Blackout: What Really Happened... presented at BlackHatDC 2007

by Jamie Butler, Kris Kendall,


Summary : Malicious software authors use code injection techniques to avoid detection, bypass host-level security controls, thwart the efforts of human analysts, and make traditional memory forensics ineffective. Often a forensic examiner or incident response analyst may not know the weaknesses of the tools they are using or the advantage the attacker has over those tools by hiding in certain locations.
This session provides a detailed exploration of code injection attacks and novel countermeasures, including:
The technical details of code injection starting with basic user land techniques and continuing through to the most advanced kernel injection techniques faced today.
Case study of captured malware that reveals how these techniques are used in real world situations.
Discussion of current memory forensic strengths and weaknesses.
New memory forensic analysis techniques for determining if a potential victim machine has been infected via code injection.
Post acquisition analysis.