DEFCON 20: Detecting Reflective Injection
https://www.ispeech.org
Speaker: ANDREW KING CONTRACT RESEARCHER, GRAYHAT RESEARCH, LLC
This talk will focus on detecting reflective injection with some mildly humorous notes and bypassing said protections until vendors start actually working on this problem. It seems amazing that reflective injection still works. Why is that? Because programmers are lazy. They don't want to write new engines, they want to write definitions for an engine that already exists. So what do we do about it? Release a $5 tool that does what $50 AV has failed epically at for several years now...oh and it took me a week or so...Alternately, you could license it to vendors since their programmers are lazy.
Andrew King is a recent graduate. He has been a hobbyist for many years, but has only recently tried to transition into information security as a job field. A previous talk was given at ToorCon on polymorphism as it relates to definitions. He wrote a set of articles demonstrating implementation of simple internal to function encoding and decoding. Additional code will be released to demonstrate automation of binary patching to use this method without using a debugger. It is not a fully functional evasion tool, but it does demonstrate pushing this level of obfuscation into a more automated arena. Adding a couple of small code sections could turn this in to a usable evasion tool.
Twitter: @aking1012
For more information visit: http://bit.ly/defcon20_information
To download the video visit: http://bit.ly/defcon20_videos
Playlist DEFCON 20: http://bit.ly/defcon20_playlist
2012-11-14 15:00:54
source
Gloss