Windows Defender’s malware emulator presents an incredibly attractive attack surface - a remotely reachable, unsandboxed, SYSTEM-privileged, Turing Complete runtime, where a single exploit can provide initial RCE, privilege escalation, and antivirus bypass. As demonstrated by Tavis Ormandy (Project Zero issues 1260 and 1282), vulnerabilities in the emulator’s native code-implemented Windows API emulation routines can be used by malware to exploit the engine from within. Deep within Defender's ~45k function MpEngine.dll, these functions are challenging to attack. Defender runs within an undebuggable protected process; provides no output other than malware identification; and the emulator’s WinAPI functions are only reachable by PE files under active dynamic analysis - and are thereby not easily reachable with traditional fuzzers. By hooking and abusing MpEngine.dll functions, we can open up the emulator for easy fuzzing - I’ll present a framework I built for that purpose. We’ll discuss Defender emulator internals; the results of fuzzing research; engineering challenges associated with building the fuzzer and programmatically interacting with Defender; and emulator evasion tricks discovered along the way.
We are pleased to announce that the Call For Papers for INFILTRATE 2018 is now open. If you would like to present and have an offense-focused, fresh-content presentation, please submit an abstract, bio and headshot to email@example.com. This information will be included on our Open CFP site, here, where the public can vote on which presentations they are most interested in seeing at INFILTRATE. The Call for Papers will close on December 14th, 2017. Shortly after this date, the winning speakers will be notified.
Some of the benefits of speaking at INFILTRATE are: