Memory scanning is a defensive necessity on Windows systems. Microsoft has not provided executable memory manager kernel callbacks and user-mode hooks are fragile, so defenders have deployed periodic memory scanning to compensate. Attackers have responded by obfuscating their code during periods of inactivity to avoid these scanners. Gargoyle was the first public example, but many toolkits have implemented variations since.
In this talk, we describe three approaches to uncovering such hidden shellcode.....
By: John Uhlmann
Full Abstract and Presentation Materials:
www.blackhat.com/asia-23/brie...