Archive for October, 2012

Hoarder, HIPS bypasses, and Ambush

I gave an updated Ambush Presentation at Derbycon today… On the attack side, I demonstrated Hoarder, which is a proof of concept to bypass standard hook-based host intrusion prevention systems by avoiding making any calls to OS DLLs at all, and only making raw syscalls to the kernel. It works in two steps. First, the getdlls program opens the target executable and recursively reads it and all of its required DLLs into C language byte arrays.

No Comments