Contents

Obfuscating Application Code 395

Hindering Automation 398

Countering Runtime Composition Analysis 400

8.5 Conclusions 400

Chapter 9 Defeating Live Response 405

Autonomy: The Coin of the Realm 406

Learning the Hard Way: DDefy 407

The Vendors Wise Up: Memoryze 411

9.1 Live Incident Response: The Basic Process 412

9.2 User-Mode Loaders (UMLs) 417

UMLs That Subvert the Existing APIs 417

The Argument Against Loader API Mods 418

The Windows PE File Format at 10,000 Feet 419

Relative Virtual Addresses 420

PE File Headers 421

The Import Data Section (.idata) 424

The Base Relocation Section (.reloc) 427

Implementing a Stand-Alone UML 429

9.3 Minimizing Loader Footprint 434

Data Contraception: Ode to The Grugq 434

The Next Step: Loading via Exploit 435

9.4 The Argument Against Stand-Alone PE Loaders 435

Chapter 10 Building Shellcode in C 437

Why Shellcode Rootkits? 438

Does Size Matter? 439

10.1 User-Mode Shellcode 440

Visual Studio Project Settings 441

Using Relative Addresses 443

Finding Kernel32.dll: Journey into the TEB and PEB 446

Augmenting the Address Table 452

Parsing the kernel32.dll Export Table 453

Extracting the Shellcode 456

The Danger Room 460

xiii