Dailydave mailing list archives

Conover's BCE


From: Dave Aitel <dave () kof immunityinc com>
Date: Wed, 13 May 2009 20:15:44 -0400

Matthew Conover's BCE talk was very interesting yesterday, and I had a
chance to annoy him a bit more about it at dinner. Basically the idea is
this:

Apply virtualization techniques (code rewriting + page permissions) to run
drivers in usermode. The goal here is to be able to control the driver such
that it does not know it is running under BCE, and be able to analyze it. He
has working code - this was not a theory talk so much as a demonstration and
explanation, as were most of the talks at SyScan. This is a useful dynamic
analysis tool (he demo'd running process explorer under it, which worked),
and if he open sourced it I could see lots of people using it for rootkit
analysis.

One thing he did during his talk that I thought was good was stop every 5-10
slides for questions. With something as technical as this, it's a very good
idea as it kept the audience on the same page.

In order to run a driver in "usermode" he has to emulate a stack and a
Kernel Pool for the driver. So for example, if you do a:

call popme
popme:
   pop eax

Then EAX has a kernel address in it (a "fake eip" if you will), even though
the driver is really running in userspace.

One attack I think would be hard to stop would be for the driver to allocate
kernel Pool data, then go search the kernel pool to make sure their data is
there. If the data is not there, they are running under BCE and it's time to
pretend to be innocuous.

I'm sure there's lots of other exciting attacks, but as Kostya says "in the
real world, no one is ever going to attack this thing if you don't give it
out to everyone". On the other hand, I kinda want one so I'm hoping he does.
:>

Today is Shellcode class day. We're giving out our latest shellcode library
for everyone to use to learn how to create shellcode. It's fun for the whole
family!

-dave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
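The two mechanics Dave describes above (the rewritten call/pop trick that leaves a kernel-looking address in EAX, and the emulated kernel pool that has to stay consistent with what the driver wrote into it) can be modelled in a few dozen lines. What follows is an added, constructed toy emulator written for this archive page; it is not BCE's code and BCE is not public, so the address constants, the tiny instruction set and the pool allocator are all assumptions chosen only to make the translation idea concrete.

```python
"""
Toy model of the BCE idea from the post: driver code executes at a user-space
host address, but every address the driver can observe (return addresses pushed
by CALL, pool allocations) is presented in a guest "kernel" address range.

Added, constructed example illustrating the post, not BCE's own code. BCE is
not public, so its real internals, the address constants and the instruction
set below are all assumptions.
"""

KERNEL_BASE = 0x80400000  # assumed: where the driver believes it is loaded
HOST_BASE = 0x00400000    # assumed: where the rewritten code actually lives (user space)
POOL_BASE = 0x86000000    # assumed: guest range presented to the driver as the kernel pool
SLOT = 4                  # each toy instruction occupies SLOT bytes of host address space


class BCEEmulator:
    """Runs a list of (mnemonic, operand) instructions with address translation."""

    def __init__(self, program):
        self.program = program
        self.stack = []          # values the driver pushed (already guest addresses)
        self.regs = {"eax": 0}
        self.pool = {}           # guest pool address -> bytes stored there
        self.next_pool = POOL_BASE
        self.pc = 0              # index into program; host addr = HOST_BASE + SLOT * pc

    # Translation between where the code really runs and where it thinks it runs.
    def host_to_guest(self, host_addr):
        return host_addr - HOST_BASE + KERNEL_BASE

    def guest_to_host(self, guest_addr):
        return guest_addr - KERNEL_BASE + HOST_BASE

    def alloc_pool(self, data):
        """Emulated pool allocation: hand out a guest-range address and keep the
        data readable at that address, so a driver that reads its allocation
        back out of the "kernel pool" sees exactly what it wrote."""
        addr = self.next_pool
        self.pool[addr] = bytes(data)
        self.next_pool += max(len(data), 1)
        return addr

    def read_pool(self, guest_addr):
        return self.pool.get(guest_addr)

    def step(self):
        op, arg = self.program[self.pc]
        if op == "call":
            # Rewritten CALL: push the guest return address, not the host one,
            # so the classic call/pop trick yields a kernel-looking EIP.
            ret_host = HOST_BASE + SLOT * (self.pc + 1)
            self.stack.append(self.host_to_guest(ret_host))
            self.pc = arg                          # arg = index of the call target
        elif op == "pop":
            self.regs[arg] = self.stack.pop()
            self.pc += 1
        elif op == "alloc":
            self.regs["eax"] = self.alloc_pool(arg)
            self.pc += 1
        elif op == "halt":
            self.pc = len(self.program)
        else:
            raise ValueError(f"unknown op {op!r}")

    def run(self):
        while self.pc < len(self.program):
            self.step()
        return self


def fake_eip_demo():
    """The post's snippet:  call popme / popme: pop eax  -> EAX holds a kernel address."""
    program = [
        ("call", 1),      # index 0: call popme
        ("pop", "eax"),   # index 1: popme: pop eax
        ("halt", None),
    ]
    emu = BCEEmulator(program).run()
    return emu.regs["eax"]


def pool_consistency_demo():
    """The pool check the post describes, seen from the emulator's side: the
    allocation must come back at a pool-range address and the data must be
    visible there. Returns (guest address, data at that address, in-range flag)."""
    marker = b"CONSTRUCTED-MARKER"   # constructed sample payload
    program = [("alloc", marker), ("halt", None)]
    emu = BCEEmulator(program).run()
    addr = emu.regs["eax"]
    return addr, emu.read_pool(addr), POOL_BASE <= addr < POOL_BASE + 0x1000000


if __name__ == "__main__":
    eip = fake_eip_demo()
    host = BCEEmulator([]).guest_to_host(eip)
    print(f"pop eax after call -> {eip:#010x} (code really runs at {host:#010x})")
    addr, data, in_range = pool_consistency_demo()
    print(f"pool allocation at {addr:#010x}, readable={data is not None}, in range={in_range}")
```

The design point is that every value the emulator lets the driver observe goes through one translation layer: the pushed return address is translated before it touches the stack, and the pool allocator never hands out a host address. Any path that leaks an untranslated host address (a missed rewrite, a pool that is not actually backed) is exactly what the consistency check in the post would catch, which is why a tool like this needs the emulated stack and pool to be complete rather than approximate.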
