GARGOYLE HUNTING IN-DEPTH: DETECTING 'GARGOYLE'
CODE-HIDING VIA AUTOMATED WINDOWS KERNEL ANALYSIS

Aliz Hammond, MWR InfoSecurity

Detecting certain user-mode code-hiding techniques, such as Josh Lospinoso's 'Gargoyle', is almost impossible from user-space. In this talk, I will examine Gargoyle, and explain how it can be detected from kernel mode. I will first walk through using WinDbg to locate hidden code and then write a Volatility plugin to turn this process into a practical method of detecting real-world attacks — in the process, adding a reliable method of differentiating these from legitimate behavior.

No prior kernel knowledge is needed, but those with a background in WinDbg, Windows internals, forensics, and/or Volatility will get the most from this talk.

Infosec in the City. Copyright © 2017-2019
IIC Productions (Pte. Ltd.). All rights reserved.

  • @infoseccity
  • @infosec_city

Contact Us  |  Join Our Mailing List   |  Follow Us :