Hey, Bill, how do you pronounce your last name? You're not gonna be able to say it, but it's Demirkapi. Do you want me to try it? I mean, I don't care. I won't get offended if you don't say it.

Looks like we are live. Yep, we seem to be live. All right. Welcome, everyone. I want to introduce Bill. Bill, I just tried to do your last name in my head and I was not successful at it, so I'd like you to say it for everybody, if you care to.

Sure, it's Demirkapi.

All right, thank you for that. Instead of me murdering that, I wanted you to try it. So, Bill did a talk on Demystifying Modern Windows Rootkits. This is your opportunity to ask questions of Bill. There are a few questions already coming in through the Track One live Q&A channel. Let's just go ahead and get started.

Ergon asks: what are the easiest features to find that might reveal a modern rootkit via static analysis?

I think a good place to start for static analysis is going to be, obviously, the strings, because if they leave any debug strings behind, or any unique strings for that specific binary, that's a good thing to maybe add to your signatures. But another opportunity is going to be the imports of the driver. For example, if a driver imports a bunch of undocumented functions, that's obviously going to be a little bit more suspicious, given that legitimate drivers tend to try to stick with what's documented and with what's stable. So if there are any functions it imports that are not stable, or that are just not really known about, it's something to look at.

So anything undocumented that's getting pulled in, you're thinking that's going to be your opportunity for shenanigans on that side. All right. Was that pasties? I was gonna say that the potential shenanigans could still be what's in it.

That's true.

So, next question, from RPTK2015: did you actually find any private keys when searching on GitHub?
Mentioned in the context of using a legitimate key to sign your driver.

Yes. So I didn't, of course, crack any of them, but some of them were pretty obviously related to code signing. For example, I remember one that had "code signing" in its name, so it was pretty clear that these were probably associated with code signing, in that if you cracked it you could potentially use it for kernel code signing. It all depends on the type of certificate it is, and what vendor it came from, and stuff like that. But, while I can't confirm it, I have definitely seen potentially viable private keys on GitHub.

Do you know if there are some keys that are more trusted than others, like some that you can use to sign code but that aren't trusted for kernel-level drivers, or something like that? I assume a Microsoft signing key is like the gold standard, but...

Yeah. So usually how it works is that you have these certificate companies that issue these code signing certificates, and they work with Microsoft to get what's called a cross-signing certificate. This means that Microsoft says, yes, this vendor, this root authority, can issue certificates for kernel mode code signing, just to give you an example there. And so some vendors don't have a cross-signing cert, and they probably will not work for kernel mode code signing, while others do. So that's usually the different levels: whether or not the vendor has deals with Microsoft, or has a cross-signing certificate from Microsoft.

Where would I look up that information if I wanted to find out more about a specific cert?

Yeah, so I think Microsoft has a list of cross-signing certificates on MSDN, the Microsoft documentation. Yeah, I found a page here.
It's called "Cross-certificates for kernel mode code signing."

Gotcha, okay. So a follow-up question on that one would be: what's a good place to find leaked certificates, were I to decide I needed one?

Yeah. So one of the places I mentioned that's a good place to start for looking for leaked certificates is going to be cheating-related forums. There are quite a few available there, and some of them have been out for years, and I still think that you can use them, because a lot of antivirus simply don't have detections in place for these leaked certificates, even ones that, again, have been out for years. So if you're out looking for a leaked certificate, look at game hacking forums; search for "leaked certificates" and the game hacking forums' names, and I can guarantee you that you'll find some.

That's an interesting crossover. It totally makes a ton of sense, but it's not something that would have come to mind if I was ever gonna go look for that.

Yeah, especially considering who's making these things and who builds a lot of the games out there.

RPTK2015 has another question: can you explain a little more about why the kernel would accept a driver signed by an expired certificate?

