Talk

Reach the Nirvana : Hijack, Inject, Sleep

conf 2024-11-06 09:40 – 10:25 La Marive EN


Nirvana Hooking is an instrumentation callback mechanism implemented on Windows for debugging purposes. It works by allowing a user to define a custom callback function that will be called by the KERNEL after each SYSCALL performed by the process. While this method is well known, it has mainly been used to intercept SYSCALLs, and no specific use of this mechanism has been clearly documented.

During this talk, you will see an introduction to Nirvana Hooking: what it is, how it is possible to register a Nirvana Hook, and what can be done from this hook. Then, once the basics are explained, you will see how it is possible to weaponize this mechanism through three different use cases:

- Syscall hijacking: this is the most common way to use the Nirvana Hook; it allows an attacker to intercept each syscall to perform additional actions or change the SYSRET code.
- Threadless process injection: see how a Nirvana Hook can be used to achieve threadless injection into a remote process, and its limitations.
- Sleep obfuscation: when using a C2 beacon, the beacon's sleep phase is a critical step where an EDR can detect the beacon due to unclean stacks, use of specific functions, etc. In this talk you will see how you can leverage the Nirvana Hook to get a clean sleep obfuscation mechanism.