Playing Malware Injection with Exploit thoughts

Conference: Defcon 26



The presentation discusses several memory-level weaknesses in the Windows operating system and how an attacker can abuse them for code injection:
  • Windows 10 process creation vulnerability
  • Windows data window data vulnerability
  • OLE jump enter event vulnerability
The first, the Windows 10 process creation vulnerability, lets an attacker inject shellcode into a target process by modifying the LDR delcatty RTO users variable (term as transcribed). The second, the Windows data window data vulnerability, lets an attacker inject a fake vtable and overwrite the vtable pointer through the SetWindowLong API. The third, the OLE jump enter event vulnerability, lets an attacker overwrite a vtable pointer through the set of wabi API (term as transcribed) and inject into a jegging gelevent of Explorer (term as transcribed).


In the past, when attackers performed malicious code injection, they relied on RunPE, AtomBombing, cross-process thread creation, and similar approaches, which let them disguise their own executable as any critical system service. As anti-virus techniques have improved, these well-known approaches have been progressively detected and blocked. Attackers have therefore shifted to another target: memory-level weaknesses in the critical system services themselves. This talk briefly introduces PowerLoaderEx, a memory injection technique that emerged in 2013, and, building on the same concept, discloses three new injection methods. These make use of memory weaknesses in Windows to inject malicious behavior into critical system services. The content covers Windows reverse engineering, analysis of the memory weaknesses, how they are exploited, and related topics. The relevant PoC will be released at the end of the talk.