Nitay Artenstein

Security Researcher, Check Point (Israel)

Paper Title

NDIS Disassembly for Hackers: Reversing Network Drivers at the Lowest Layer

Abstract

There is a Pandora's box hiding at the bottom of Windows' networking stack. And we're about to open it.

As the lowest layer in Windows' networking architecture, NDIS is one of the system's main attack surfaces: This is where you would look for remote code execution vulnerabilities, and where you would implement key rootkit functionality. This is also where you would put in the protective measures to defend against such attacks.

But the NDIS interface is also a bewildering labyrinth of complexity, obscure API calls and low-level details. To make things worse, there is almost no publicly available security research on this part of the system. This has effectively blocked off NDIS as a target for many reverse engineers. Until now.

In the first part of this workshop, we will set the record straight about NDIS: We'll present the key facts that you need to know about this architecture, and bring you up to speed on the best ways to quickly start reversing NDIS drivers. We will demonstrate how to use our tool, an IDA plugin called NDIScovery, to do most of the heavy lifting for you as you start to analyse an NDIS component.

In the second part, we'll dig into the juicy stuff: We'll discover how AV vendors use NDIS to implement backdoor-like functionality on a system, track malware as it hooks critical NDIS functions in an attempt to compromise the system, and test our own NDIS fuzzing toolkit in order to find vulnerabilities in NICs.

Speaker Bio

Nitay Artenstein is a Security Researcher in the fields of reverse engineering, malware analysis, and vulnerability research. He morphed into a hardcore security geek at the age of six, when he learned how to use a hex editor to cheat his way around his favorite adventure games (his friends never could figure out how he managed to complete King's Quest in half an hour). After a sojourn in the world of media and journalism, he turned his passion into a career, beginning in 2007 as a pentester in the wild savannas of Africa. These days he works for Check Point, and his idea of a good time generally involves messing with bleeding-edge Android malware, reverse engineering Windows device drivers, and discovering bugs in Windows kernel-mode code. He has previously presented his research on Android vulnerabilities at Black Hat.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved