Author Archives: AdminDCS


Boundhook, Exception Based Kernel-Controlled Usermode Hooking

Category : Cyber-Ark



In this article, we’ll present a new hooking technique that we have found during our research work.

Hooking techniques give you control over the way an operating system or a piece of software behaves. Software that uses hooks includes application security solutions, system utilities, programming tools (e.g. interception, debugging, extending software), malicious software (e.g. rootkits) and many others.

Please note that this is neither an elevation nor an exploitation technique. It can be used in a post-exploitation scenario in which the attacker already has control over the asset. Since malicious kernel code (rootkits) often seeks to establish persistence in unfriendly territory, stealth technology plays a fundamental role.

Technical Description

The idea behind this BoundHook technique is to cause an exception in a very specific location in a user-mode context and catch the exception to gain control over the thread execution.

To do this, we can use the BOUND instruction, which is part of Intel MPX (Memory Protection Extensions). This instruction is designed, together with compiler, runtime library and OS support, to increase software security by checking pointer references whose normal compile-time intentions are maliciously exploited at runtime through memory corruption vulnerabilities.

In a nutshell, the BOUND instruction checks an array index against bounds and raises software interrupt 5 if the test fails (32-bit: nt!KiTrap05, 64-bit: nt!KiBoundFault).

Why not just do a comparison, you ask? Because Intel designed this new instruction to generate a fault that will enable the OS to examine the bound check failure.

The instruction’s syntax is as follows:

BOUND r16, m16&16 – Checks if r16 (array index) is within bounds specified by m16&16

BOUND r32, m32&32 – Checks if r32 (array index) is within bounds specified by m32&32

When a bound fault occurs, the trap handler calls nt!KiHandleBound and then executes registered bounds-exception callback routines.

A kernel-mode driver or a shellcode payload running in kernel-mode can register a callback routine for bound faults using nt!KeRegisterBoundCallback. This function is not “exported” by the WDK headers, and a pointer to the function has to be obtained dynamically.

The callback routine has no parameters and should return a BOUND_CALLBACK_STATUS, which is basically:

After completion of the bound fault registration, the kernel-mode code should get a pointer to the user-mode DLL (or any other PE) base address and calculate the address of the function that it’s about to hook.

Obtaining a function address is a simple task and can be accomplished in various ways, for example by parsing the PE header. Please note, parsing an image that is loaded into a specific process should be done in the process’s context or using the appropriate APIs.

Once our code is done calculating the function address, it would be nice to simply start writing to that address. However, because the target function resides in read/execute-only memory, we are unable to do this.

Windows memory protection relies on the following factors:

  • The R/W flag in PDEs and PTEs (read only = 0, read/write = 1).
  • The U/S flag in PDEs and PTEs (supervisor mode = 0, user mode = 1).
  • The WP flag in the CR0 register (the 17th bit, i.e. bit 16 counting from zero).

Now, we have a few options. We can either write to that address in a way that would trigger the COW (copy-on-write) protection or, to achieve maximum stealth, we can write directly to the function address in one of two ways. We can either manipulate the CR0 register using __readcr0() and __writecr0(), or we can allocate our own memory descriptor list (MDL) to describe the memory pages and adjust permissions on the MDL using a bitwise OR and the MDL_MAPPED_TO_SYSTEM_VA. The MDL approach will be much more “stealthy”, since it’s completely invisible by design to the current PatchGuard implementation.

First, here’s how we can use the CR0 approach. The CR0 register description, taken from the Intel 64 and IA-32 Architectures Software Developer’s Manual reads:

WP Write Protect (bit 16 of CR0) — When set, inhibits supervisor-level procedures from writing into read-only pages; when clear, allows supervisor-level procedures to write into read-only pages (regardless of the U/S bit setting; see Section 4.1.3 and Section 4.6).

Here is an example of cr0 register manipulation:

Writing directly to the DLL’s COW page will allow us to hook every process on the system that is using this DLL, since the write affects the COW-origin page shared by all of them.

Triggering a bound fault is easy. For example, this code will trigger a fault:

Thus, our kernel-mode code that performs the hooking should write similar assembly code at the location where it wants to take control over the execution of the thread.

For example, if we want to hook KERNELBASE!CreateFileW, we can inject these opcodes to the function’s prologue:

UCHAR opcodes[5] = {0x36, 0x66, 0x62, 0x0C, 0x24}; // BOUND CX, DWORD PTR SS:[ESP]

This encodes BOUND CX, DWORD PTR SS:[ESP]. In this specific case, we assume that CX will be zero (when used in real code this should be tested for every function) and that the value at the top of the stack will be greater than zero (as this is a proof of concept and not a released tool), so the bound check fails and the fault fires.

Now, after writing this to the KERNELBASE!CreateFileW prologue, whenever a user-mode thread calls this function our kernel-mode callback will take control of the thread.

This gives us several advantages, for example:

  • The hooked page will still be COW, thus anti-malware solutions and researchers doing manual analysis won’t be able to notice that the page has been modified.
  • Most AVs are unaware of this method and probably aren’t addressing it (especially since the page is still COW).
  • A user-mode debugger will not be able to catch this hook. A regular inline hook makes the hooked routine jump to other user-mode code, whereas BoundHook traps the execution flow in the kernel’s bound-fault handler.
  • This method is invisible to most PatchGuard (PG) protection mechanisms. The MDL approach to bypass the COW mechanism is not detectable by PG today by design. As for the CR0 modification approach, although the CR0 is protected by PG, since it is modified for a very short period of time, the chance of being caught by PG is minimal.
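The opcode sequence above is exactly what a defender can look for. As an added example (not code from the original article), the following Python decoder recognises a 32-bit BOUND instruction at a function prologue, decoding its legacy prefixes and ModRM/SIB bytes, and compares a prologue read from a live process with the bytes of the on-disk image. The sample prologues are constructed; the "clean" one is the common mov edi,edi / push ebp / mov ebp,esp sequence.

```python
"""Detect a BOUND-instruction prologue patch (the BoundHook pattern) in 32-bit code."""
from dataclasses import dataclass
from typing import Optional

# Legacy prefixes that may precede the BOUND opcode (0x62 in 32-bit mode).
SEGMENT_PREFIXES = {0x26: "ES", 0x2E: "CS", 0x36: "SS", 0x3E: "DS", 0x64: "FS", 0x65: "GS"}
OPSIZE_PREFIX = 0x66    # selects the r16, m16&16 form
ADDRSIZE_PREFIX = 0x67  # 16-bit addressing; not handled here
BOUND_OPCODE = 0x62

REGS16 = ["AX", "CX", "DX", "BX", "SP", "BP", "SI", "DI"]
REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]


@dataclass
class BoundHit:
    offset: int   # where the instruction (including prefixes) starts
    length: int   # encoded length in bytes
    text: str     # disassembly-style rendering


def decode_bound(code: bytes, offset: int = 0) -> Optional[BoundHit]:
    """Return a BoundHit if a BOUND instruction starts at `offset`, else None."""
    i, segment, opsize16 = offset, "", False
    while i < len(code) and i - offset < 4:       # consume legacy prefixes
        b = code[i]
        if b in SEGMENT_PREFIXES:
            segment = SEGMENT_PREFIXES[b] + ":"
        elif b == OPSIZE_PREFIX:
            opsize16 = True
        elif b == ADDRSIZE_PREFIX:
            return None
        else:
            break
        i += 1
    if i >= len(code) or code[i] != BOUND_OPCODE:
        return None
    i += 1
    if i >= len(code):
        return None
    modrm = code[i]
    i += 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:                                   # register form is #UD, not BOUND
        return None
    if rm == 4:                                    # SIB byte follows
        if i >= len(code):
            return None
        sib = code[i]
        i += 1
        scale, index, base = sib >> 6, (sib >> 3) & 7, sib & 7
        if base == 5 and mod == 0:                 # disp32 base form, not handled
            return None
        mem = REGS32[base] + (f"+{REGS32[index]}*{1 << scale}" if index != 4 else "")
    elif rm == 5 and mod == 0:                     # absolute disp32, not handled
        return None
    else:
        mem = REGS32[rm]
    if mod in (1, 2):                              # disp8 / disp32
        width = 1 if mod == 1 else 4
        if i + width > len(code):
            return None
        disp = int.from_bytes(code[i:i + width], "little", signed=True)
        i += width
        mem += f"{disp:+#x}"
    regname = REGS16[reg] if opsize16 else REGS32[reg]
    size = "DWORD PTR" if opsize16 else "QWORD PTR"  # m16&16 vs m32&32
    return BoundHit(offset, i - offset, f"BOUND {regname}, {size} {segment}[{mem}]")


def prologue_report(observed: bytes, on_disk: bytes) -> dict:
    """Compare a live prologue with the on-disk bytes and flag a BOUND patch."""
    hit = decode_bound(observed)
    return {
        "modified": observed[:len(on_disk)] != on_disk,
        "bound_hook": hit is not None,
        "decoded": hit.text if hit else None,
    }


# Constructed samples: a typical hot-patchable prologue and the same function
# with the article's five bytes written over its first instructions.
CLEAN_PROLOGUE = bytes([0x8B, 0xFF, 0x55, 0x8B, 0xEC])            # mov edi,edi; push ebp; mov ebp,esp
HOOKED_PROLOGUE = bytes([0x36, 0x66, 0x62, 0x0C, 0x24]) + CLEAN_PROLOGUE[5:]

if __name__ == "__main__":
    print(prologue_report(HOOKED_PROLOGUE, CLEAN_PROLOGUE))
    print(prologue_report(CLEAN_PROLOGUE, CLEAN_PROLOGUE))
```

In practice the "observed" bytes come from reading the target process's image mapping and the "on-disk" bytes from the same DLL on disk, so a plain byte mismatch catches any prologue patch while the decoder names the BoundHook variant specifically.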

Proof-of-concept, a call stack of a hooked thread:

We know that BoundHook does not meet Microsoft’s bar to be considered a vulnerability, as machine administrator rights are already compromised. Microsoft’s response on receiving responsible notification of a similar issue from CyberArk (GhostHook) was as follows:

“We have completed our investigation of this issue and have found that it is not a vulnerability but a technique to avoid detection once the machine is already compromised. Because it’s a post-exploitation technique it doesn’t meet the bar for servicing in a security update but we will consider fixing it in a future version of Windows.”

In conclusion, this method will bring new capabilities to both software security vendors and malware writers.


Where does a WAF fit in the data path?

Category : F5

Web application firewalls (WAFs) are an integral component of application protection. In addition to being a requirement for complying with PCI-DSS, WAFs are excellent at protecting against the OWASP Top 10. They’re also a go-to solution for addressing zero-day vulnerabilities either through rapid release of signature updates or, in some cases, the use of programmatic functions to virtually patch applications while a long term solution is being deployed.

The question is, where do you put such protection?

There are options, of course. The data path contains multiple insertion points at which a WAF can be deployed. But that doesn’t mean every insertion point is a good idea. Some are less efficient than others, some introduce unacceptable points of failure, and others introduce architectural debt that incurs heavy interest penalties over time.

Ideally, you’ll deploy a WAF behind your load balancing tier. This optimizes for utilization, performance, and reliability while providing the protection necessary for all apps – but particularly for those exposed on the Internet.

Recommended Placement: WAF behind Load Balancing Tier

The resource requirements (CPU and the like) involved in making a load balancing decision are minimal. This is why an LB can support millions of users simultaneously, whereas a WAF consumes far more resources, because it inspects the entire payload and evaluates it against signatures and policies to determine whether each request is valid and safe.

Modern data center models borrow heavily from cloud and its usage based cost structure. Utilization becomes a key factor in operational costs. Higher utilization leads to additional resource requirements, which consumes budgets. Optimizing for utilization is therefore a sound strategy for constraining costs in both the data center and in public cloud environments.


It is common practice to scale WAFs horizontally. That is, you use the LB to scale WAFs. This architectural decision is directly related to utilization. While many WAFs scale well, they can still be overwhelmed by flash traffic or attacks. If the WAF is positioned in front of the LB, you either need another LB tier to separately scale it or you risk impacting performance and availability.

Alternative Placement: WAF in front of One Load Balancing Tier…and behind Another

Performance is a key concern in an application economy. With so many variables and systems interacting with data as it traverses the data path, it can be frustrating to nail down exactly where performance is being bogged down, let alone to tune each component without impacting the others. As has been noted many times before, as load on a system increases, performance decreases. This is one of the unintended consequences of not optimizing for utilization, and a key reason why seasoned network architects use a 60% utilization threshold on network devices.

Deploying a WAF behind the LB tier eliminates the need for an upstream WAF-dedicated load balancing tier, which removes an entire network layer from the equation. While the processing time saved may not seem like much, the microseconds spent managing connections and scaling WAF services, and then doing it again to choose a target app instance/server, add up. Eliminating this tier by deploying the WAF behind the LB tier gives back precious microseconds that today’s users will not only notice, but appreciate.


Visibility is a key requirement for security solutions in the data path. Without the ability to inspect the entire flow – including the payload – much of the security functions of a WAF are rendered moot. After all, most malicious code is found in the payload, not in protocol headers. Positioning a WAF behind the LB tier enables decryption of SSL/TLS before traffic is passed on to the WAF for inspection. This is a more desirable architecture because it is likely the load balancer will need visibility into secured traffic anyway, to determine how to properly route requests.

Recommended Configuration: Decryption and Inspection for added Security

All that said, a WAF fits in the data path pretty much anywhere you want it to. It’s an L7 proxy-based security service deployed as an intermediary in the network path. It could ostensibly sit at the edge of the network, if you wanted it to. But if you want to optimize your architecture for performance, reliability, and utilization at the same time, then your best bet is to position that WAF behind the load balancing tier, closer to the application it is protecting.

With the right tools, comprehensive WAF coverage can significantly reduce your exposures, as well as your operating costs. Learn more about protecting your apps from the OWASP Top 10 and other threats by registering for F5’s upcoming webinar, Thursday, October 26 at 10 a.m. PT.


Breach Resilience

Category : FireEye

Join Jeff Berg, Sr. Manager of Cyber Threat Intelligence, and Brad Bell, Mandiant Principal Consultant, as they share the role of cyber threat intelligence in strategic security consulting services and why services based on compliance-based best practices and industry standards may not be an effective way to protect your organization against a rapidly evolving threat landscape.

Key takeaways:

  • The role cyber threat intelligence plays in strategic security consulting services
  • Why services rooted in compliance-based best practices and industry standards aren’t effective
  • Case studies where different types of intelligence added value to a service portfolio


A Predictive “PreCrime” Approach Requires a Human Focus

Category : Forcepoint

In Philip K. Dick’s 1956 “The Minority Report,” murder ceased to occur due to the work of the “PreCrime Division,” that anticipated and prevented killings before they happened. Today, we are only beginning to see the impact of predictive analytics upon cybersecurity – especially for insider threat detection and prevention. Based on user interaction with data, CISOs and their teams emerge as the IT equivalent of a PreCrime Division, empowered to intervene before a violation is ever committed.

In this webcast, we examine the technologies which make predictive analytics valuable, along with ethically minded guidance to strike the balance between vigilance and privacy.


Five Reasons Your Digital Experience Management Strategy Could Fail

Category : Riverbed

You can be sure your CEO has digital experience on his or her radar. According to Gartner’s 2017 CEO Survey, CEOs are more focused this year on how technology and product innovation drive company growth. In the last few years of Gartner’s CEO survey, technology has never ranked so high on the list of CEO priorities. So the pressure is on IT to deliver excellent digital experiences. But this is easier said than done. Here are five reasons why your digital experience management strategy could fail.

1. Application complexity

Although Gartner’s survey shows that CEOs are relying on technology to drive growth, it also shows that they rank technology impediments as the #2 internal constraint to growth. How can technology be both a driver of growth and an impediment to it? Application complexity is one major reason. Application performance management is more challenging than ever before.

  • Applications must scale based on demand and remain highly responsive 24/7 across geographies. Innovative applications interact with legacy applications, so IT must support the full portfolio—web, mobile, apps running in the cloud, on virtual infrastructure, and legacy client-server environments.
  • End users and customers no longer interact with static applications at discrete times. They interact continuously with applications whose architectures have evolved to become modular, distributed, and dynamic.

2. The expanding population of end users

End User Experience Management is also more complex. Customers aren’t the only ones whose digital experience matters. The Gartner definition of Digital Experience Monitoring also includes employees, partners, and suppliers. If that weren’t enough of a challenge, the advent of IoT requires IT to ensure an excellent digital experience for machines as well!

3. Different teams have different goals

According to a recent EMA Digital Experience Management report, 59% of enterprise leaders agree that IT and the business share the responsibility for Digital Experience Management. Although they share responsibility for ensuring excellent digital experience, groups within IT and the business have specific needs which vary greatly, depending on their roles.

  • Business executives must ensure they meet goals for revenue, customer satisfaction, and workforce productivity.
  • IT executives need to staff their teams efficiently to architect and support digital business initiatives, ensure technology investments are made appropriately, and hold IT vendors accountable to SLAs that meet customer objectives.
  • IT and Network Operations teams must ensure the network and infrastructure can support new services, identify and resolve issues quickly, and understand the impact of problems on digital experience.
  • DevOps teams must release new apps and digital services quickly, identify and resolve issues in test and QA, and ensure applications perform well in real-world environments.
  • Cloud architects need to plan, design, and implement the infrastructure to support new services, and scale up and down as demand changes.
  • End User Services teams require visibility into the digital experience of customers, employees, partners, and suppliers to identify and triage issues before users call to complain.

4. A variety of analytics are required to measure success

“You can’t manage what you can’t measure.” Management expert Peter Drucker’s famous saying applies equally well to tracking the success of a Digital Experience Management initiative. With varying responsibilities, each group in IT and the business requires different metrics and analytics to indicate their progress in achieving their Digital Experience Management goals.

Digital Experience Monitoring tools must therefore supply a broad set of business and technical analytics, such as application performance, network performance, infrastructure capacity analysis, and end user productivity across the extended enterprise.

5. The IT monitoring visibility gap

As IT organizations respond to CEO priorities and roll out new services to drive growth, they need a cross-domain understanding of applications, the networks and infrastructure on which they run, and the impact they have on end user experience.

But the typical enterprise has from 4 to 15 different network monitoring tools, which complicates troubleshooting, change management, and other aspects of service level management. While these tools provide insight into the performance and availability of their particular domain, they lack visibility into the actual digital experience of customers, the workforce, partners and suppliers.

Addressing Digital Experience Management challenges

An effective Digital Experience Management approach closes this visibility gap and enables you to measure the end user experience of the entire population of end users. Each group within IT and the business gets the metrics and analytics they need to ensure a successful digital experience outcome.

When it comes to meeting or exceeding your CEO’s expectations for driving growth, the key is to ensure you have an effective Digital Experience Management strategy. Failing to do so could mean lost revenue, lost productivity, and even irreparable damage to a company brand. In the next few weeks, we’ll extend this Digital Experience Management series to show you how Riverbed SteelCentral can help.


Author: Mike Marks


KRACK Attack, How Secure is Your Wi-fi Connection?

Category : Check Point

A cybersecurity researcher of KU Leuven in Belgium, Mathy Vanhoef, has revealed a flaw in Wi-Fi’s WPA2’s cryptographic protocols. The discovery is alarming as the WPA2 protocol, the most common and secure Wi-Fi access protocol since 2004, is trusted by all for keeping Wi-Fi connections safe.

The attack, known as a ‘KRACK Attack’ (Key Reinstallation Attack), works by allowing the attacker to decrypt a user’s data without needing to crack or know the actual Wi-Fi network’s password. The attacker does this by decrypting the secure Wi-Fi connection and turning it into an unencrypted, and hence insecure, hotspot. For this reason, merely changing the Wi-Fi network password will not prevent or mitigate such an attack. However, a limitation of KRACK attacks is that they can only be carried out by an attacker who is within physical proximity of the targeted Wi-Fi network.

It should be noted, though, that the WPA protocol encrypts only the physical medium between a user’s device and the Wi-Fi access point it is joined to. Furthermore, all secured apps and websites now use some sort of end-to-end encryption protocol such as HTTPS, which is designed to work over unsecured channels (such as unencrypted Wi-Fi connections). As a result, the only way to access this secure traffic is by performing an additional SSL Man-In-The-Middle (SSL MITM) attack.

Fortunately, SSL MITM attacks are already detected and blocked by Check Point’s SandBlast Mobile on both iOS and Android devices, which immediately alerts the user and blocks access to all corporate assets. SandBlast Mobile also helps to verify that mobile devices on your network are in compliance with the latest OS versions and security patches. You may request a demo of SandBlast Mobile here.

In addition, Check Point’s Capsule Cloud provides a worldwide service that secures remote PCs and laptops in any location against SSL MITM attacks, allowing users to connect to the internet securely in any Wi-Fi environment. Depending on an organization’s requirements, the same level of security can also be acquired through Check Point’s VPN.

In response to these recent WPA2 vulnerabilities, as illustrated by Vanhoef’s KRACK attack, we advise all mobile users to ensure they have installed a mobile security solution such as SandBlast Mobile and accept any software updates that their mobile provider issues.

Check Point Wireless products are not vulnerable:


Joining Forces for Cybersecurity Openness – Cisco pxGrid and McAfee OpenDXL

Category : Cisco

Interoperation of two leading security integration frameworks delivers unprecedented breadth in multi-vendor collaboration.  Simplifies security vendor integration for customers.

There is strength in numbers.  Here the strength is in the number 2, because it equals almost 100.  Funny math you say?  Well let me explain.

Here the “2” is Cisco and McAfee, two leaders in cybersecurity.  Our respective leadership areas in the industry are attributable in no small part to our openness to integration with 3rd party security platforms.  We have each forged a broad path for cross-vendor integration via our respective security fabrics, Cisco pxGrid and McAfee OpenDXL.  As cybersecurity industry analyst Eric Parizo of IT analyst firm GlobalData (formerly Current Analysis) put it in his report on Security Product Integration Frameworks, “Security product integration frameworks (SPIF) have the potential to change the game.”  He has also intimated throughout his research that cybersecurity practitioners would be best served if Cisco and McAfee would just work together on this stuff.  This is where the “100” comes in.

Cisco and McAfee agree with GlobalData, and the joint customers who have told us the same… that we should enable pxGrid and OpenDXL to interoperate so we can better solve cybersecurity issues they face.  A key component of that is enabling the components of multi-vendor security networks to coordinate their information sharing and threat response.  Interoperation of pxGrid and OpenDXL provides a hefty down payment on that by bringing together our respective cybersecurity ecosystems.  And that is where “100” comes in.  Because the collaboration of “2” with Cisco and McAfee delivers just shy of 100 (98 at last count) pxGrid and OpenDXL partner products that can interoperate via each framework.

While we think bringing pxGrid and OpenDXL together enables material long-term impact on cybersecurity operations and effectiveness, it also has immediate positive impact.  Here’s what it does today:

Employ a Vendor Ecosystem for Threat Response

The “100” can be put to work today on network and endpoint threat response.  Integration between pxGrid and OpenDXL enables our respective threat response ecosystems to collaborate via Cisco® Identity Services Engine (ISE) and McAfee® ePolicy Orchestrator® (ePO).  When a threat response partner takes an automated or manual threat response action via pxGrid or OpenDXL, that response is captured and relayed between ISE and ePO for appropriate Rapid Threat Containment action on the Cisco network or remediation at the McAfee ePO-managed endpoint.  This enables a broad threat response ecosystem composed of almost 100 vendors from every type of security technology.

A common use-case for this is threat response from a SIEM console.  A security analyst decides that a threat event in her SIEM requires immediate action.  If that SIEM vendor is either a pxGrid or DXL partner (pretty much all are), a threat mitigation or investigation action can be launched directly from the SIEM console and executed on both the network via Cisco ISE and on the endpoint via McAfee ePO.  Pretty powerful.

SIEM partner using pxGrid/DXL interoperability to execute threat response actions.

Integration of Cisco ISE and McAfee ePO for Threat Response

Similar to above, ISE and ePO can directly collaborate on threat response by informing each other when one has taken a threat response action so that the other can take an appropriate action according to its respective policy.  This delivers more effective threat response by allowing the endpoint and network to take automated or manual actions as appropriate for the threat conditions. 

Consistent Network Access and Endpoint Control Policy with Cisco ISE and McAfee ePO

Collaboration between ISE and ePO also enables comprehensive network-attached endpoint visibility and network access policy.  ISE, by serving as a gatekeeper for every user/device trying to access the network, possesses a wealth of user identity, endpoint device and network context.  ISE can share via pxGrid its network-attached endpoint session inventory with McAfee OpenDXL, which then relays the information to McAfee ePO.  This provides ePO with visibility to endpoints that it may not know about thus allowing ePO to make determinations about whether or not to bring those newly discovered endpoints under management.  Similarly, Cisco ISE can detect whether an endpoint has McAfee ePO installed and create network access policy based on its presence.

Looking more broadly beyond these specific integrations, Cisco continues to be active in the IETF Security Automation and Continuous Monitoring (SACM) and Managed Incident Lightweight Exchange (MILE) working groups to drive standardized methods of exchanging monitoring telemetry between security platforms. Furthermore, Cisco continues to drive a “simple, open, automated” approach to security by implementing integrations based on pxGrid and other methods within the Cisco Security portfolio. Coordinated threat detection, investigation and containment are enabled through Cisco architectural integrations like Talos threat intelligence leveraged across our portfolio, system-wide malware protection with AMP Everywhere, Umbrella Enforcement from the cloud, and Cisco’s own Rapid Threat Containment solutions between ISE, Firepower NGFW, Stealthwatch, and AMP.

Cross-platform integration is critical to securing the networks that run our schools, businesses, government…our world. Whether you are a customer deploying security platforms, a vendor partner or start-up integrating security platforms, or a services integration partner building unique security service offerings, an open integration environment is a necessity. Collaboration between Cisco pxGrid and McAfee OpenDXL helps toward those ends.


Author: Scott Pope


Download the Citrix Ransomware kit

Category : Citrix

Are you reducing your attack surface so ransomware attacks are minimized?  Can you quickly recover without paying a ransom?  Yes you can.  Learn how.

With this kit you will learn how to:

  • Publish virtualized, sandboxed and hardened browsers and email clients
  • Utilize Hypervisor Introspection (HVI) to detect ransomware techniques
  • Protect mobile devices against attacks with containerization
  • Provide a secure and robust enterprise data sync and sharing service


MobileIron adds Apple macOS features to its enterprise mobility management tools

Category : Mobile Iron

The Apple Release from MobileIron gives a nod to enterprises that are increasingly adopting Macs but not managing them through central IT systems.

MobileIron launched its Apple Release, which will integrate macOS and add zero-day compatibility support for iOS 11, launching in September.

MobileIron’s Apple Release will allow data protection on the Mac by securing application delivery and configurations. MobileIron Tunnel, which provides per app VPNs, is included along with cloud trusted access tools.

Apple Release features will include:

  • macOS support for the MobileIron Access and Tunnel tools
  • Policies to define which apps employees can download
  • MobileIron app distribution tools for the macOS as well as Apple’s Volume Purchase Program and Device Enrollment Program
  • In-house app support for software not in Apple’s Mac App Store
  • Pre-defined compliance actions
  • Restrictions through the macOS Sierra 10.12 release
  • Custom configurations

MobileIron supports Android, iOS, macOS, and Windows 10 for its enterprise mobility management platform.


Introducing Elio

Category : NetApp

Meet Elio, NetApp’s new virtual support assistant with IBM Watson cognitive computing, part of Digital Support.