Week 3: Software measurements to detect cheating (4/10)
Weeks 4-10: Projects and BlackHat rootkit lectures
G. Hoglund, "Hacking World of Warcraft", Black Hat 2006. (4/15)*
Supervisor controller on remote system that sends commands interpreted by "implant"
Network communication directly to kernel
Hardware debug breakpoint via the x86 debug registers (address in DR0-DR3, enable and condition bits in DR7, hit status in DR6)
Trap frame modification to gain control of main game thread (that also runs Warden)
Memory cloaking/uncloaking of implanted code via page table tampering
Interpreter performs direct function calls of game code
Int 3 at end of implant to restore and recloak
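The debug-register mechanism behind the hardware breakpoint listed above, as an added example that is not code from Hoglund's talk or from the course: the slot layout of DR7, the encoding rules the CPU enforces (execution breakpoints must use length 1, 8-byte watchpoints exist only in 64-bit mode, addresses are masked to the length), and the DR6 status bits a trap handler reads to learn which slot fired. Function names are my own; the bit positions are those documented in the Intel SDM Vol. 3. The code only computes register images and runs unprivileged; writing the real registers takes ring 0 (or, on Windows, SetThreadContext on the target thread), which is exactly why an implant that sits in the game's own thread can arm them.

```c
#include <stdint.h>
#include <stdio.h>

/* Condition codes for the R/Wn field of DR7 (Intel SDM Vol. 3, "Debug Registers").
   BP_IO only works with CR4.DE set; it is accepted here but not otherwise checked. */
enum bp_cond { BP_EXEC = 0, BP_WRITE = 1, BP_IO = 2, BP_RW = 3 };

/* Bit positions inside DR7 for slot n (0..3). */
#define DR7_L(n)    (1ull << (2 * (n)))        /* local enable  */
#define DR7_G(n)    (1ull << (2 * (n) + 1))    /* global enable */
#define DR7_RW(n)   (16 + 4 * (n))             /* 2-bit condition field */
#define DR7_LEN(n)  (18 + 4 * (n))             /* 2-bit length field    */

/* Program slot n: address into dr[n], condition/length/enable into *dr7.
   Returns 0 on success, -1 for an encoding the CPU rejects or silently mangles. */
int hwbp_set(uint64_t dr[4], uint64_t *dr7, unsigned n, uint64_t addr,
             enum bp_cond cond, unsigned len, int long_mode)
{
    unsigned lenf;
    if (n > 3) return -1;
    if (cond == BP_EXEC && len != 1) return -1;  /* execution breakpoints need LEN = 00 */
    switch (len) {
    case 1: lenf = 0; break;
    case 2: lenf = 1; break;
    case 4: lenf = 3; break;
    case 8: if (!long_mode) return -1; lenf = 2; break;  /* LEN = 10 means 8 bytes, 64-bit mode only */
    default: return -1;
    }
    if (addr % len) return -1;  /* the CPU ignores the low address bits; insist on alignment */
    dr[n] = addr;
    *dr7 &= ~((3ull << DR7_RW(n)) | (3ull << DR7_LEN(n)));
    *dr7 |= ((uint64_t)cond << DR7_RW(n)) | ((uint64_t)lenf << DR7_LEN(n)) | DR7_L(n);
    return 0;
}

/* Disable slot n and forget its address. */
void hwbp_clear(uint64_t dr[4], uint64_t *dr7, unsigned n)
{
    if (n > 3) return;
    dr[n] = 0;
    *dr7 &= ~(DR7_L(n) | DR7_G(n) | (3ull << DR7_RW(n)) | (3ull << DR7_LEN(n)));
}

/* Bitmask of slots a DR7 value enables (L or G bit). This is also the check a scanner
   makes on a captured thread context: any non-zero result means a hardware breakpoint is armed. */
unsigned hwbp_enabled(uint64_t dr7)
{
    unsigned m = 0;
    for (unsigned n = 0; n < 4; n++)
        if (dr7 & (DR7_L(n) | DR7_G(n))) m |= 1u << n;
    return m;
}

/* Which slots matched, from DR6 bits B0..B3. The processor never clears these bits;
   the #DB handler must write DR6 back itself or it will misattribute the next trap. */
unsigned hwbp_hits(uint64_t dr6) { return (unsigned)(dr6 & 0xFull); }

int main(void)
{
    uint64_t dr[4] = {0}, dr7 = 0;
    hwbp_set(dr, &dr7, 0, 0x401000, BP_EXEC, 1, 1);     /* break on execution at 0x401000 */
    hwbp_set(dr, &dr7, 1, 0x7ffe0000, BP_WRITE, 4, 1);  /* 4-byte write watchpoint */
    printf("DR0=%#llx DR1=%#llx DR7=%#llx enabled=%#x\n",
           (unsigned long long)dr[0], (unsigned long long)dr[1],
           (unsigned long long)dr7, hwbp_enabled(dr7));
    return 0;
}
```

The two example addresses are made up. The point of the encoder is the rejection paths: a misaligned data watchpoint or an execution breakpoint with a length other than 1 does not fault when written, it just fires somewhere other than where you expect, which is the kind of bug that leaves an implant's trap handler running at the wrong instruction.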
J. Butler, K. Kendall, "Blackout: What Really Happened...", Black Hat 2007. (4/22)
Code injection techniques
Reconstruction of kernel state without platform knowledge
N. Harbour, "Stealth Secrets of the Malware Ninjas", Black Hat 2007. (4/29)*
More extensive code injection techniques with source code
M. Burdach, "Physical Memory Forensics", Black Hat 2006. (5/6)
In-memory malware (Meterpreter, Syscall proxying)
Extensive description of virtual-to-physical and physical-to-virtual mappings in Linux/Windows.
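A worked version of the virtual-to-physical walk Burdach describes, for x86-64 4-level paging over a memory image, together with the present-bit form of the page-table tampering noted under Hoglund's talk above. This is an added example and not code from either talk or from the course: the "physical memory image", its table layout, the mapped addresses and the function names are all constructed for the demonstration. The entry bit positions and the 1 GiB / 2 MiB / 4 KiB page cases follow the Intel SDM Vol. 3.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy "physical memory image": 16 frames of 4 KiB. Nothing here was
   captured from a real machine; it exists only so the walk has something to read. */
#define PAGE_SIZE 4096u
#define NFRAMES   16u
#define FRAME(n)  ((uint64_t)(n) * PAGE_SIZE)
static uint8_t phys[NFRAMES * PAGE_SIZE];

/* x86-64 page-table entry bits. */
#define PTE_P     (1ull << 0)               /* present */
#define PTE_RW    (1ull << 1)               /* writable */
#define PTE_PS    (1ull << 7)               /* page size: 1 GiB at PDPT level, 2 MiB at PD level */
#define ADDR_MASK 0x000FFFFFFFFFF000ull     /* bits 12..51 hold the next-level frame */

/* Read/write one 8-byte entry. An entry outside the image reads as 0 (not present),
   which is how a forensic walker should treat a dangling table pointer. */
static uint64_t read_entry(uint64_t table_pa, unsigned idx)
{
    uint64_t e = 0, off = table_pa + idx * 8ull;
    if (off + 8 <= sizeof phys) memcpy(&e, phys + off, 8);
    return e;
}
static int write_entry(uint64_t table_pa, unsigned idx, uint64_t e)
{
    uint64_t off = table_pa + idx * 8ull;
    if (off + 8 > sizeof phys) return -1;
    memcpy(phys + off, &e, 8);
    return 0;
}

/* Virtual-to-physical: PML4 -> PDPT -> PD -> PT, honouring 1 GiB and 2 MiB pages.
   Returns 0 and sets *pa on success; otherwise returns the level (4 = PML4 .. 1 = PT)
   whose entry was not present. */
int v2p(uint64_t cr3, uint64_t va, uint64_t *pa)
{
    uint64_t table = cr3 & ADDR_MASK;
    for (int level = 4; level >= 1; level--) {
        unsigned idx = (va >> (12 + 9 * (level - 1))) & 0x1FF;
        uint64_t e = read_entry(table, idx);
        if (!(e & PTE_P)) return level;
        if (level == 3 && (e & PTE_PS)) {                       /* 1 GiB page */
            *pa = (e & 0x000FFFFFC0000000ull) | (va & 0x3FFFFFFFull);
            return 0;
        }
        if (level == 2 && (e & PTE_PS)) {                       /* 2 MiB page */
            *pa = (e & 0x000FFFFFFFE00000ull) | (va & 0x1FFFFFull);
            return 0;
        }
        if (level == 1) {                                       /* 4 KiB page */
            *pa = (e & ADDR_MASK) | (va & 0xFFFull);
            return 0;
        }
        table = e & ADDR_MASK;
    }
    return -1; /* not reached */
}

/* Page-table tampering in its crudest form: clear (present = 0) or restore the P bit
   of the 4 KiB PTE for va, so a walker (or the CPU, once the TLB entry is gone) no
   longer sees the page. Returns 0 on success, -1 if va is not backed by a 4 KiB PTE. */
int set_present(uint64_t cr3, uint64_t va, int present)
{
    uint64_t table = cr3 & ADDR_MASK;
    for (int shift = 39; shift > 12; shift -= 9) {
        uint64_t e = read_entry(table, (va >> shift) & 0x1FF);
        if (!(e & PTE_P) || (e & PTE_PS)) return -1;
        table = e & ADDR_MASK;
    }
    unsigned idx = (va >> 12) & 0x1FF;
    uint64_t e = read_entry(table, idx);
    return write_entry(table, idx, present ? (e | PTE_P) : (e & ~PTE_P));
}

/* Build the constructed tables: frames 0-3 are PML4/PDPT/PD/PT, frame 4 is a 4 KiB data
   page mapped at va4k, and a 2 MiB page at va2m points at physical 0x200000 (outside the
   toy image; it is only translated, never read). va2m must share the PML4 and PDPT
   indices of va4k and differ in its PD index. Returns the CR3 value. */
uint64_t build_tables(uint64_t va4k, uint64_t va2m)
{
    memset(phys, 0, sizeof phys);
    write_entry(FRAME(0), (va4k >> 39) & 0x1FF, FRAME(1) | PTE_P | PTE_RW);
    write_entry(FRAME(1), (va4k >> 30) & 0x1FF, FRAME(2) | PTE_P | PTE_RW);
    write_entry(FRAME(2), (va4k >> 21) & 0x1FF, FRAME(3) | PTE_P | PTE_RW);
    write_entry(FRAME(3), (va4k >> 12) & 0x1FF, FRAME(4) | PTE_P | PTE_RW);
    write_entry(FRAME(2), (va2m >> 21) & 0x1FF, 0x200000ull | PTE_PS | PTE_P | PTE_RW);
    return FRAME(0);
}

int main(void)
{
    uint64_t va4k = 0x00007F0012345678ull, va2m = 0x00007F0000601234ull, pa = 0;
    uint64_t cr3 = build_tables(va4k, va2m);
    int r = v2p(cr3, va4k, &pa);
    printf("va %#llx -> rc %d pa %#llx\n", (unsigned long long)va4k, r, (unsigned long long)pa);
    set_present(cr3, va4k, 0);
    r = v2p(cr3, va4k, &pa);
    printf("after cloaking: rc %d (level that was not present)\n", r);
    return 0;
}
```

Physical-to-virtual is the inverse problem and has no index to follow: you enumerate every table reachable from a CR3 and collect the entries whose frame number matches. That is also why the present-bit flip above is a weak cloak against an offline analyst: the entry's address bits are left in place, so a walker that examines non-present entries still recovers the frame, and on live hardware the page stays reachable until its TLB entry is evicted.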
J. Lindsay, "Attacking the Windows Kernel", Black Hat 2007.
T. Ptacek, P. Ferrie, N. Lawson, "Don't tell Joanna, The Virtualized Rootkit is Dead", Black Hat 2007.
D. Litchfield, "Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server", Black Hat 2003. (Structured Exception Handler exploits)
D. Litchfield, "SEH Overwrites Simplified", Black Hat Forums, October 2007.