see that if we find that item on that list, we're returning STATUS_NOT_FOUND. This is another demo: as we can see, we have here under our Run key Gandalf saying "fly, you fools", and let's assume this Gandalf is a malicious one and we want to hide it from the user. So as you can see, I hid it and then it's no longer there, we can no longer see it, but once I restore it we can see it once again.

We saw that callbacks give a lot of information. We're getting information about, for example, processes, registry, threads, loading DLLs; we're getting tons of information that we, as malware developers this time, won't want to exist. So what can we do? How can we find this callback and unregister it, and just blind that spot of the anti-malware vendors? We're going to talk about this right now, and we will also have some nice demo of unregistering the WdFilter driver, which is the Windows Defender minifilter driver. Like we said earlier, all the callbacks are stored within the callback list, so it means that what we can do is just iterate that list and find if the callback that we want to unregister matches the image base of the kernel driver that we want to remove. So let's say we want to remove the callback of Windows Defender. What can we do? What we can do is list all the callbacks, find the callback that we want, and connect it to Windows Defender by finding the image base of Windows Defender and seeing that it maps. So this is the demo. For the demo I chose OB callbacks. We can see here that I'm querying all the pre-open handle callbacks for processes; we can see the value of WdFilter here, and here we are removing it, and after we remove it we see that it was replaced with another callback pointing to my driver. That callback does essentially nothing, and because the callback of the WdFilter driver will never be called, all the detections that rely on that callback will also never be fired.

But this isn't all. In the kernel we can do lots of stuff, not only callbacks. What else can we do? Well, we can use also another thing called ETW TI. Let's go a little bit back and explain what ETW is. So ETW is a mechanism that Windows provides us to log and to trace all kinds of events that happen on the operating system, whether this is a user logon, whether this is some application that ran, or something that crashed. But what is ETW TI? Well, ETW consists of providers; each provider is responsible for handling and logging the information for that provider. For example, there's a provider called ETW TI, or ETW Threat Intelligence, whose whole purpose is to log events related to security. So if there is some interesting stuff like remote writing to virtual memory, which can imply something bad, or remote queuing of an APC, which is a very common method to inject shellcode, ETW TI can give you that information and help the defenders to get more insights, create more detections, and deny the execution of the malware.

So how can we disable it? Each provider is made out of the struct ETW_REG_ENTRY; it contains within it the ETW_GUID_ENTRY, that contains within it the TRACE_ENABLE_INFO, and in this TRACE_ENABLE_INFO there is a little value here called IsEnabled. So what we can do is just zero it, and everything that uses that provider won't be able to use it because it's seemingly disabled. How can we do it for real and not just the flashing lights? I want to show some code. So this is the code that can be used, and how we can do it is by choosing some function that is close to that provider object that we want to get, and then we can use a signature that we found of that object, search for it within the kernel near that function to find it, find the struct of the enable information, and just copy the value 0 to IsEnabled if we want to zero it, or, if we want to restore it, we can copy the original value.

Let's talk about the other thing here, IRP hooking. So there's a lot of information, and I hope that... if you want, this presentation will be published, so don't worry. So, IRP hooking. Let's talk about something first, which is the driver object. The driver object is the object that represents each driver in the kernel. It contains the initialization function, the unloading function, the device object, and also something called major functions. Major functions, as you can see, is an array of some IRP functions. But what is an IRP? An IRP is the standard of communicating from user mode to the kernel, to a specific driver, and from a driver to speak with another driver. So that packet is made out of two parts: the header, which stores some information about the original request, and the stack location, that contains the juicy stuff: the user mode system buffer, where we can provide information; the IOCTL, if you heard about it, which is some code that is used for the device I/O control, which is a way to communicate with the driver. So, like we're saying, there are some functions here in the major function array, and each function here should handle a different IRP. How can we use it? We can use it for our advantage, to hook it. We can replace it with our malicious IRP handler to handle that function and run some code that we want with the data that the user or other drivers provided to us. Very common IRP hooks are hooking of the device control, which is used to communicate with the driver (IRP_MJ_DEVICE_CONTROL), IRP_MJ_WRITE, where MJ stands for major, like the major functions that we saw earlier, and IRP_MJ_DIRECTORY_CONTROL for NTFS, to hide some directories and some data. And what I will show you today is how we can hide a file, not hide but block access to it. As we can see there is a file here called Sauron, and let's assume this is our malicious file and we want to block access to it.

Sorry. So what we can do is use our driver to block it: add it to the list and try to delete it with a SYSTEM shell, and after we're failing, we can remove it from the list and, you know the drill, it will be deleted. That's nice and all; we can do a lot of stuff from the kernel, and this is just the tip of the iceberg. So who's stopping us? What is stopping us from doing complete havoc in the kernel? Well, there is PatchGuard and DSE. Each of them is supposed to give protection on other aspects of the kernel. So PatchGuard, or Kernel Patch Protection, is a mechanism that was introduced on Windows XP, for 64-bit only. It is meant to protect critical structures in the kernel. How it does it is by just crashing the whole system; it's doing kamikaze with the error code 0x109. It is initialized on boot and is run at random time intervals, just to see what it does. For example, we can see the object type, which, if you remember, we saw earlier (hint). So like I said, we can't really enable a file object type callback, because the kernel, eventually PatchGuard, will detect it and crash the system, and we don't want it. We also see here IRP allocator modification, which is just the file protection I showed earlier, and like we saw, we can't really use it because again PatchGuard will detect it and crash the system. We don't really like PatchGuard, so what can we do with it? This is one way to disable PatchGuard, and this is what I will show today; of course there are many more ways, some better, some less. So in this way we are loading a bootkit, and there is a specific function that is called right after the operating system is loaded but not yet run, so we can modify it; nothing protects it, so we can modify it and find the Windows kernel base, find the functions that initialize PatchGuard, and just patch PatchGuard.

Another thing. So okay, we can somehow still do very damaging stuff regardless of PatchGuard: we can register callbacks, we can basically dominate the user mode and sometimes also things in the kernel mode, like the unregistering of callbacks I showed earlier. So what is stopping us from actually doing that? Well, there's another mitigation called DSE. DSE was also introduced in Windows XP for 64 bits. It's meant to prevent drivers from being loaded in the first place, unsigned drivers of course; the signature is not your normal executable signature, you need a special signature from Microsoft for that. It is initialized by the Windows boot manager and triggered by driver loading. However, we can patch it. We can patch it by getting the CI.dll base address, which is the Code Integrity base address, getting the CiInitialize address, which is a function that contains a very special object called CiOptions, and then just patching it and marking DSE as disabled, so we can load our driver. And this is a very common method that is used widely, especially nowadays in bring-your-own-vulnerable-driver attacks, to load another driver. Okay, we talked a little bit about the DSE patching, the PatchGuard, the kernel, from an offensive point of view, from a defensive point of view; let's talk about it from the programmatic point of view.

So here I want to note several things. The first thing, when you write a driver, is to never trust user mode data. Always assume it's tainted; maybe this is someone who doesn't want to do any harm, maybe this is a malicious user, so take that in mind. Check the length of what you're getting; check the struct that you're getting, that the struct you're getting is exactly what you want; and if it is a struct, don't only check that this is the struct that you want, check also its members, because if people would only do that little thing, so many vulnerabilities could have been prevented. Remember to always use locks. Locks are important, they are there for a reason, so make sure to use them to prevent any kind of time-of-check/time-of-use vulnerabilities, race conditions and so on. And where you're accessing user mode data, make sure to use these functions, ProbeForRead and ProbeForWrite. What they do is make sure that you can actually access that area and not crash the system by accessing that location, but you will need to do some address check before that to make sure this is within that range, because it is examining the area. And if you know that you have potentially dangerous code, you are doing some memcpy from a user mode buffer, use __try and __except. You have it, all you have to do is use it, and if it isn't some critical problem, you can catch that exception and handle it by yourself.

So we got a little faster to the end of the talk. I wanted to give some time for questions, but a little bit before that, let's summarize what we had today. So we learned some different ways to hide our user mode malware and artifacts, we learned how to unregister callbacks and how unregistering callbacks works, we learned how to disable ETW TI, we learned what an IRP is and IRP hooking, we learned the very basics of the basic kernel mitigations, we got some safe kernel development tips, and we enjoyed some pictures. So before I'm saying the summary for that talk: any questions?

Yes?

...from stuff like that, teach you... like, is it always possible to protect some stuff using these techniques?

Well, so the question is that game cheaters often use drivers to manipulate the anti-cheat mechanisms, and is this always an option? Well, it depends on what you're doing. If you're doing game cheating, I'm not doing game cheating, but if you are, the arms race there is very different, because the anti-cheat mechanisms can focus on very specific things, and so it has some capabilities that usually the antivirus and EDR industries are getting a bit later. So will it work on some other driver of an anti-cheat? I don't know, but I'm assuming that it won't work in the end. This is an arms race, and information security, because of its nature, is doing things a little bit later. This isn't a new thing, but it is an old gem, because it got some attention right now in the past few months, years. And yeah, are there any other questions? Okay, so we have... thank you.

One simply does not say thank you without a meme. Well done, and I like it that you mixed the Lord of the Rings... oh yeah, of course, sorry. Thank you so much. For a moment I wanted to say Game of Thrones, but that's a different effort. Oh yeah, yeah, I was just confused. Tuesday, it happens, it's a long day. All right, thank you so much, Ido, for being with us. I hope you all learned a lot of lessons. For me, though, let's smile to the camera right here, Shlomi. All right, now, even though... we have a small gift for you, a token of our appreciation, go on over there now.
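The safe kernel development tips from the talk (never trust user mode data: check the length, check the struct, then check its members) as an added worked example. This is not code from the talk or from Nidhogg; it is a portable user-mode C model of the checks a driver's IOCTL handler should run on the system buffer before acting on it, so it compiles and runs anywhere. The request layout, the magic value, the limits and the `validate_request`, `build_request` and `scenario_*` names are all hypothetical, and the kernel-only pieces the talk mentions (ProbeForRead/ProbeForWrite, __try/__except) are deliberately left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REQ_MAGIC   0x52494E47u   /* hypothetical request tag, ASCII "RING" */
#define REQ_VERSION 1u
#define MAX_NAME    64u
#define MAX_PAYLOAD 4096u

enum req_op { OP_PROTECT = 1, OP_UNPROTECT = 2 };   /* hypothetical operations */

/* Hypothetical request a user-mode client would send through an IOCTL.
   A variable-length payload follows the fixed part at payload_off. */
typedef struct {
    uint32_t magic;
    uint32_t version;
    uint32_t op;
    uint32_t pid;
    uint32_t name_len;     /* bytes of name[] in use, including the NUL */
    uint32_t payload_off;  /* offset of the payload from the start of the buffer */
    uint32_t payload_len;  /* payload size in bytes */
    char     name[MAX_NAME];
} protect_request;

typedef enum { V_OK = 0, V_BAD_LENGTH, V_BAD_HEADER, V_BAD_MEMBER } verdict;

/* Validate an untrusted buffer in the order the talk recommends: length first,
   then the struct identity, then every member. Works on a private copy so the
   checks and the later use see the same values even if user mode rewrites its
   buffer in between (the time-of-check/time-of-use problem). */
verdict validate_request(const void *buf, size_t len, protect_request *out)
{
    protect_request r;
    /* 1. Length: do not read a single field before the whole fixed part fits. */
    if (buf == NULL || out == NULL || len < sizeof r)
        return V_BAD_LENGTH;
    memcpy(&r, buf, sizeof r);
    /* 2. Struct identity: is this really the request type we expect? */
    if (r.magic != REQ_MAGIC || r.version != REQ_VERSION)
        return V_BAD_HEADER;
    /* 3. Members: range-check each field against what the driver can handle. */
    if (r.op != OP_PROTECT && r.op != OP_UNPROTECT)
        return V_BAD_MEMBER;
    if (r.pid == 0 || r.pid > 0x7FFFFFFFu)              /* hypothetical PID bound */
        return V_BAD_MEMBER;
    if (r.name_len == 0 || r.name_len > MAX_NAME || r.name[r.name_len - 1] != '\0')
        return V_BAD_MEMBER;                             /* name must end in-bounds */
    if (r.payload_len > MAX_PAYLOAD)
        return V_BAD_MEMBER;
    /* The payload must lie inside the buffer we were given. Written with a
       subtraction so a huge payload_off or payload_len cannot wrap an addition. */
    if (r.payload_off < sizeof r || r.payload_off > len ||
        r.payload_len > len - r.payload_off)
        return V_BAD_MEMBER;
    *out = r;
    return V_OK;
}

/* Build a constructed, well-formed request into buf; returns bytes used, 0 on error. */
size_t build_request(uint8_t *buf, size_t cap, uint32_t pid, const char *name,
                     const uint8_t *payload, uint32_t payload_len)
{
    protect_request r;
    size_t name_len = strlen(name) + 1;
    if (name_len > MAX_NAME || sizeof r + payload_len > cap)
        return 0;
    memset(&r, 0, sizeof r);
    r.magic = REQ_MAGIC;  r.version = REQ_VERSION;  r.op = OP_PROTECT;  r.pid = pid;
    r.name_len = (uint32_t)name_len;
    memcpy(r.name, name, name_len);
    r.payload_off = (uint32_t)sizeof r;
    r.payload_len = payload_len;
    memcpy(buf, &r, sizeof r);
    memcpy(buf + sizeof r, payload, payload_len);
    return sizeof r + payload_len;
}

static const uint8_t sample_payload[] = { 0xDE, 0xAD, 0xBE, 0xEF };  /* constructed */

/* Each scenario builds one client buffer; the tampered ones mimic a hostile caller. */
static verdict run_scenario(int tamper)
{
    uint8_t buf[256];
    protect_request r, out;
    size_t n = build_request(buf, sizeof buf, 1234, "notepad.exe", sample_payload, 4);
    memcpy(&r, buf, sizeof r);
    switch (tamper) {
    case 1: n = 8; break;                          /* caller passes a too-short buffer */
    case 2: r.magic ^= 0xFFFFFFFFu; break;         /* wrong struct type */
    case 3: r.payload_off = 0xFFFFFFF0u; r.payload_len = 0x20; break;  /* wrapping offset */
    case 4: r.name[r.name_len - 1] = 'x'; break;   /* name not NUL-terminated */
    default: break;
    }
    memcpy(buf, &r, sizeof r);
    return validate_request(buf, n, &out);
}

verdict scenario_good(void)            { return run_scenario(0); }
verdict scenario_short_buffer(void)    { return run_scenario(1); }
verdict scenario_bad_magic(void)       { return run_scenario(2); }
verdict scenario_wrapping_offset(void) { return run_scenario(3); }
verdict scenario_unterminated(void)    { return run_scenario(4); }

int main(void)
{
    printf("good=%d short=%d magic=%d wrap=%d name=%d\n", scenario_good(),
           scenario_short_buffer(), scenario_bad_magic(),
           scenario_wrapping_offset(), scenario_unterminated());
    return 0;
}
```

The ordering matters: the length check comes before any field is read, the copy into `r` happens once so the later use cannot be raced by the client rewriting its buffer, and the payload bounds are expressed as `payload_len > len - payload_off` rather than `payload_off + payload_len > len`, which is the form that a hostile 32-bit offset can wrap. In a real driver the same checks would sit behind ProbeForRead inside a __try/__except block, as the talk describes.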