Buffered Code Execution presented at SyScan 2008

by Matthew (Shok) Conover

Tags: Security

Summary: This presentation will cover a new prototype developed in Symantec Research Labs to
run kernel-mode drivers from user-mode. The technology is primarily intended to
sandbox a rootkit driver and monitor its activities, so that the driver's behaviour
can be controlled. Rather than relying on emulation, the rootkit code is run directly
on the native hardware, but at ring 3. When the rootkit tries to use privileged
instructions or to read, write or execute kernel-mode memory, the resulting faults
are captured and proxied into the kernel, allowing the rootkit to function normally
while preventing it from escaping the sandbox. The presentation will discuss the
technology behind the prototype and demo the tool in action.
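To make the capture-and-proxy step concrete, here is an added example (not code from the Symantec prototype or the talk): a user-mode fault trap in C that lets a memory read run natively when ring 3 permits it and, when the read faults on a kernel-space address, catches the signal and answers from a stand-in proxy instead of letting the process die. It assumes a POSIX system with sigaction/sigsetjmp; the proxy function, the probe address and the sample word are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf trap_env;             /* where to unwind to after a fault */
static void *volatile last_fault_addr;  /* si_addr reported by the kernel  */
/* Fault handler: record where the sandboxed code faulted and unwind to the
 * dispatcher instead of letting the process die. */
static void fault_handler(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    last_fault_addr = si->si_addr;
    siglongjmp(trap_env, 1);
}
static int install_trap(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fault_handler;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    return sigaction(SIGSEGV, &sa, NULL) | sigaction(SIGBUS, &sa, NULL);
}
/* Stand-in for the "proxy into the kernel" step (constructed placeholder: the
 * prototype forwards the access to ring 0; this just derives a value offline). */
static uint32_t proxy_read32(uintptr_t addr) {
    return (uint32_t)(addr >> 12) ^ 0x5ca1ab1eu;
}
/* 32-bit read on behalf of sandboxed code: an allowed read runs natively on the
 * hardware; one that faults (e.g. a kernel-space address) is captured and proxied.
 * Returns 0 = ran natively, 1 = captured and proxied, -1 = trap setup failed. */
int sandboxed_read32(uintptr_t addr, uint32_t *out) {
    if (install_trap() != 0) return -1;
    if (sigsetjmp(trap_env, 1) == 0) {
        *out = *(volatile uint32_t *)addr;   /* may fault */
        return 0;
    }
    *out = proxy_read32(addr);               /* fault captured: proxy it */
    return 1;
}
uint32_t sample_word = 0x600dcafeu, scratch;   /* ordinary user-mode data */
/* Highest page of the address space: kernel territory on mainstream OSes. */
uintptr_t kernel_probe_addr(void) { return (uintptr_t)-4096; }
int main(void) {
    uint32_t v = 0;
    int r = sandboxed_read32(kernel_probe_addr(), &v);
    printf("kernel-space read: status %d, proxied 0x%08x, fault at %p\n",
           r, v, last_fault_addr);
    return 0;
}
```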