Yes. So let's say you go into the digital signature section of a driver and you see a certificate there, and it says the certificate has expired. Well, what you're seeing there when you go to the digital signature section is the result of WinVerifyTrust, which is a user mode function, whereas the kernel mode code signing policy is completely different, because that's in the kernel. So what you see returned by the WinVerifyTrust function will, generally speaking, not always be what the kernel mode code signing policy checks for. And what I mean by that is, if WinVerifyTrust returns
"this is expired" or "this is revoked," there are some reasons that the kernel might still load that driver, because at the time of signing it was still valid. So even without a timestamp, the kernel just assumes that since this was at some point signed by a valid certificate, even if the certificate expired, it still should be loaded.

Yeah, I think it's mostly going to be for compatibility reasons. That's what I guess I assume, but it's speculation, given that I don't work for Microsoft, so I don't know the reason. I'm sure there's a whole lot of history there.

So we have another question. Trinsky is asking if you have any interest in creating a roadmap of resources, courses, or tutorials on your blog, so a person can get to your level of reverse engineering competency.

Yeah. So for that question: most of my knowledge comes from just experience, and the best recommendation I can really give is to just try things out. Do CTFs if you want to learn reverse engineering. And really, one of the ways that I go about looking for projects or stuff to do is I always stay curious. What I mean by that is, if I see some weird functionality by a program I'm using in real life on my machine, I will probably quickly try to check underneath what's happening here: why is it doing this one weird thing? And oftentimes I've found that that can actually lead to other issues, like actual security issues.
So if you're looking for what projects to do, or what to reverse, it's really just going to be the software you use in your everyday life. And I don't have any plans to do a course or something, just tutorials on how to reverse engineer, for example. It's really going to be going out and finding your own projects that you find interesting, so that you'll continue pursuing it. That's, I guess, the trick. The reason that I was able to learn so fast was because I always did stuff I was interested in. Specifically, in game hacking: I love games and I'm bad at games, so I had a self-interest to continue reverse engineering these games and figuring out how they work, and maybe how the anti-cheat works. And then you'll end up learning a lot from just trying out things, trying to reverse new programs you might not have had to look at before, stuff like that.

Well, a quick step back, then. You said you watch as a program does something unusual. It's not exactly the words you used, but what types of unusual things are you expecting? What types of things would make the radar go off?

Sure, sure. So just to give you an example of a vulnerability I found a few years ago: it was in the software called Dell SupportAssist. How that worked was, when I went to update my drivers because I'd installed a new SSD and I needed drivers for that one machine, the website claimed to be able to update my drivers from the website itself. And I was like, how does the website update my drivers?
Well, it turns out that Dell pre-installs this software that basically allows its own website to communicate with it and install stuff like updates. Well, that's kind of weird, because allowing a website to have that sort of access... And then I reverse engineered it further, and I found that the restrictions there weren't quite as strong, and I found a way to bypass the restrictions the application had. So the weird part there was, well, it's a website claiming to update my drivers. That's not normal; websites normally can't just automatically update my drivers themselves. It might be something I have to install and do myself. So in that case, that was something weird. It's just basically finding these: why does this thing happen? Why did they design it this way? And it's looking for those logical flaws in their design, or just their code itself.

Yeah, so this is one that I've actually hit myself. RPTK2015 is asking another question. I like that this dude, or chick, I don't know, keeps coming. Could you explain how Secure Boot blocks some of the driver signing methods?
I've definitely noticed that some drivers work with UEFI and some don't, and it's usually a driver signature problem.

Yeah. So the main issue you're gonna have with Secure Boot is, if you're going after using a leaked certificate, or if you're buying your own certificate, the thing to consider is: if the certificate was issued after July 29th, 2015, that's the cutoff date, then you're going to need an EV certificate, an extended validation certificate, on newer versions of Windows 10. What that means is that the certificate vendors that give you these code signing certificates have to do extra validation, and typically the certificate is given to you on a USB drive instead of just sending you the private key file. So for versions of Windows 10 that have Secure Boot enabled, you're basically prevented from loading drivers that aren't signed with an EV certificate, just because that's the policy it follows in those newer versions. But if your leaked certificate was issued before July 29th, 2015, then it will still work on these newer builds with the Secure Boot protection, I guess you'd call it.

