Presentation title
Hibernation File Attack

Presentation Abstract.
VISIBLE TO: Reviewers and paid attendees. IF ACCEPTED: Web site, printed conference guide.
The idea behind the hibernation file attack is to inject code into the hibernation file when the system is hibernated. The unsigned code will be written into the hibernation file directly before Windows starts, and when Windows processes a system resume, the modified kernel will be loaded. The injection is done via a custom, modified Master Boot Record. The MBR is executed before winresume.exe and is able to modify the hibernation file (hiberfil.sys) via its own file system drivers (FAT and NTFS). The MBR will be written to disk by a normal application using raw sector access.

Presentation outline that shows the logical progression of your presentation.
VISIBLE TO: Reviewers and paid attendees. IF ACCEPTED: Web site, printed conference guide.
1. discussing the theory (what, how)
2. how to attack the hibernation file (problems, solutions)
3. live demonstration
4. talking about general considerations (how it can be used, how to prevent, etc.)
5. questions, comments

What do you hope attendees will gain from the presentation?
VISIBLE TO: Reviewers and paid attendees. IF ACCEPTED: Web site, printed conference guide.
More knowledge about the Windows hibernation file and how it can be used for injecting unsigned code into the kernel. Additionally, the relevant Windows internals will be discussed and explained. The attendee will also learn how to write a Master Boot Record infector and how the Master Boot Record can be used to compromise Windows security. Technical details about the whole process, along with general operating system development, will be presented.

Additional details.
VISIBLE ONLY TO Reviewers. Provide any supporting details, 0-day specifics or content you only want the Reviewers to see.
The hibernation file attack is a successor of the pagefile attack by Joanna Rutkowska.
I also want to go behind the hibernation file attack and discuss solutions for making such software more reliable and successful. To show an example, I am using the vdl ("virus-description language", http://www.research.ibm.com/antivirus//SciPapers/Chess/CHESS3/chess3-node5.html) for defining values to be patched in the hibernation file, and I'm working on automatic MBR restoring methods.

Select presentation time in minutes.
VISIBLE TO: Reviewers and paid attendees. IF ACCEPTED: Web site, printed conference guide.
150 / later changed to 75

Describe three reasons why this is a quality Black Hat Presentation.
VISIBLE TO: Reviewers and paid attendees.
1. It shows a novel and sophisticated infection method not used before.
2. It is a successor of the pagefile attack presented by Joanna Rutkowska; the attendee will gain a clear view of the similarities and how old attack vectors can be used for new ones.
3. A live demonstration will be performed, to show that the hibernation file attack works in real life.

Check any that apply

Has this presentation been previously presented (Not 100% new content)?
VISIBLE TO: Reviewers and paid attendees.
No

Are you releasing a new tool(s)?
VISIBLE TO: Reviewers and paid attendees. IF ACCEPTED: Web site, printed conference guide.
Yes

Are you releasing a new vulnerability?
VISIBLE TO: Reviewers and paid attendees. IF ACCEPTED: Web site, printed conference guide.
Yes

Is there a live demonstration?
VISIBLE TO: Reviewers and paid attendees. IF ACCEPTED: Web site, printed conference guide.
Yes

Is there audience participation?
VISIBLE TO: Reviewers and paid attendees. IF ACCEPTED: Web site, printed conference guide.
No

Do you have any additional requirements we need to meet for you to present?
-