Asia-24-Yair-magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces.pdf

《Asia-24-Yair-magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces.pdf》由会员分享，可在线阅读，更多相关《Asia-24-Yair-magicdot-a-hackers-magic-show-of-disappearing-dots-and-spaces.pdf（67页珍藏版）》请在三个皮匠报告上搜索。

1、Security Research Team Lead at SafeBreach6+years in security researchLinux,embedded and some Android research3 years Windows researchCreator of Aikido Wiper,DoubleDriveOr YairAgendaWindows Known Issue IntroductionResearch GoalsPost-Exploitation TechniquesVulnerabilitiesCVEs+FixesTakeawaysGitHub+Q&AW

2、indows BackwardsCompatibilityMore than 1.4 billion active devicesMy first encounter with“MagicMicrosofts DocumentationDo not end a file or directory name with a space or a period.Although the underlying file system may support such names,the Windows shell and user interface does not.However,it is ac

3、ceptable to specify a period as the first character of a name.For example,“.temp”.Normal(DOS)toNT Path ConversionWin32 APIs path arguments are normal DOS paths.Conversion is needed.RtlpDosPathNameToRelativeNtPathName()C:UsersUserDocumentsexample.txt?C:UsersUserDocumentsexample.txtNormal(DOS)to NT Pa

4、th ConversionRtlpDosPathNameToRelativeNtPathName()Removes:Trailing dots from any path elementTrailing spaces from the last path elementNT PathDOS Path?C:exampleexampleC:exampleexample.?C:exampleexampleC:exampleexample?C:exampleexampleC:exampleexample?C:exampleexampleC:exampleexample?C:exampleexample

5、C:example.example?C:exampleexampleC:exampleexample“The Definitive Guide on Win32 to NT Path Conversion”by James Forshaw with Google Project Zerohttps:/ Research GoalRootkit-like abilitiesUtilize the issue for concealmentsTypical RootkitsPrimary Goal ConcealmentsTypesUser-SpaceKernelKernel RootkitKer

6、nel Rootkit RequirementsAbility to run in the kernel:Admin Privileges+Handle Obstacles:Driver Signature EnforcementDriver Block ListHVCIUser-Space RootkitUser-Space RootkitRequirementsAbility to write or run code in all processes:Admin PrivilegesSomething is MissingHow can unprivileged malwares conc