Hyper-V in Windows endpoint detection, has always been regarded as the crown jewel that is difficult for the red team to conquer. Therefore, in the underground economy, online game anti-cheat protection heavily utilize Intel VT as the last line of defense to avoid classic BYOVD kernel-level attacks to bypass the protection; However, SOTA anti-cheat protection, in order to achieve better system threat protection than Microsoft's standard design, gradually introduce Hyper-V technology to make numerous kernel-level protection via EXPLOIT AND MANIPULLATION to Windows 10+ NT Kernel objects, under the premise of "effectively bypassing Microsoft's kernel driver-level protection " to beawre the game cheating. But this technology as detection, malicious and effective?

Know yourself and your enemy, you will never be defeated in a hundred battles! In this session, we will guide the audience to play with the Hypervisor detection defences and the system's architectural relationship with them, from dismantling the architecture of Microsoft's VT-based Hyper-V platform to how the anti-cheat protection can manipulate Microsoft's VBS (Virtualisation-Based Security) and Patch Guard to achieve the desired results to forge memory pages in both user/kernel mode. In the end of the session, provides recommendations and guidance on the methods and risks of endpoint detection to introduce such kernel patches as endpoint detection.

To identify a few unique binaries even worth the effort for human experts to analyze from large-scale samples, filter techniques for excluding those highly duplicated program files are essential to reduce the human cost within a restricted period of incident response, such as auto-sandbox emulation or AI detection engine. As VirusTotal reported in 2021 ~90% of 1.5 billion samples are duplicated but still require malware experts to verify due to obfuscation. 

In this work, we proposed a novel neural-network-based symbolic execution LLM, CuIDA, to simulate the analysis strategies of human experts, such as taint analysis of the Use-define chain among unknown API calls. Our method can automatically capture the contextual comprehension of API and successfully uncover those obfuscated behaviors in the most challenging detection dilemma including (a.) dynamic API solver, (b.) shellcode behavior inference, and (c.) commercial packers detection WITHOUT unpacking.

We demonstrate the practicality of this approach on large-scale sanitized binaries which are flagged as obfuscated but few positives on VirusTotal. We surprisingly uncovered up to 67% of binaries that were missed by most vendors in our experiment, by the factor of those threats successfully abuse the flaw of VC.Net detection to evade the scan. Also, this approach shows the inference intelligence on behavior prediction for shellcode without simulation, instead, only by using the data-relationships on the stack to infer the relative unique behaviors involved in the payload.

Moreover, to explore the limitation of our transformer’s contextual comprehension on the obfuscation problem, we evaluate the transformer with state-of-the-art commercial packers, VMProtect and Themida. Our approach successfully forensics-based investigates the original behaviors of the running protected program without unpacking. Furthermore, this approach reveals a few unexpected findings of the protection strategies of the commercial packers themselves. In conclusion, our method explores the possibility of using LLM to sample the reversing experience, analysis strategies of human experts, and success in building robust AI agents on practical obfuscated code understanding.

The popularity of low-orbit satellites for enterprise, civil and critical infrastructures has made the security of satellite communications a growing global concern. As a result, many satellite solution providers are facing the issue and trying to solve it by traffic encryption between user ground devices and high altitude satellites to avoid possible from the ground jamming attacks or even man-in-the-middle hijacking and manipulation, but does encryption really equal to secure?

In this session, we will go along with the audience on a journey to explore terrestrial broadcasting attacks, starting from two academic studies to explore how hackers can find encryption flaws in the hardware and software design architecture of satellite modem products, inject malicious firmware upgrades through man-in-the-middle hijacking and take down the remote execution again after dismantling the satellite communication equipment in a practical manner. We will explore the security costs of modern satellite modulation and demodulation process with its high firmware data transfer capability, the difficulties of man-in-the-middle identification for practical datacom-satellite communication, and how attackers can abuse the combination of these techniques and the possible threats.

Malware Rules - cornerstone of modern security solutions, also as researcher's nightmare. Although it has the characteristics of low false positives and high accuracy, but requires analysts to spend time WEARYGNG GLASSES to find unique strings in binary as pattern to write for detection. Such as it consumes expert time and has become a major pain point for the current security industry. Therefore, whether artificial intelligence can be introduced to solve the problem of writing patterns on large-scale malware has become a consensus issue that the industry is looking forward to, and has also become a hot academic topic of cybersecurity.

In this session, we will start with two innovative studies conducted by AAAAI based on NVIDIA's top-level seminar on how to slice malware binary into semantic sub-patterns from the perspective of Ngram, and extract those high-entropy and developer-specific strings as rules to be effectively detected by a convolutional vision strategy. with a detection rate of 98% in a double-blind test of 800,000 samples, as excellent semantic detection performance. At the end of the session, we summarised the advantages, disadvantages and limitations of this method in products to help the audience to have a strong interest and understanding of this kind of detection technology.