NoSuchCon 2014 – Windows 8.1 Kernel Patch Protection

Hi All!
After 6 months of inactivity I found the time to update my blog. Today I would like to speak about the last NoSuchCon Conference in Paris, where I had the pleasure of being a speaker.
The presented project was the following:
“Understanding and defeating Windows 8.1 Kernel Patch Protections: it’s all about gong fu! (part 2)”

NoSuchCon 2014 - Me speaking :-) ;-)

The talk analyses in detail the Kernel Patch Protection implementation of the latest 64-bit version of Windows 8.1, and presents a technology developed entirely by me to disarm it.
Furthermore, I showed another innovative method that uses PatchGuard's own code to protect a potential attacker's rootkit. I demonstrated its functionality by showing a working exploit as a proof of concept.

The entire publication is the result of the 3 months of work that I spent reversing and analysing the Kernel Patch Protection code of Windows 8.1.
The introductory articles were published on our old VRT blog:

  1. Snake Campaign: A few words about the Uroburos Rootkit
  2. Exceptional behavior: the Windows 8.1 X64 SEH Implementation
  3. The Windows 8.1 Kernel Patch Protection

I am very happy because my talk was quite a success. I have received several mails, contacts and requests for all kinds of information related to my disarm methods, and so on…
Furthermore, an Italian specialist newspaper has written a small article about my project:
Sicurezza di Windows 8.1 usata per proteggere un rootkit
(thanks to Valerio Porcu for the publication)

The NSC conference of this year was very good. I attended a lot of interesting talks, like the following:

Furthermore, I had the chance to meet a lot of skilled and clever researchers. I even finally met in person some of my colleagues: Richard, Ryan, Yves, Emmanuel (and my brother, who lives in Paris). We had a great time all together… Thanks guys!

Cisco TALOS @ Paris

Now I plan to reverse and analyse the Kernel Patch Protection code of Windows 10, and I hope to find a way to disarm even the latest upgrade of this kind of protection. My target is to present the project at the next REcon conference in Montreal. I hope that I will be accepted! (and maybe my girlfriend will even follow me this time)

That's me at NSC

The talk’s recording has been uploaded to YouTube:
NSC #2 – Andrea Allievi – Understanding and defeating Windows 8.1 patch protections

Stay tuned!
