top of page
  • Writer's pictureInfosec In the City (IIC)

Gargoyle Hunting In-Depth — by Aliz Hammond

#IICSG2019 Conference Deep-Tech Track

Day 2 (20 Jun 2019)


@ Breakout Room 1


Detecting certain user-mode code-hiding techniques, such as Josh Lospinoso's 'Gargoyle', is almost impossible from user-space. In this talk, I will examine Gargoyle, and explain how it can be detected from kernel mode. I will first walk through using WinDbg to locate hidden code and then write a Volatility plugin to turn this process into a practical method of detecting real-world attacks — in the process, adding a reliable method of differentiating these from legitimate behavior.

No prior kernel knowledge is needed, but those with a background in WinDbg, Windows internals, forensics, and/or Volatility will get the most from this talk.

40 views0 comments


Post: Blog2_Post
bottom of page