A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:


Matt Weeks: "Ambush - Catching Intruders At Any Point"(BSides Las Vegas 2012) (Hacking Illustrated Series InfoSec Tutorial Videos)

Matt Weeks: "Ambush - Catching Intruders At Any Point"

Intrusion detection and prevention systems monitor a point or set of points such as a network connection. In response, malware authors hide traffic through these points with encryption, encoding, and obfuscation. This presentation will demonstrate a different strategy, based not on another point but on the flexibility to add almost any point dynamically, with a new function call hooking system, capable of intercepting virtually any set of API functions system-wide. This is in contrast to existing HIPS's, which are limited to functions chosen during design and only monitor certain actions, such as file and registry edits. It uses dynamic code generation to expand on existing hooking techniques, overcoming challenges with different function definitions, architectures, and associated calling conventions.

This presentation will demonstrate the ability to configure signatures on everything from the highest to the lowest level API's, catching whole classes of malware. It can prevent exploitation of certain vulnerabilities and identify shellcode, keylogging, remote control, and HTTPS-encrypted communications regardless of code obfuscation. Pentesters, red teams, and malware authors used to worry about getting caught while writing to disk. Now, no action is safe. The implementation, the Ambush Host Intrusion Prevention System, will be released open-source.


Back to BSides Las Vegas 2012 video list

Printable version of this article

15 most recent posts on Irongeek.com:

If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast