
SESSION

09/20 14:45 - 15:15 Threat Research Forum

Modern Malware Evasion Strategies: Bypass Real-Time Protection in Temporal Pincer Methods

Real-Time Protection is an essential component of every modern anti-virus and endpoint protection product: it scans binaries as they are executed, and detects and blocks malware immediately. To implement this protection, security vendors use the APIs Microsoft provides to place their hooks at the Ring0 kernel level. But is the game of cat and mouse really over? ;)

In this session, we will reverse engineer the Windows OS to understand process creation, userland IRP handling, and kernel driver design, and through that learn the strategies modern attackers use to escape virus scanning. At the end of the session, we will use several PoCs, based on examples seen in the wild, to demonstrate how attackers can abuse gaps in the scanning timeline to launch a temporal pincer move that avoids anti-virus scanning. We will also provide suggestions on mitigation measures and on selecting security products for users.

LOCATION Taipei Nangang Exhibition Center, Hall 2 7F 703
LANGUAGE English
SESSION TOPIC Malware Protection, APT, Exploit of Vulnerability

SPEAKER

Sheng-Hao Ma
TXOne Networks Threat Researcher

Sheng-Hao Ma (@aaaddress1) is currently working as a threat researcher at TXOne Networks and has specialized in Windows reverse engineering and analysis for over 10 years. He is also a member of CHROOT, an information security community in Taiwan. He has served as a speaker and instructor for various international conferences and organizations, including DEFCON, HITB, Black Hat USA, VXCON, HITCON, ROOTCON, the Ministry of National Defense, and the Ministry of Education. He is also the author of the popular security book "Windows APT Warfare: The Definitive Guide for Malware Researchers".