Weird-Machine Motivated Practical Page Table Shellcode & Finding Out What's Running on Your System

DEF CON 22

Presented by: Shane Macaulay
Date: Sunday August 10, 2014
Time: 13:00 - 13:50
Location: Track 3

Windows7 & Server 2008R2 and earlier kernels contain significant executable regions available for abuse. These regions are great hiding places and more; e.g. Using PTE shellcode from ring3 to induce code into ring0. Hiding rootkits with encoded and decoded page table entries.

Additional ranges/vectors, Kernel Shim Engine, ACPI/AML, boot-up resources & artifacts will also be shown to be useful for code gadgets.

Understanding the state of affairs with the changes between Win7/8 and what exposures were closed and which may remain. APT threats abuse many of these areas to avoid inspection.

By the end of this session will also show you how to walk a page table, why Windows8 makes life easier, what to look for and how to obtain a comprehensive understanding of what possible code is hiding/running on your computer.

Final thoughts on using a VM memory snapshot to fully describe/understand any possible code running on a Windows system.

Shane Macaulay

Shane “K2” Macaulay last DEF CON presentation was an offensive tool ADMmutate during DEF CON 9 but has more recently been focused on defensive techniques and helped develop an APT detection service (http://blockwatch.ioactive.com) used to protect Microsoft OS platforms. Shane has spent time finding ways to fully understand the state of system code to understand “What is actually running on your computer?” to aid in forensic analysis, incident response and enterprise protection capacities. Shane is currently employed by IOActive as Directory of Cloud Security and has presented at many previous security conferences/venues.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats