GARGOYLE HUNTING IN-DEPTH: DETECTING 'GARGOYLE' CODE-HIDING VIA AUTOMATED WINDOWS KERNEL ANALYSIS
Aliz Hammond, MWR InfoSecurity
Detecting certain user-mode code-hiding techniques, such as Josh Lospinoso's 'Gargoyle', is almost impossible from user-space. In this talk, I will examine Gargoyle, and explain how it can be detected from kernel mode. I will first walk through using WinDbg to locate hidden code and then write a Volatility plugin to turn this process into a practical method of detecting real-world attacks — in the process, adding a reliable method of differentiating these from legitimate behavior.
No prior kernel knowledge is needed, but those with a background in WinDbg, Windows internals, forensics, and/or Volatility will get the most from this talk.