1 CSC 497/583 Advanced Topics in Computer Security
Class 12: Modern Malware Analysis, Hooks. Si Chen

2 Overview
Hooks: Definition
Message Hook: Message Hook Chain; Message Hook Example 1 – Keyboard Event Hook
IAT Hook: IAT Hook Basics; IAT Hook Example – A "Big" MessageBox

3 Hooks A hook is a point in the system message-handling mechanism where an application can install a subroutine to monitor the message traffic in the system and process certain types of messages before they reach the target window procedure.

4 Message Hook

5 Message Hook The system supports many different types of hooks; each type provides access to a different aspect of its message-handling mechanism. 

6 Message Hook Chain A hook chain is a list of pointers to special, application-defined callback functions called hook procedures. When a message occurs that is associated with a particular type of hook, the system passes the message to each hook procedure referenced in the hook chain, one after the other.

7 Message Hook Example. Download Hook.zip from our course website and unzip it (password: infected). Try HookMain.exe.

8 Message Hook

9 Analysis Source Code. In this example, we use two files:
HookMain.exe: launches the attack.
KeyHook.dll: provides the "Hook" function.

10 LoadDLL() HookStart() HookStop() UnloadDLL()

12 Analysis Source Code g_hHook = SetWindowsHookEx(WH_KEYBOARD, KeyboardProc, g_hInstance, 0); // WH_KEYBOARD hook type; KeyboardProc is the hook procedure exported by KeyHook.dll; g_hInstance is the DLL's module handle; thread id 0 installs the hook for all threads on the desktop

13 Analysis Source Code

14 Analysis Source Code g_hHook = SetWindowsHookEx(WH_KEYBOARD, KeyboardProc, g_hInstance, 0);

15 Message Hook

16 Analysis Source Code

17 IAT Hook

18 IAT (Import Address Table)
Quick review of the IAT (Import Address Table); see class 5.

19 Load PE file (Notepad.exe) into Memory

20 Look up IAT Table with PEview

21 Implicit Linking and IAT (Import Address Table)
Notepad.exe: Call CreateFileW() → Call 0x (the IAT entry) → Call 0x7C810CD9 (the real address)
Look up IAT Table:
  Function Name   IAT Address   Real Address
  CreateFileW()   0x            0x7C810CD9
When the application was first compiled, it was designed so that API calls do NOT use direct hardcoded addresses but rather go through a function pointer. This is accomplished through the import address table: a table of function pointers filled in by the Windows loader as the DLLs are loaded.

22 IAT (Import Address Table)
Why IAT?

23 IAT (Import Address Table)
Support different Windows versions (9X, 2K, XP, Vista, 7, 8, 10).
Call CreateFileW() --> Call 0x (look up the IAT table)
Windows XP:
  Function Name   IAT Address   Real Address
  CreateFileW()   0x            0x7C810CD9
Windows 7:
  Function Name   IAT Address   Real Address
  CreateFileW()   0x            0x7C81FFFF

24 IAT (Import Address Table)
Support DLL Relocation
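The lookup on slides 21–23 (function name → IAT slot → real address) starts from the import directory of the PE file. The following is an added example, not code from the course materials: a minimal PE32 import-table walker (function names rva_to_off, cstr, parse_imports and build_sample_pe are my own) that reports each imported function together with the RVA of its IAT slot, which is the pointer the loader fills in and an IAT hook overwrites. The sample image it parses is constructed inline and is not a real program.

```python
import struct

def rva_to_off(data, rva):  # map an RVA to a file offset through the section table
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    nsec = struct.unpack_from('<H', data, e_lfanew + 6)[0]
    sec = e_lfanew + 24 + struct.unpack_from('<H', data, e_lfanew + 20)[0]  # after optional header
    for i in range(nsec):
        vsize, va, rsize, raw = struct.unpack_from('<IIII', data, sec + 40 * i + 8)
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError('RVA 0x%x not in any section' % rva)

def cstr(data, off):
    return data[off:data.index(b'\0', off)].decode()

def parse_imports(data):
    """Return {dll: [(function, IAT slot RVA), ...]} from the PE import directory."""
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    assert struct.unpack_from('<H', data, e_lfanew + 24)[0] == 0x10B, 'PE32 (32-bit) images only'
    # DataDirectory[1] (offset 104 into a PE32 optional header) points at the import descriptors
    off, result = rva_to_off(data, struct.unpack_from('<I', data, e_lfanew + 24 + 104)[0]), {}
    while any(desc := struct.unpack_from('<IIIII', data, off)):  # array ends with an all-zero entry
        int_rva, _, _, name_rva, iat_rva = desc  # IMAGE_IMPORT_DESCRIPTOR
        entries, toff, i = [], rva_to_off(data, int_rva or iat_rva), 0
        while (thunk := struct.unpack_from('<I', data, toff + 4 * i)[0]):  # slot i is at iat_rva + 4*i
            # high bit set: import by ordinal; else RVA of IMAGE_IMPORT_BY_NAME (2-byte hint, then name)
            fn = 'ordinal#%d' % (thunk & 0xFFFF) if thunk & 0x80000000 else cstr(data, rva_to_off(data, thunk) + 2)
            entries.append((fn, iat_rva + 4 * i))
            i += 1
        result[cstr(data, rva_to_off(data, name_rva))] = entries
        off += 20
    return result

def build_sample_pe():
    """Constructed minimal PE32 file (not a real program): .idata imports CreateFileW and MessageBoxA."""
    R = lambda o: 0x1000 + o  # the section is mapped at RVA 0x1000 and stored at file offset 0x200
    s = bytearray(0x100)
    struct.pack_into('<IIIII', s, 0x00, R(0x40), 0, 0, R(0x60), R(0x48))  # KERNEL32 descriptor
    struct.pack_into('<IIIII', s, 0x14, R(0x50), 0, 0, R(0x70), R(0x58))  # USER32 descriptor
    struct.pack_into('<IIII', s, 0x40, R(0x80), 0, R(0x80), 0)  # KERNEL32 INT [name, 0], IAT [name, 0]
    struct.pack_into('<IIII', s, 0x50, R(0x90), 0, R(0x90), 0)  # USER32 INT, IAT
    s[0x60:0x6D], s[0x70:0x7B] = b'KERNEL32.dll\0', b'USER32.dll\0'
    s[0x80:0x8E], s[0x90:0x9E] = b'\0\0CreateFileW\0', b'\0\0MessageBoxA\0'
    dos = bytearray(0x40); dos[:2] = b'MZ'; struct.pack_into('<I', dos, 0x3C, 0x40)  # e_lfanew
    coff = b'PE\0\0' + struct.pack('<HHIIIHH', 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into('<H', opt, 0, 0x10B)
    struct.pack_into('<II', opt, 104, R(0), 60)  # DataDirectory[1] = import table
    sect = b'.idata\0\0' + struct.pack('<IIIIIIHHI', 0x100, 0x1000, 0x100, 0x200, 0, 0, 0, 0, 0xC0000040)
    return (bytes(dos) + coff + bytes(opt) + sect).ljust(0x200, b'\0') + bytes(s)
```

Run against a real 32-bit binary (`parse_imports(open(path, 'rb').read())`), the returned slot RVAs plus the image base give the addresses a checker reads from the live process and compares with the loader-resolved export to spot an overwritten entry.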

25 IAT Hook Example. Download IATHookMsgBox.zip, unzip it and run it.

26 Analysis IAT Hook Example
Use OllyDbg.

27 Q & A

