23C3 - 1.5

23rd Chaos Communication Congress
Who can you trust?

Speakers
Alan Bradley
Schedule
Day 3
Room Saal 4
Start time 21:45
Duration 01:00
Info
ID 1688
Event type Lecture
Track Hacking
Language English
Feedback

Rootkits as Reversing Tools

An Anonymous Talk

This talk will cover two rootkits used as reverse engineering tools, one rootkit support library, one IDA plugin, and talk setup material. The talk itself will be given over VOIP and VNC running over the Tor network to demonstrate a proof of concept on anonymous public speech.

This talk will present Tron, an extension of the Shadow Walker memory cloaker technique. Tron is a kernel driver who can cloak userland memory, and provides an API that allows the user to cloak arbitrary process memory, set permissions, signal changes of trust, conceal DLLs, and read/write hidden memory. An accompanying IDA plugin that uses this API to conceal software breakpoints will be discussed, and Another Debugger Hiding Driver, or ADHD will be presented as well.

While these tools have many legitimate uses from malware analysis to legal reverse engineering and program modding, it is possible that Tron in particular can be used as a component of a "copyright circumvention device", which renders it prohibited by the USA DMCA. For this reason, but more so out of a desire to demonstrate a "proof of concept" for how to anonymously speak publicly, the speaker will be giving the talk over VOIP and VNC relayed through the Tor network. In addition to taking questions over VOIP, the speaker will also be briefly available on IRC afterwords for questions + discussion about Tron, reverse engineering, and the speech setup.