Security companies are increasing their focus on behavior based detection to convict malicious software but thanks to Microsoft's Kernel Patch Protection (a.k.a. PatchGuard) vendors must rely on user-mode hooks in order to capture behavior telemetry. User-mode hooking is dead. At BlackHat US 2016, the “Captain Hook” talk revealed there were multiple serious security issues in AV hooking -- we'll put the final nail in the coffin (and the second eyepatch on Captain Hook) by showing how trivial it is to bypass user-mode hooks. In this presentation, we will demonstrate and release a universal user-mode unhooking tool that can be included in any binary to blind security software from monitoring API calls and performing heuristic behavior analysis.
I assume that last sentence implies: ***preventing*** security software from performing behavior analysis.
I assume the talk will demo a few security products, showing pre/post use of the universal unhooking tool?
Does Crowdstrike / FireEye use user-land hooks?
We are pleased to announce that the Call For Papers for INFILTRATE 2018 is now open. If you would like to present and have an offense-focused, fresh-content presentation, please submit an abstract, bio and headshot to firstname.lastname@example.org. This information will be included on our Open CFP site, here, where the public can vote on which presentations they are most interested in seeing at INFILTRATE. The call for papers will close on December 14th, 2017. Shortly after this date, the winning speakers will be notified.
Some of the benefits of speaking at INFILTRATE are: