
In NTDLL I Trust - Process Reimaging and Endpoint Security Solution Bypass - E. Carroll - Hack in Paris - 2019

Hack in Paris via YouTube

Overview

This talk shows how the Process Reimaging technique can bypass Windows Defender detection and achieve the same impact as Process Hollowing or Process Doppelganging. It covers reversing the vulnerable Windows kernel APIs, the attack vectors involved, and recommendations for protecting endpoint products against Process Reimaging. The intended audience is cybersecurity professionals interested in endpoint security solutions and defense evasion techniques.

Syllabus

Introduction
Relevance
Attribution
About me
Agenda
What is Process Reimaging
AV Scanners
Process Reimaging
MITRE ATT&CK Framework
Game of Thrones
Process Doppelganger
AP
Process Reimaging
Weaponized Process Reimaging
Summary
Image File Pointer Field
Summary Table
Attack vectors
Get process image
Run process
Rename process
Demo
Recap
Pros and Cons
Impact
Endpoint Security Solution
Protection Recommendations
Microsoft Update
Conclusion

Taught by

Hack in Paris
