Hi All!
After 6 months of inactivity I found the time to update my blog. Today I would like to speak about the last NoSuchCon Conference in Paris, where I had the pleasure of being a speaker.
The project I presented was the following one:
“Understanding and defeating Windows 8.1 Kernel Patch Protections: it’s all about gong fu! (part 2)”

NoSuchCon 2014 - Me speaking :-) ;-)

The talk analyses in detail the Kernel Patch Protection implementation of the latest 64-bit version of Windows 8.1, and presents a technology developed entirely by me to disarm it.
Furthermore, I showed another innovative method that uses PatchGuard's own code to protect a potential attacker's rootkit. I demonstrated its functionality by showing a working exploit as a proof of concept.

The entire publication is the result of the 3 months of work that I did reversing and analysing the Kernel Patch Protection code of Windows 8.1.
The introductory articles were published on our old VRT blog:

  1. Snake Campaign: A few words about the Uroburos Rootkit
  2. Exceptional behavior: the Windows 8.1 X64 SEH Implementation
  3. The Windows 8.1 Kernel Patch Protection

I am very happy because my talk was quite a success. I have received some mails, contacts and requests for all kinds of info related to my disarm methods, and so on…
Furthermore, an Italian specialist newspaper has written a small article about my project:
Sicurezza di Windows 8.1 usata per proteggere un rootkit
(thanks to Valerio Porcu for the publication)

This year's NSC conference was very good. I attended a lot of interesting talks, like the following:

Furthermore, I had the chance to meet a lot of skilled and clever researchers. I have even finally seen some of my colleagues in person: Richard, Ryan, Yves, Emmanuel (and my brother, who lives in Paris). We had a great time all together… Thanks guys!

Cisco TALOS @ Paris

Now I plan to reverse and analyse the Kernel Patch Protection code of Windows 10, and I hope to find a way to disarm even the latest upgrade of this kind of protection. My goal is to present the project at the next REcon conference in Montreal. I hope that I will be accepted! (and maybe even my girlfriend will follow me this time)

That's me at NSC

The recording of the talk has been uploaded to YouTube:
NSC #2 – Andrea Allievi – Understanding and defeating Windows 8.1 patch protections

Stay tuned!

AaLl86
