Callback objects | Yarden Shafir | BSides Delhi 2020
Callback objects - Everything you didn’t know you wanted to hook in the kernel
Whether you’re an attacker trying to persist and gather information while avoiding detection, or a defender trying to monitor everything that’s running on a box and stay a step ahead of the attackers, everyone wants to know what’s happening on a machine. Windows has a mechanism that can fulfill all these needs and isn’t getting the attention it deserves: callback objects.
Used by many kernel components and easy to access from third-party drivers, these objects can supply valuable information about various kernel events, internal AV communication, and more.
Even PatchGuard has its own callback!
As helpful as they are, callback objects are mostly ignored by security solutions, which makes them a great place for rootkits to hide, where no one is looking.
Yarden Shafir
Yarden Shafir started dancing at the age of 7, and later joined a rhythmic gymnastics team and competed during her teenage years. After her military service, she practiced pole dancing and fell in love with acrobatics. In recent years she performs aerial arts for the circus, trains whenever possible, and teaches lyra and silks in Israel. She also has a rich background in Windows internals research, originally at SentinelOne, followed by her current role as a Software Engineer at CrowdStrike working on various EDR capabilities and EPP features.