Recent Posts
Archives

AI BEA CTO Cybersecurity DefCon32 Devoxx DevoxxBE2023 DevoxxBE2024 DevoxxFR DevoxxGR2025 DevoxxGreece2025 DevoxxPL2022 DevoxxPoland DevoxxUK2024 DevoxxUS2017 Docker Eclipse EJB GWT Hibernate IntelliJ IDEA Java Jetty JMS Jonathan Lalou JSF Kotlin Kubernetes Maven Maven 2 Microservices Mule Mule ESB Oracle OxidizeConf2024 Python recommendation RustLang Security Spring SQL Tomcat tutorial Weblogic Weblogic 10

Posts Tagged ‘BramwellBrizendine’

PostHeaderIcon [DefCon32] Process Injection Attacks with ROP

Author: Jonathan Lalou

Advanced return-oriented programming (ROP) opens new frontiers in process injection, and Bramwell Brizendine and Shiva Shashank Kusuma, from Verona Lab, present a robust methodology to master it. Their talk details chaining complex Windows APIs via ROP, overcoming challenges like string comparison in memory-constrained environments. By introducing a universal solution for identifying target processes, Bramwell and Shiva provide reusable patterns for reliable injection, demonstrated through a live exploit of Winamp.

ROP Challenges in Process Injection

Bramwell outlines the intricacies of ROP-based process injection, which requires chaining multiple WinAPIs with precise parameter handling. Unlike traditional injection, ROP lacks direct string comparison capabilities due to missing gadgets. Their novel solution constructs an enumeration function purely in ROP, enabling precise identification of target processes like Winamp by process ID (PID), a breakthrough for reliable injection.

Building Reusable API Patterns

Shiva details their creation of diverse patterns for WinAPIs, leveraging the PUSHAD instruction for flexibility. For APIs lacking PUSHAD patterns, they employ a “sniper” approach, meticulously crafting alternatives. Their demo walks through injecting shellcode into Winamp, using CreateToolhelp32Snapshot, EnumProcesses, and CreateRemoteThread, with memory permissions adjusted via NtMapViewOfSection. This structured approach ensures reproducibility across different targets.

Practical Demonstration and Tools

The live demo showcases their ROP-based injection, starting with a snapshot of running processes, enumerating to find Winamp’s PID, and injecting shellcode via remote thread creation. Their ROProcket tool, designed for ROP and jump-oriented programming, supports this methodology, offering templates for researchers to adapt. Bramwell emphasizes the goal of providing a scalable framework, not just a one-off exploit.

Implications for Security Research

By sharing their patterns and tools, Bramwell and Shiva empower researchers to explore ROP-based injection systematically. They highlight the need for defenses against such techniques, as early-stage injections can evade EDR systems. Their work invites further innovation in ROP methodologies, urging the community to build on their open-source contributions for enhanced security testing.

Links:

Posted in en-US | Tags: , , , , , , , | No Comments »
(c) 2008 Jonathan Lalou's Blog
All Rights Reserved.

Powered by WordPress and WordPress Theme | Host-euro.