After 6 months of inactivity I found the time to update my blog. Today I would like to speak about the last NoSuchCon Conference in Paris, where I had the pleasure of being a speaker.
The project I presented was the following:
“Understanding and defeating Windows 8.1 Kernel Patch Protections: it’s all about gong fu! (part 2)”
The talk analyses in detail the Kernel Patch Protection implementation of the latest 64-bit version of Windows 8.1, and presents a technology developed entirely by me to disarm it.
Furthermore, I showed another innovative method that uses PatchGuard's own code to protect a potential attacker's rootkit. I demonstrated its functionality by showing a working exploit as a proof of concept.
The entire publication is the result of the 3 months of work that I spent reversing and analysing the Kernel Patch Protection code of Windows 8.1.
The introductory articles were published on our old VRT blog:
- Snake Campaign: A few words about the Uroburos Rootkit
- Exceptional behavior: the Windows 8.1 X64 SEH Implementation
- The Windows 8.1 Kernel Patch Protection
I am very happy because my talk has been quite a success. I have received some mails, contacts and requests for all kinds of info related to my disarm methods, and so on…
Furthermore, an Italian specialist newspaper has written a small article about my project:
Sicurezza di Windows 8.1 usata per proteggere un rootkit
(thanks to Valerio Porcu for the publication)
The NSC conference of this year was very good. I have attended a lot of interesting talks, like the following:
- Benjamin Delpy – Mimikatz Project
- My colleague Richard Johnson – Fuzzing and Patch Analysis: SAGEly Advice
- Peter Hlavaty – Attack on the Core
- Alex Ionescu – Breaking protected processes (very interesting talk)
Furthermore, I had the chance to meet a lot of skilled and clever researchers. I even finally met some of my colleagues in person: Richard, Ryan, Yves, Emmanuel (and my brother, who lives in Paris). We had a great time all together… Thanks, guys!
Now I plan to reverse and analyse the Kernel Patch Protection code of Windows 10, and I hope to find a way to disarm even the latest upgrade of this kind of protection. My goal is to present the project at the next REcon conference in Montreal. I hope that I will be accepted! (and maybe my girlfriend will even come along this time)
The talk’s recording has been uploaded to YouTube:
NSC #2 – Andrea Allievi – Understanding and defeating Windows 8.1 patch protections