Infosec In the City (IIC)

Gargoyle Hunting In-Depth — by Aliz Hammond

#IICSG2019 Conference Deep-Tech Track


Day 2 (20 Jun 2019)

1.30pm—2.15pm

@ Breakout Room 1




Abstract

Detecting certain user-mode code-hiding techniques, such as Josh Lospinoso's 'Gargoyle', is almost impossible from user-space. In this talk, I will examine Gargoyle, and explain how it can be detected from kernel mode. I will first walk through using WinDbg to locate hidden code and then write a Volatility plugin to turn this process into a practical method of detecting real-world attacks — in the process, adding a reliable method of differentiating these from legitimate behavior.

No prior kernel knowledge is needed, but those with a background in WinDbg, Windows internals, forensics, and/or Volatility will get the most from this talk.




IIC Productions (Pte. Ltd.) © 2017-2020.