Memory-safety-related implementation errors are the most common vulnerabilities used by attackers to gain control over the execution flow of an application. By exploiting these vulnerabilities, an attacker can transfer an application's execution flow to the code they have injected. This technique is increasingly used by attackers in today's breaches.
Unfortunately, most defenders have no idea how code injection really works. It's challenging to investigate attackers using code injection if you don't understand what attackers are doing. Most defenders know that code injection exists but hope that endpoint protection products will take care of it.
In this talk, we'll start by covering the basics of code injection, then move into advanced topics that evade many traditional forensics techniques. You will also be introduced to the operation of fileless malware.