There is sort of an extension of that. When I encountered this issue, there was a registry flag that you could set that sort of bypassed it. It was an unattended upgrade.
It was from a Windows 7 to Windows 10 upgrade. Did you try playing around with that to see if you might... Like, I know most of the leaked certificates, the ones publicly available, are issued before that cutoff date, so...

Yeah, I mean, almost all of them are issued... Yeah, I mean, at least right now, the leaked certificates I used, when I found them, were issued before that date. So I haven't actually found a leaked certificate that was issued after it yet.

So it's easy enough to find that you haven't had to hunt down that possible other way to get it done.

Right, right, right. And so there are quite a number of ways you can approach the problem of getting your driver loaded, and at that point, if you don't even need to look into other ways, it's a non-issue, I guess you'd call it. But it's something to keep in mind going forward: once those leaked certificates start to run out, you're probably gonna run into that issue of that date restriction. And at that point I'd probably recommend the second method of loading a driver: abusing another legitimate driver that has been signed with an EV certificate. But again, the problem with that, as I mentioned in my talk, is that you can run into a lot of stability issues when abusing another driver and trying to load your own, just because there are oftentimes going to be stability concerns like race conditions.

That makes sense. So Trinsky is asking: did you test your rootkit against any of the top EDRs?

No, I didn't. But I took EDRs into consideration when designing the application. For example, how I hook communication between the AFD driver and user mode applications: I always went for methods that would try to make it as expensive as possible to detect, because I feel like that's the best approach.
Not security through obscurity; it's going to be, how can I make the antivirus have to go through a very expensive and time-consuming process to detect me? Because oftentimes they'll reconsider for those reasons. Or another perspective might be, how can I cause compatibility issues? If there's an application that already does these suspicious operations, maybe I can go in and impersonate that application, and the antivirus would have to accept it, because the legitimate application also does suspicious operations.

Trigger bad false positives that they can't work around themselves.

Right, right, right. Or it's very difficult to detect around that.

Yeah, it makes sense. I mean, I feel like a lot of security is just making the other side do more work to get to the same goal. So RPTK2015 asks another question here: there were some methods you were able to see that were not HVCI compatible. Can you please explain a little bit about HVCI mitigations?

Yes. So HVCI, let me look at what it stands for; it's like virtualization-based protection of code integrity. Essentially, it's a mitigation; if you have virtualization enabled, you should be able to enable it. It basically makes it so that once the driver is loaded into memory, especially its executable sections, it can never again have those executable sections set to writable. The memory protections will never be able to be writable for that memory page, because it's an executable section. So essentially it prevents code hooking, for example, or basically modifying the actual bytes of the driver's executable code.

That makes sense. Okay, so I apparently missed this. Can you talk a little bit about your PeaceMaker project and how it compares to Spectre?
Sure. So PeaceMaker was basically a proof-of-concept EDR that I wrote a few months ago, which was basically the opposite of what I'm doing now: instead of writing a rootkit, I wrote a driver to detect malware. The biggest difference between the two is the fact that one of them is a blue teaming defense application, while the other one is a rootkit. But how does it compare? Well, PeaceMaker is going to be, I believe, a little bit less efficient in general, and I followed a stricter code design policy for myself in this latest one. So I mean, those are, I guess, how it compares, but they're two different projects for two different reasons.

That's fair. So speaking about other projects and other places you might want to push this research: you already mentioned a little bit about a gap in the upgrade process, for if you end up running out of certificates that were signed before the cutoff date. What other interesting things are out there for somebody who wants to do research in the same field that you're in? What would you recommend for somebody who is looking for a neat project to jump in and start working on?

