
Need an account to vote? Register to attend at gsec.hitb.org/sg2018/
Deadline is 30th June 2018!


Deep Hooks: Monitoring Native Execution in WoW64 Applications

Yarden Shafir & Assaf Carlsbad


WoW64 processes contain a complete 32-bit subsystem that supplies the 32-bit application with everything it needs to execute on a 64-bit OS. Ultimately, however, all communication with the 64-bit environment itself is performed by the 64-bit portion of the process, which security products often neglect. In most cases, monitoring only the 32-bit subsystem is enough, but bypass techniques such as the notorious "Heaven's Gate" prove that this approach is far from perfect.

In this talk, we present the possibility of injecting 64-bit DLLs into WoW64 processes and using them to hook 64-bit APIs. This task introduces some unique challenges, which we will discuss in detail. We will present several injection methods, including a couple of novel modifications to existing ones, that enable injecting a 64-bit DLL into a WoW64 process. We will then demonstrate the adjustments we made to an out-of-the-box hooking engine so that it can hook 64-bit APIs in the process. Some changes in newer Windows versions, such as the introduction of CFG and changes to some API functions, made this task more challenging; we will show how we researched and solved these issues, making this hooking technique usable on all currently available Windows versions.

We have published a series of three blog posts about this research:

https://www.sentinelone.com/blog/deep-hooks-monitoring-native-execution-wow64-applications-part-1/
https://www.sentinelone.com/blog/deep-hooks-monitoring-native-execution-wow64-applications-part-2/
https://www.sentinelone.com/blog/deep-hooks-monitoring-native-execution-wow64-applications-part-3/

===

Yarden Shafir - I'm a security researcher who has been working in infosec for the past few years. Currently I'm a member of the research group at SentinelOne. My interests include diving deep into OS internals, reverse engineering things which shouldn't have been compiled in the first place, researching exploit mitigations, and causing blue screens. In my spare time I perform in the circus, specializing in aerial acrobatics.

---

Assaf Carlsbad - I'm a security researcher and part of the research group at SentinelOne, having worked in the infosec industry for nearly ten years. As part of my work I conduct security research on a daily basis, spanning malware analysis, reverse engineering and implementing exploit mitigation techniques. Prior to joining SentinelOne, I spent several years in an elite technology unit in the IDF.