I guess some of you weren't out last night with me at Hacker Jeopardy, because you were very quiet. Well, maybe later. This is being filmed for posterity, so I'm going to try to be a little bit politically correct as far as nudity is concerned in this talk.

So, I'm Big Easy. Sashi is an interesting story, because he doesn't exist. I've put in 15 CFPs for DEF CON previously, and they've been rejected every year for the last 16 years. And this year they said, oh, we really encourage people to put their handles in and be anonymous when they do the talk. So I used my handle that I've been using for a very long time, and then I invented Sashi, because I thought it'd be cool to see if Sashi could get a talk at DEF CON, even though he's only a web page.

So, I've done talks before about different parts of what this is becoming, going all the way back to Black Hat two years ago, and our kernel work that we released at BSides last year. And I apologize if my voice is a little rough, but I did win Hacker Jeopardy last night. We didn't fuck it up.

But I want to say a word about that, because apparently there was a shitstorm on Twitter over Hacker Jeopardy and the dick category. And I would like to say that I'm a hacker. I've been coming to DEF CON for longer than I'd like to admit, and I'm an introvert. And DEF CON has always given me a charge to do things, and I hope that I can help get you guys to get a charge, too. And all I want to say about Hacker Jeopardy is: when you get completely humiliated on stage in front of thousands of people, how can we say that this is a male-dominated game when I'm being beaten by women and painted green on the stage? But I'm not here to talk about that. I want to talk about this motherfucker.

So, like I said, when I wanted to do this talk, and I put it in, just like every other good CFP, we had the idea that it would be really cool if we could do some things, because I was concerned about my privacy.
And, you know, I got this from Chris Olson. I don't know if he's in the audience. I want to give him a shout-out if he is, if he's out in cyberspace. What an awesome tweet. And there's a little sock, camera covered with tape, mic jack covered with tape, and his email client is Thunderbird. And this really summarizes what I'd like to say about this idea of: I want my privacy back. Keep your code out of my stack. And, you know, everybody says I might be a little paranoid.

So we put the talk in, and I thought I was going to get rejected, and shockingly, the talk was accepted. And that means that we then had to do a shitload of work, because we actually had to do what we said we were going to do in this CFP.

So we looked at a bunch of tools. I kind of included these slides in as you navigate through the framework that we're releasing today. Because we really looked at all the tools that were available regarding what's happening inside the computer. Because I became very interested in what exactly happens when data is generated by peripheral devices such as your keyboard and mouse, and then what's happening to your camera and microphone when you aren't aware that perhaps some processes are using those devices.

So we looked at a lot of the tools that were available, including the NirSoft tools. And I used to have a slide with the author of these tools, but I kind of, like, maybe deleted it accidentally when the speaker goons were yelling at me to get on stage. Is the author of the NirSoft tools in the audience? Okay. So, his tools are awesome. And then we all know TCPView from Microsoft. And I looked at these tools and said, these tools are really all cool. But what we want to do is write these tools from source code, so that when you compile and run these things, you know exactly what's in the code. So the framework has these things. And I'll get on that later.
We also looked previously at IRP Tracker, which is a really great tool that works on 32-bit systems, and IRPMon. And I included the links to those in this talk just so you can have some background as you work and rock through some of the code. And here's a screenshot of that. And then we began to research, looking at IRPMon. And one of the things that was really irritating about, not irritating, but you know it's always frustrating when you're on the command line, is, you know, lots of different errors that happen when you start to hook every driver that you have in your Windows operating system to try and see what's going on. And then you get a lot of weird messages, because IRPMon doesn't last very long. And the other thing is you have to have your computer in test mode to even work this. And it's kind of like a scary mode to be in in Windows.

But I got a little bit ahead of myself, because this all started from some of the badger research we did, where I'm a really paranoid bastard. My family can tell you that I record everything at my house. I have multiple taps running in my house so that I can track everything that's happening on my network. And I know everybody else has a Unix box at home with eight Ethernet interfaces. And we use those, I use those interfaces to keep an eye on some data. We were doing some research and I accidentally left a tcpdump running and captured 1 billion packets in one file. And we looked at things from the inside and the outside. I call the inside what's inside my protection device, and outside. It's very interesting to me that you see more traffic outside of your firewall than inside. And it's cut off on my screen but not yours. I observed 29,829 destinations outside the firewall; 29,525 resolved via reverse lookup. So they had good DNS.
So a couple of years later I look back at this again, and I notice that the traffic coming out of my web connections was up four times, and it was very disturbing, because you'll be opening a web browser and moving around the mouse inside the screen, and then you've got TCP connections opening all over the internet. And the data is all secured and you have no idea what this data is. And where is it going? And then I forgot to remove the bullet at the bottom. But is it 1984, because our mouse movements are being tracked? What about keystrokes? I started thinking, what about the microphone and video? Because there's a huge amount of bloat. Everything in the traces that are running now is just a bit bloated.

And somehow this slide got popped into here. You know, looking at IRP, and then previous projects like IRP Tracker, was limited because it didn't have 64 bits. But there's a great start in this with Martin Drab. Thank God I wrote his name in the slides, because I couldn't remember it. I burned all of my remembering points last night. So Martin has done a great job with IRPMon, starting this. But it's got a couple of things that were a bit of some downfalls if you actually wanted to inject data between, say, the keyboard and the browser. Because the idea is, if I'm not using my keyboard and I want to send keystrokes to the browser anyway, and if somebody wants to collect that and fill up their cloud with it, that's their own business, because they shouldn't be peeking inside my window anyway. And we needed more precise data and information.

And then this is really irritating. There's a little screen popping up in front of my slide here. Device calls needed. We needed to have an in-memory data store of device calls. And IRPMon was a great start, but then we went on and we've been writing things from scratch, just like everything else that we're going to be releasing. So we wanted to instrument the process list.
And we were specifically interested initially in the keyboard, mouse, microphone and video. Some of these are easier than others, though; especially the microphone and video are a little more complicated. But what processes are actually interested in your mouse movements, and then what network traffic is then generated as a result of those calls? And then we wanted to be able to correlate those calls back into the IRP request, just to find out where does the forking occur? Because a lot of the forking occurs inside the browser. And so that would require something like a browser plugin. And we really didn't want to support multiple browser plugins, because there are many, many different browsers. So it's been a very difficult challenge making a decision about where you actually want to put a man in the middle.

And then we also had the big question about why do we start in Windows 7, 8 when there's Windows 10? We're building this framework from scratch, and right now it's just Windows 10, because it's very scary to me what Windows 10 is doing, especially in terms of how much data is coming out, how much of my personal data is coming out in Windows 10. And then we really wanted to meet our adversary at his own level of abstraction, because it really helps us find, making breaches of privacy easier to look at and intercept, because we have two goals with the project: we want to maybe inject false data from our devices into the cloud, and we also want it to assert our privacy and block certain connections inside our operating system. So peeling back this level of abstraction proved to be very challenging to us, as we became very familiar with this screen over and over again working on this software, including until about 15 minutes ago, and we just kept trying over and over again to come up with some things that would actually compile and run.
And in the meantime I got sucked into playing Hacker Jeopardy this weekend, which has been a very interesting weekend for me, to say the least. But you didn't come here to necessarily see me talk about this stuff, and I really wanted to take a page back from old school DEF CON. Anybody remember the GTE door?

So I talked about pulling the processes, and so the code for that kind of looks like this. I want to say 90% at least of the code I'm showing today is already included on the CD. This is pulling the process list. So this is the code that we wrote from scratch to get the processes like you would see from Process Explorer. And the reason, again, like I said, we do this is because we wanted to provide two things to users of our software: that there was some kind of assurance there was nothing in the software that you didn't know about. And it's not necessarily anything groundbreaking, but it just gives you a level of assurance, because you want to be able to assert things with some kind of authority inside your own operating system, that you have some modicum of privacy, so that you don't have to tape up your microphone jack and your camera like paranoid people do, from the beginning of our talk.

But don't panic. There is a UI. So the team is bigger than me, and one of my co-researchers, Kate Davis, happens to be a UI expert, and we're in alpha right now with a UI that will take all of our code and allow you to, we're going to visualize the data streams and allow you to click on individual data streams in a UI and not know anything about assembly programming, for example. But if the demo works out we will see the client; I actually have it running on my computer right now. But more code first.
So there's a command line client that's going to be included in the release, and this is kind of like the code from that, to pull up what we built, a net filter, since we don't know where the data forks inside the browser, and we didn't want to spend a lot of, we didn't have the time to go into every browser and figure out where this was this summer. And then if anybody wants to help, I'd welcome them in the project. So we built a net filter that sat between everything and the network interface cards. And then if you're a command line kind of guy, this is kind of like the code that pulls up the net filter, so that you can shunt the processes that you deem undesirable, or the TCP connections that, for example, if you're going to foo.com or example.com and then you notice there's four other TCP connections going to third-party site collection companies, you can just choose to shunt those connections, and your connection to foo.com will work just fine.

So some of this was written by Sashi, who, by the way, Sashi is a collection of folks that help me, because this is a project that's bigger than one person, and a shout-out goes to Sashi, you know who you are. But we wanted to make sure that we were providing you with clear and concise code that had a lot of comments in it, so you knew exactly what all of this stuff was doing, so you understood at least perfectly, if you're not a programmer, what the code was doing, if you were interested in that kind of thing. Hiding and overusing privileges is rampant inside the operating system right now.

So this is a callout function from the net filter, and again, it's probably a wall of text or a real eye chart here. I really just included this on the CD so that you could get a chance to see what was in the code and maybe actually show up to the talk. So apparently I didn't do very well, because there's not a lot of people here. But oops, look at me, I went too far. So if you wanted to add a filter that references a callout, as documented in the Windows Driver Kit, you need to do some things: we need to call to the register and do some other calls, and then I've got some slides later that go into a little more detail on this.

I do want to introduce Sashi a little bit. If you actually go to this web address right now, you can see this web page. So when you get the code and you want to try it out, you can actually see how the man in the middle works. And due to some internet difficulties, because we are at DEF CON, I'm not actually going to demo this part; there's a lot of risk involved in that. But I do have some screenshots of what the site kind of looks like. So in the upper left-hand corner, X, Y coordinates, and that would be where your mouse pointer is, and the box underneath that is a frame for keystrokes, and then you can turn on the video and microphone. But I suggest that you mute your device, because there's a bit of feedback involved; we didn't get that worked out in the code before the release. But if you hit the mute button, you can see the little blue in the bottom left-hand corner would strobe to let you know that the microphone is still being streamed to the application. And you can actually put the website in the background and notice that the video and mouse are still being streamed to the application, even though you moved an application to the foreground and the web browser is in the background. And then the website is just out there, so that, when I've used a lot of tools that were released for years, and wanted to really provide something that you could go to. And then we're also going to release the code for this web page, so that you can just run it locally. But it kind of looks like, when you intercept keystrokes, they'll appear in the little box, as showed up there in the upper left-hand corner. And then I'm going to flash back for a second: it's www.kadego.com/sashie. So, and again, I'm talking really fast, so that's good.

So the tool chain completely consists of a UI client and something we call the Kona silage. They're both still in alpha. They kind of work, maybe, on my computer, but they're not ready to be released yet. And then there's been, as always in a talk, last-minute circumstances. I'd hoped that the UI client would be a little further ahead, especially pulling up a lot of the pieces of code, and we were going to compile everything so that we had a nice binary, but there was an unfortunate accident that prevented one of the coders from finishing their code. So we're just going to move right past that. But the framework will be released when it's ready, and I imagine it will be ready Soon(TM). The source code is ready to go, and it's probably going to go whenever I can find a safe internet connection again.

And then you'll need your reading glasses for the wall of text that describes how you would actually do the injection. And then what we do, or what we decided on, is the best place to put for injection right now, because it's cool, is to build a net filter, a filter in the driver. And this is a lot of explanation about exactly what's going on in the code. These slides are literally 32 minutes old. The people that were helping me, we were awake all night and actually split up across the property, so I apologize for the formatting of these slides, and we'll put the slides into the release, which is probably going to happen later today, so you can get an idea. I don't want to see you read this, but this comes straight out of the Microsoft site. They have very good instructions on how to actually write these filter drivers, and the structure for it kind of looks like this. And at least this is a little bit less of an eye chart. Here at the top we have a bunch of filters in the upper-level device filter drivers, as we push down towards the bus driver. And the code for how you would want to either intercept the calls that are going out into the operating system, and then perhaps inject into them, kind of looks like this. And then I didn't bring my glasses either, because the code is really a wall of text to me too. But I'm going to be releasing this code with everything else later on today, hopefully. This code that we're looking at right here is building the net filter, and then being able to, from here, we can manipulate all of the data from the keyboard to the upper layer of Windows, the callback function that we show here, as I've already described. But then we can also create an event in the OS to call and pass fake data. So the idea is, this is a user-driven action: from the UI, or from the command line if your kung fu is that way, you can direct the keyboard to type things, either from a flat file or just randomly, for anyone who's interested in listening.

And the way I feel about this is, if somebody wants to listen to what I'm typing on my keyboard and I fill up their hard drives, or if we all get together and fill up their hard drives and monkey with their grand plan for advertising and making us forget about the things that are important, fuck them. We all need to do something about this, because it's running out of control. I want my privacy back. I don't want to have to worry about going into a Word document and having other people see what I'm typing into that document, or even Notepad or something like that, or if I type into a chat window, having a company decide that they would like to keep what was in the chat window even though I deleted it and never sent it to anybody. It's something that's personal, and I'd like that to stay inside. And we want to really try to provide you tools that help you do that. And just one guy, one paranoid guy like me, doing this is not going to be enough, and we need everybody to really sit and do this, which is why we're developing the UI, and it's been a very long process when I do this.

So the problem really is in the visualization. The client is kind of all there, but there's no compiled code hooked to it yet, and this is one of the things where I need to apologize for not finishing in time, but there were unfortunate circumstances that prevented the finishing of this code, and it will be finished. The visualizations, and what we see, is approximately 60 to 150 processes that can be easily visualized. And then the primary author of the UI is one of my co-researchers; her name is Kate Davis. She's also at the University of Illinois. I work at the University of Illinois during the day as well. This talk is not, and the pinworm framework is not, my job; this is a hobby that I do at night, like I've always done, and the University has nothing involved with this presentation whatsoever, as I accidentally said where I worked. Not that it's a big deal; people know where I work. But so the UI is there; the code is not compiled into it yet, and Kate can get to that when the crisis abates.

So, you know, we rely on IRP a little bit for a sniffer, for instrumenting a device, so we can understand how to build a structure around anything that you might be interested in getting in the middle of; provide a framework for cutting and pasting code and writing your own customized injectors for data and anything that you might see fit inside the computer; the HTTP server code to display the metadata, and you can, until somebody maybe hacks my Sashi website out of existence, it will be online for you to look at, or you can just run it locally and hack away at injecting metadata into the little website; and then we included the man-in-the-middle code for the interception of this data, so that you can insert your privacy, or perhaps send white noise when you're not using a particular device.

So I'm going to take the tinfoil hat off now. I thank Weird Al for being so gracious and letting me steal this picture, and I want to thank you. So, did I make it in 45 minutes? Good. So it might be questions, I don't know. There was a demo of the actual injection, and the movie was made an hour ago and it was going to be sent to me, but I was intercepted by these guys who wanted to make sure I was going to make it to the stage on time. So I'll get the movie of the actual injection out as soon as possible. I know that it exists; I just didn't get to it in time. I don't know. I ask for questions; I don't see anybody standing. So did it suck? I mean, holy shit. It seemed that I don't need my voice anymore.

Audience question: Where do you see the most pernicious exfiltration of data? Is it from your keyboard, from the observations of the cameras, things that are hidden in the mouse that you don't realize you're giving away? What bothers you most about the privacy in the computer?

Well, that's an interesting question. Two things. First off, the thing that was really alarming to me, and I took the slides out for it, you can easily Google this: there are many companies that commercially provide a heat map of where all the users' mouse strokes go, and this is a tool that is being commercially offered by a lot of different companies. Oh, these are the places where everybody goes. And I can understand that functionally, as a website, I think that that data is interesting. But as a user it really creeps me out, because I don't want anybody to know where my mouse is. I don't want anybody to know; it's not their business. But I think the answer to the question is the microphone, to be frank. The microphone is so scary, I had to redact parts of my talk. There is a lot going on there, and it will be very eye-opening when you run the code on your computer, especially with the microphone. Thanks for the question.

And again, either I sucked or everybody is like, what the fuck just happened? Now I want to say: I survived a BSides talk Wednesday, where I released a different set of open source software. I sat next to Dan Kaminsky Friday night; I drank 8 beers in 30 minutes. I sat next to Banshee last night, drank 10 beers. I was up all night last night, and I think I made it to at least 31 minutes of talk without sucking too bad. And, but holy shit, it's Sunday. I know everybody is all wracked out. Fuck, I know I am. I think I survived it. So I want to thank you guys. It has been a pleasure to be at DEF CON for the last 16 years as a user, and I would like to thank every goon that has made this possible. They are the true stars of the show. And just as a parting shot: who can be louder, you guys or me? No contest. I'll see you at the award ceremony.
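Added example, not part of the talk and not code from the pinworm release: the talk describes two things a user can do from source they can read, list which process owns each TCP connection (the "TCPView from source" idea) and shunt the third-party connections a browser opens while leaving the site you asked for alone (the net filter idea). The release does this with a WFP callout driver; the script below is a user-mode stand-in that uses only the built-in NetTCPIP and NetSecurity cmdlets, so no driver and no test mode are involved. The function names, the rule-name prefix `privacy-shunt`, and the 203.0.113.10 address are all constructed for this example.

```powershell
# Added example (not from the talk or the pinworm release).
# Requires an elevated PowerShell on Windows 8/10 or later.

function Get-ConnectionsByProcess {
    # One row per established TCP connection, joined to its owning process,
    # skipping loopback and unspecified remote addresses.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]
            [pscustomobject]@{
                Pid     = $_.OwningProcess
                Process = if ($p) { $p.ProcessName } else { '<unknown>' }
                Path    = if ($p) { $p.Path } else { $null }
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
}

function Block-RemoteEndpointForProcess {
    # Shunt one program's connections to one remote address with an outbound
    # block rule. Every rule name carries the same constructed prefix so the
    # shunts can be reviewed and removed as a group later.
    param(
        [Parameter(Mandatory)] [string] $ProgramPath,
        [Parameter(Mandatory)] [string] $RemoteAddress,
        [switch] $WhatIf
    )
    $name = "privacy-shunt $([IO.Path]::GetFileName($ProgramPath)) -> $RemoteAddress"
    New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
        -Program $ProgramPath -RemoteAddress $RemoteAddress -Protocol TCP `
        -Profile Any -WhatIf:$WhatIf
}

# Usage: see what each process is talking to, grouped by process.
$conns = Get-ConnectionsByProcess | Sort-Object Process, Remote
$conns | Format-Table -AutoSize

# Hypothetical: the table shows your browser (use the Path column it reports)
# connected to 203.0.113.10, which is not the site you typed in. That address
# is a documentation range value, constructed for this example.
# Block-RemoteEndpointForProcess -ProgramPath 'C:\Path\To\browser.exe' -RemoteAddress '203.0.113.10' -WhatIf

# Review or undo every shunt this script created:
# Get-NetFirewallRule -DisplayName 'privacy-shunt *' | Remove-NetFirewallRule
```

One caveat that the talk's per-connection driver does not have: a Windows Firewall rule matches on program and remote address, so if the site you actually want and the third-party collector sit behind the same CDN address, the block will take both down. Run `Get-ConnectionsByProcess` again after adding a rule and confirm that only the connection you meant to shunt has gone away before removing `-WhatIf`.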