So for, I guess, neat projects, or where to start: first of all, if you're interested in learning more about the Windows kernel or the internals of the Windows operating system, the best recommendation I have, besides experience, is going to be some of the books out there. That includes Windows Internals; the seventh edition is the latest one, and it really goes into depth about the internals of the Windows operating system. But it's really going to be finding a way to make security interesting for you, or make learning interesting to you. That's the best way I can recommend.
I guess the best way to go about learning these difficult topics is to gamify it, and to incentivize the research itself. But yeah, in general, most of your experience and knowledge is going to come from experience, and just playing with things, trying new things. And for projects you could do, it really varies. You can try looking at reversing drivers for vulnerabilities in their IOCTL interface; that's what I started with, at least. And you can try to find a way to abuse those drivers, like the abuse-legitimate-drivers portion. If you're looking for some drivers that might be vulnerable, a lot of OEM drivers have security issues in them. I'm just always shocked; I've become desensitized to it. Just almost every OEM driver has something questionable in it. And I guess that's the place to start if you're looking for vulnerable drivers.

It almost sounds like, as you're approaching these projects, the new thing pops out at you. Maybe not from getting in depth into "I'm gonna find all of the drivers out there," but you're looking for other things, you're learning everything you can, and then the context for your next project kind of filters out from that. Or do you find that you have to go searching for what you're going to attack next?
So in general, not even just Windows kernel stuff, I generally don't search for projects to do. Again, it's just finding stuff that might be interesting. Like, if a program's doing something suspicious, there you go, that's a project right there: find out why it's doing that thing, or anything similar that could be called into question. But for Windows kernel stuff, one thing I do is I try to be part of the virus scanning platforms out there. One that I am part of is Hybrid Analysis, and what I'll do is I'll occasionally search for drivers on there and download them and just take a quick peek under the hood, and you can see what's going on there. So that's a good place to, I guess, find these driver files if you're trying to search for them.

Sorry, go ahead.

I was gonna say, are those already-infected drivers, or are these just a reference, or just tons of drivers, like a repository kind of thing?

It's just a repository. These aren't necessarily bad drivers or vulnerable drivers; these are just potentially, like, might-be-legitimate drivers. So it's just a driver repository.

Have you looked at any other driver infections, just to see how they are doing those hooks, to get basically similar ideas and work back from the attack side? Rather than being like, "oh, this is weird," it's like, "oh, this is an active attack, how are they doing this, could this apply to other situations?" So basically, do you look at malware, or do you just look for new things in weird drivers?

I look for new things in weird drivers. I don't specifically just look at drivers I know are malicious. What I do is, like I said, I'll reverse engineer OEM drivers, and that's a starting point. Those are legitimate, and I'll just look into what I can find. First of all, it's auditing attack surface: finding out what you can actually talk to. And then it's finding out, now
that you know what you can talk to, what are the access controls in place that limit how much you can talk to the application? And it's going from there. It's that type of investigation: what can you access, and how can you manipulate what you can access?

So Trinsky asked a question that fits into kind of the direction I was pointing there. How do you balance your personal life and doing research? You're clearly deeply involved in this. At what point is this all you do, and how do you fit in the rest of the stuff you want to do with your life?

Yes. So, specifically, how I manage my time: the big thing is, over the summer I didn't do much; most of my research was performed while I was in school. So before any internship or summer of work, it's going to be in school. I've just got too much free time, and so I just spend that time researching, or I spend some of that time trying to research things. And it's different if you have a full-time job. I don't know if I have a recommendation for you, because the fact is, I know 40 hours a week is rough; you'll probably be tired when you get home, so doing research then can be difficult sometimes. So I don't know if I have any recommendations specifically for that, but in general I try to use the free time I have as valuably as possible, I guess. And since I have so much free time in school, I dedicate a portion of that to doing my own research.

That's awesome. So not that we want to point towards anything specific, but you did mention that there are some CTFs out there that are good training resources. Maybe this is a good time for you to say: do you have a favorite CTF for teaching this type of material, other than the Windows Internals stuff, where you can read the 30-pound book?

So it's actually really unfortunate.
I find that a lot of CTFs don't really focus on Windows-related challenges. It's really rare that you'll see an actual challenge that's dedicated to Windows internals. Usually, if it's a binary exploitation thing, generally speaking, I see it being a Linux application, maybe even running on the ARM architecture. But I just rarely see... I don't have any good CTFs to recommend for Windows-related stuff, just because oftentimes you probably won't see Windows-related stuff. One of them I can mention that's pretty good, I guess you'd call it my favorite CTF overall, is the Flare-On reversing CTF. They have some really interesting challenges there. It's not just gonna be Windows stuff; it's gonna be reversing a bunch of different architectures and applications, figuring out what they do. It's one of the favorite ones I participate in.

