Intrusion detection and prevention systems monitor a point or a fixed set of points, such as a network connection. In response, malware authors hide the traffic that crosses those points with encryption, encoding, and obfuscation. This presentation demonstrates a different strategy, based not on yet another fixed monitoring point but on the flexibility to add almost any point dynamically, using a new function call hooking system capable of intercepting virtually any set of API functions system-wide. This is in contrast to existing HIPSs, which are limited to the functions chosen at design time and only monitor certain actions, such as file and registry edits. The system uses dynamic code generation to expand on existing hooking techniques, overcoming the challenges posed by differing function definitions, architectures, and their associated calling conventions.
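To make the monitoring model concrete, the following is an added example (not code from the talk or its author) of the policy layer such a hooking system feeds: every intercepted call is routed through one dispatcher that records the call, asks a per-function policy for a verdict, and only then forwards the arguments to the original function. The monitored APIs (`fake_open_file`, `fake_set_reg_value`), the registry key strings, and the autorun rule are constructed for the example; real hooks would be installed by the interception engine rather than called through a table, and the dispatcher here assumes integer- or pointer-class arguments only, which is exactly the calling-convention detail the abstract says dynamic code generation has to handle.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uintptr_t word_t;             /* one machine word: integer or pointer argument */

/* Constructed stand-ins for the APIs a HIPS would monitor; not real OS calls. */
static int fake_open_file(const char *path, int flags) {
    (void)flags;
    return (int)strlen(path);         /* pretend handle value */
}
static int fake_set_reg_value(const char *key, const char *value) {
    return (int)(strlen(key) + strlen(value));
}

typedef enum { VERDICT_ALLOW = 0, VERDICT_DENY = 1 } verdict_t;

/* Descriptor for one monitored function: name, original entry point, arity, policy. */
typedef struct {
    const char *name;
    void (*target)(void);             /* generic function pointer to the original */
    int argc;                         /* number of word-sized arguments */
    verdict_t (*policy)(const word_t *args, int argc);
} hook_t;

typedef word_t (*fn0_t)(void);
typedef word_t (*fn1_t)(word_t);
typedef word_t (*fn2_t)(word_t, word_t);
typedef word_t (*fn3_t)(word_t, word_t, word_t);

/* Forward the captured arguments to the original, choosing a thunk by arity. */
static word_t forward(const hook_t *h, const word_t *a) {
    switch (h->argc) {
    case 0:  return ((fn0_t)h->target)();
    case 1:  return ((fn1_t)h->target)(a[0]);
    case 2:  return ((fn2_t)h->target)(a[0], a[1]);
    case 3:  return ((fn3_t)h->target)(a[0], a[1], a[2]);
    default: return (word_t)-1;       /* arity not supported by this table */
    }
}

#define LOG_MAX 32
static struct { const char *name; verdict_t verdict; } call_log[LOG_MAX];
static int log_count = 0;

int hook_log_count(void) { return log_count; }
verdict_t hook_log_verdict(int i) { return call_log[i].verdict; }

/* Single choke point every hooked call passes through: log, decide, forward. */
word_t hooked_call(const hook_t *h, const word_t *args, verdict_t *out) {
    verdict_t v = h->policy ? h->policy(args, h->argc) : VERDICT_ALLOW;
    if (log_count < LOG_MAX) {
        call_log[log_count].name = h->name;
        call_log[log_count].verdict = v;
        log_count++;
    }
    if (out) *out = v;
    if (v == VERDICT_DENY) return (word_t)-1;   /* caller sees a failed API call */
    return forward(h, args);
}

/* Example policy: block writes under any ...\CurrentVersion\Run autorun key. */
static verdict_t deny_autorun_keys(const word_t *args, int argc) {
    if (argc < 1) return VERDICT_ALLOW;
    const char *key = (const char *)args[0];
    return strstr(key, "\\CurrentVersion\\Run") ? VERDICT_DENY : VERDICT_ALLOW;
}

static const hook_t hooks[] = {
    { "open_file",     (void (*)(void))fake_open_file,     2, NULL },
    { "set_reg_value", (void (*)(void))fake_set_reg_value, 2, deny_autorun_keys },
};

int main(void) {
    verdict_t v;
    word_t open_args[2] = { (word_t)"C:\\tmp\\x.txt", 0 };
    word_t reg_args[2]  = { (word_t)"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                            (word_t)"updater.exe" };
    hooked_call(&hooks[0], open_args, &v);
    printf("open_file -> %s\n", v == VERDICT_DENY ? "DENY" : "ALLOW");
    hooked_call(&hooks[1], reg_args, &v);
    printf("set_reg_value -> %s\n", v == VERDICT_DENY ? "DENY" : "ALLOW");
    for (int i = 0; i < hook_log_count(); i++)
        printf("log[%d] %s %s\n", i, call_log[i].name,
               call_log[i].verdict == VERDICT_DENY ? "DENY" : "ALLOW");
    return 0;
}
```

The table-plus-thunk design is the part that does not scale: each new arity or calling convention needs another hand-written thunk, which is the limitation the talk addresses by generating the forwarding code at runtime instead.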
Matt Weeks has performed mathematical research in chaos theory and cryptology, and focuses on information security. He enjoys finding ways to break application security, writing shellcode, and creating post-exploitation techniques. Also known as scriptjunkie, he has developed for the Metasploit framework, wrote the sessionthief MITM tool, has spoken at conferences such as DEFCON and Black Hat, and broke a cryptosystem based on chaos theory. He runs the site http://www.scriptjunkie.us/