DTRACE - SYSCALL HOOKS - what's the fuzz about? Some people tell me they get confused when they read my ramblings about dtrace. That is understandable; I will try to explain so it's understandable for more people:
When you are in ring 0 you can overwrite the address of the handler; this has been abused a lot by malware.
So MS created PatchGuard, a system that periodically verifies the addresses have not been changed from their original content at boot. If tampering is detected, it will halt the system with a BSOD.
When doing security research, being able to see syscalls with arguments is a great help and can speed up the reverse engineering process a lot. One thing I would like to see is IOCTL codes, used for many file operations and in general for communicating with devices.
That is possible with dtrace; it's special because it enables you to make syscall hooks. The alternative is to write and test-sign a driver, and that means any tiny error gives you a BSOD. That is why I decided to make it work with dtrace, whatever it takes.
Here we see explorer use undocumented functionality, revealed with syscall hooks. pic.twitter.com/yu3j9m4JTa
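Added example (not the thread author's script): a DTrace for Windows program that does the thing the thread is after, hooking the NtDeviceIoControlFile syscall and printing each IOCTL code with its CTL_CODE fields decoded, plus the NTSTATUS on return and a histogram at exit. It assumes the Windows build of DTrace with the `syscall` provider available; the process name `explorer.exe` in the predicate is an assumption and should be replaced with whatever you are looking at. The argument positions follow the documented NtDeviceIoControlFile prototype, and the field layout follows the CTL_CODE macro.

```d
#pragma D option quiet

/*
 * Added example, not code from the original thread.
 * Assumes DTrace for Windows with the syscall provider enabled.
 * "explorer.exe" is an assumed process name; change it as needed.
 *
 * NtDeviceIoControlFile argument order (documented NT prototype):
 *   arg0 FileHandle, arg1 Event, arg2 ApcRoutine, arg3 ApcContext,
 *   arg4 IoStatusBlock, arg5 IoControlCode, arg6 InputBuffer,
 *   arg7 InputBufferLength, arg8 OutputBuffer, arg9 OutputBufferLength
 *
 * CTL_CODE layout: DeviceType<<16 | Access<<14 | Function<<2 | Method
 */
syscall::NtDeviceIoControlFile:entry
/execname == "explorer.exe"/
{
    /* Remember the code on this thread so the :return probe can pair it. */
    self->code = (uint32_t)arg5;

    printf("%-16s pid=%-6d handle=0x%x ioctl=0x%08x devtype=0x%04x func=0x%03x method=%d access=%d inlen=%d outlen=%d\n",
        execname, pid, arg0, self->code,
        (self->code >> 16) & 0xffff,   /* DeviceType */
        (self->code >> 2)  & 0xfff,    /* Function   */
        self->code & 0x3,              /* Method: 0 BUFFERED, 1 IN_DIRECT, 2 OUT_DIRECT, 3 NEITHER */
        (self->code >> 14) & 0x3,      /* RequiredAccess */
        arg7, arg9);

    /* Aggregate by code so the END probe can summarise what was used. */
    @ioctls[self->code] = count();
}

syscall::NtDeviceIoControlFile:return
/self->code/
{
    /* On return probes arg0 is the syscall's return value, here an NTSTATUS. */
    printf("  -> NTSTATUS 0x%08x\n", (uint32_t)arg0);
    self->code = 0;
}

END
{
    printf("\nIOCTL code histogram:\n");
    printa("  0x%08x %@d\n", @ioctls);
}
```

Save it as `ioctl.d` and run `dtrace -s ioctl.d` from an elevated prompt; Ctrl-C fires the END probe and prints the histogram. The decoded DeviceType and Function fields are what you compare against the FILE_DEVICE_* constants and the driver's own function numbers when working out which undocumented IOCTL a process is issuing, which is exactly the kind of thing a test-signed hooking driver would otherwise be needed for.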