Also, I guess that also kind of exposes... That CTF sounds awesome. It seems, for anyone that's watching, that there's a gap in the community: Windows CTFs. There you go, next DEF CON talk. Well, so what's next for you, if you could pick which direction you would point for your next research topic?

That's simple to say: I honestly don't have the next direction. I don't have the next project. I kind of just go with the flow. It really is literally just looking at the everyday software I use, and then I just tend to notice stuff, like, "this is weird," and that's how I go about doing it. For my talk specifically, how I came up with it,
I guess you could say, is our school's security club. The red team needed new, we wanted new, malware to use against our best blue team competitors. We run competitions where we simulate a corporate environment, and you have a red team that tries to maintain persistence and a blue team that tries to kick you out. Blue teams also have uptime and these challenges where they have to keep services up while the red team tries to mess with them. So there was just a need there for me to develop some tooling against our top blue teamers, and that's why I decided to look into this, maybe a two-birds-with-one-stone type thing. I thought it'd be interesting. And so there are educational resources about rootkits out there, like books, I know for sure, but I haven't really seen open-source tooling around kernel-level Windows rootkits out there; it's rare to see it. So I thought it would actually be a pretty interesting project.

Yeah, looks like it turned out that way. Did you end up crushing the blue team with this?

Yes, yes, definitely. I remember having conversations when I suggested that I was abusing legitimate communication, explaining to these blue teamers how it was doing things. They were really confused, like, how would you abuse a legitimate port on my machine? Because they were of course looking for malware, and I was using... So they have to have certain service uptime, right? They have to have these services always up. So I was just using that fact to get into their machine, because they couldn't take down that service. So even if they knew, and they didn't, that I was abusing these legitimate services for communication, they would firewall everything except for those services and I'd still be able to get access, because I'm communicating through their services.
So yeah, it was a really fun time.

One person is asking for a clarification on the CTF, like where they can find it, the Flare-On. They found flare-on.com.

Yeah, it is flare-on.com, the one I mentioned.

And another question from RPTK2015: in the resources you proposed, ReactOS. Could you explain a little bit about that?

Yes, sure. So ReactOS is essentially a bunch of engineers who reverse engineered the Windows kernel and wrote it one to one. Obviously, I wouldn't say it's a hundred percent one to one, but it's actually insanely accurate to the actual Windows kernel. So it's kind of like an open source Windows kernel. You'll find that a lot of the functions in the actual kernel have been re-implemented in there; it follows the same structure. It's quite literally an open source clone of Windows, and it's an amazing resource, because sometimes you'll find undocumented functions and you don't know what they do, and luckily you can go to the ReactOS project and just take a look at the source of that, because people have spent hours reversing that one function for you. Now, some of this is going to be outdated, because the ReactOS kernel replicates the XP kernel, but still, the core functionality is going to be pretty similar.

Excellent. So we are right at the end of our scheduled time. Is there anything else you'd like to impart upon us before we call it for the day?

Yeah, I mean, not really. I appreciate everyone for coming out to my talk. Keep in mind that rootkits are... I'd like more red teamers to start using Windows kernel-level rootkits and going that route, because I think there are some interesting, more advanced actors that use it, and I feel like more red teamers need to start simulating those advanced actors that have been using these rootkit techniques for years. I just feel like we have so much...
We have such a good community for user mode malware, but we rarely see much for kernel mode, if that makes sense. So I guess that's the parting message: please start looking into it, because the real adversaries out there already have this ready to go.

That makes sense. Well, we'll get you to post all of your contact information into Track One and let people find you wherever you tell them that they can find you. I really appreciate that you gave us some time today to both give that presentation and then spend this time in the Q&A. So thank you very much, and hopefully we'll see more from you soon.

Yep, have a good one.

Thank you, Bill.