Satoshi Tanda & Timo Kreuzer

Software Engineer at Crowdstrike, Inc.

Talk Title

Hypervisors in Your Toolbox: Monitoring and Controlling System Events with HyperPlatform

Abstract

Virtualization software has been extensively used for security research, and countless of analysis systems based on virtualization technology (VT) have been invented for more than a decade. Regardless, there is no suitable hypervisor as a platform to develop such VT-based analysis systems on Windows. Lightweight hypervisors for Windows often lack support for modern platforms, and comprehensive, consumer-oriented hypervisors and emulators are either overly intricate to quickly take advantage of VT or excessively slow for day-to-day usage.

This talk presents HyperPlatform, a thin hypervisor for Windows. Using Intel VT-x and extended page tables, this platform provides researchers ability to flexibly handle a new class of system events and rapidly implement hypervisor-based tools with high compatibility and efficiency. In this talk, we will also discuss challenges and considerations in productionizing hypervisors for the consumer/enterprise market based on our experience.

Speaker Bio

Satoshi Tanda has seven years of experience in reverse engineering threats and Windows internals, and devotes himself to writing tools for security research. He spoke about his reverse engineering tools at BlueHat v16, REcon 2016 and 2011. He works at CrowdStrike as a Software Engineer. Before CrowdStrike, he worked for Sophos as a Threat Researcher focusing on behavior-based malware detection on Windows.

Timo Kreuzer has been a contributor to the ReactOS project since 2007, with major areas of work being gdi, win32k, font driver, kernel, memory manager, hal, x64 port, and build system. He worked for PathScale on the win32 port of their compiler and currently works for CrowdStrike as a Software Engineer.

Copyright © 2023 | Nullcon India | International Security Conference | All Rights Reserved