The use cases for hooking code execution are abundant and this topic is very expansive. EhTracing (pronounced Tracing) is technique that allows monitoring/altering of code execution at a high rate with several distinct advantages.
Full context (registers, stack & system state) hooking can be logged without needing to know a function prototype and changes to execution flow can be made as desired.
Traditional detours like hooking requires a length disassembly engine than direct binary .text segment modifications to insert an intended hook (no changes to binary needed with EhTrace).
Block/Branch stepping enables a simplification of analysis code (does not need to do a full procedure/function graph recognition/traversal). This will feature focus on the use of VEH and the DR7 backdoor in x64 Windows.In a nutshell, EhTrace enables very good performance, in proc debugging and a dead simple RoP hook primitive. Some neat graphics and visualizations will be made some of the early examples up at https://github.com/K2/EhTrace
This novel implementation for hookers establishes a model for small purpose built block-fighting primitives to be used in order to analyze & do battle, code vs. code.
As a special bonus “round 3 FIGHT!” we will see a hypervisor DoS that will cause a total lockup for most hypervisors (100%+ utilization per CORE). This goes to show that emulating or even adapting a hypervisor to a full CPU feature set is exceedingly hard and it’s unlikely that a sandbox/hypervisor/emulator will be a comprehensive solution to evade detection from adversarial code for some time.
Let’s have some fun block fighting with some loose boxed hookers!
K2 likes to poke around at security cyber stuff, writing tools and exploits to get an understanding of what’s easy, hard and fun/profit! He’s written and contributed to books, papers and spent time at security conferences over the years.
K2 currently works with IOActive and enjoys a diverse and challenging role analyzing some of the most complex software systems around.