Black Hat Briefings, Las Vegas 2006 [audio] Presentations From The Security Conference

"Hotpatching is a common technique for modifying the behavior of a closed source applications and operating systems. It is not new, and has been used by old-school DOS viruses, spyware, and many security products. This presentation will focus on one particular application of hotpatching: the development of third-party security patches in the absence of source code or vendor support, as illustrated by Ilfak Guilfanov’s unofficial fix for the WMF vulnerability in December of 2005. The presentation will begin with an overview of common hotpatching implementations, including Microsoft’s hotpatching support in Windows 2003, the standard 5-byte jump overwrite and dynamic binary translation systems. I will talk briefly about the deployment and compatibility issues surrounding third party security patches, before getting technical and delving deep into the process of hotpatch development. I will present techniques for exploit-guided debugging and reverse engineering of vulnerable functions, as well as code for hot