Stephen Eckels - STrace - A DTrace on windows reimplementation.
Stephen Eckels, Senior Reverse Engineer, Mandiant LLC., He/Him
Presentation Title: STrace - A DTrace on windows reimplementation.
Open to alternative titles.
Length of presentation: 45 minutes
Demo, Tool
I'll document the kernel tracing APIs in modern versions of Windows, implemented to support Microsoft's port of the 'DTrace' system to Windows. This system provides an officially supported mechanism for system call interception that is PatchGuard compatible, but not Secure Boot compatible. Alongside the history and details of DTrace, this talk will also cover a C- and Rust-based reimplementation of the system that I call STrace. This reimplementation allows users to write custom plugin DLLs that are manually mapped into the kernel address space. These plugins can then log all system calls or, if desired, perform any side effects before and after system call execution by invoking the usual kernel driver APIs.
SPEAKER BIO:
Stephen Eckels is a reverse engineer who explores blue team tooling and regularly sees front-line malware. Stephen has published tools such as GoReSym, a Go symbol recovery tool, and has written extensively about many forms of hooking, including hooking the WOW64 layer. Stephen maintains the open-source hooking library PolyHook; some of his other work is public on the Mandiant blog.
https://twitter.com/stevemk14ebr
https://www.linkedin.com/in/stephen-eckels-995211102
REFERENCES:
* @JonasLyk for pointing me at DTrace and discussing its issues with me
* [Oguz Kartal's Post](https://www.oguzkartal.net/blog/inde...trace-support/)
* [Alex Ionescu's Post](https://www.alex-ionescu.com/?p=358)
* [MS Blog One](https://techcommunity.microsoft.com/...ws/ba-p/362902)
* [MS Blog Two](https://techcommunity.microsoft.com/...s/ba-p/1127929)
* [DTrace Language Documentation](https://illumos.org/books/dtrace/chp-actsub.html)
* [Rust Kernel Driver Example](https://github.com/pravic/winapi-kmd-rs)
* [Rust Kernel Driver Blog](https://not-matthias.github.io/kernel-driver-with-rust/)
* [Process Explorer StackTrace](https://blog.airesoft.co.uk/2009/02/...er-way-part-3/)
* [Process Hacker StackTrace](https://github.com/processhacker/pro.../thread.c#L339)