My opinions in media
E2EE in modern messengers: [15.07.16] [Geekbrains] [RU] linkMessengers security, E2EE: [28.06.16] [Gazeta.RU] [RU] linkNemucod + TeslaCrypt campaign: [22.03.16] [Gizmodo India] [ENG]Â linkApple v FBI...
View ArticleClik here to view.
Remsec driver analysis
Remsec or Cremes malware already was perfectly described by Kaspersky in their report. Symantec also did a blog post about it. This sophisticated malware toolkit refers to so-called state-sponsored...
View ArticleClik here to view.
Remsec driver analysis - Part 2
In previous blog post I've described 32-bit driver that has been used by attackers who are behind Strider cybergroup. I also pointed that from my point of view the driver was developed by skilled guys,...
View ArticleClik here to view.
Remsec driver analysis - Part 3
In two previous blog posts I've described 32-bit plugin that was mentioned by Kaspersky in their technical analysis. The plugin is called kgate and it has some interesting features, including,...
View ArticleClik here to view.
Remsec driver analysis - Agnitum driver exploitation
In previous three parts of "Remsec driver analysis" research I've tried to show, how Remsec (aka Cremes) Ring 0 code works and how it is loaded into a system. We already know that attackers were...
View ArticleClik here to view.
A note about Sednit rootkit
Sednit cyberespionage group is already a well-known for AVers & security community. It is also known as APT28, Fancy Bear, Pawn Storm, Sofacy. Wide range of various researches show for us that this...
View ArticleClik here to view.
Clik here to view.
Wingbird rootkit analysis
In previous blog posts I've described rootkits that have been used by so-called state-sponsored actors for infecting their victims, providing malware persistence and achieving SYSTEM privileges into a...
View ArticleClik here to view.
Finfisher rootkit analysis
My previous blog post was dedicated to very interesting malware that is called Wingbird. This malware has been used by NEODYMIUM cyber espionage group and contains rootkit to execute sensitive and...
View ArticleClik here to view.
EquationDrug rootkit analysis (mstcp32.sys)
Malware arsenal that have been used by very sophisticated & so-called state-sponsored cyber group named "Equation Group" already was perfectly described by Kaspersky in their report. As always, it...
View ArticleClik here to view.
Stuxnet drivers: detailed analysis
There has passed already a lot of time since the publication of various detailed researches about Stuxnet and its components. All top AV vendors wrote own comprehensive papers, which reveal major...
View ArticleClik here to view.
GrayFish rootkit analysis
Earlier in this year, I published research of the rootkit that belong to famous state-sponsored cybergroup called "Equation Group". Analyzed rootkit actually represents one of the Windows kernel mode...
View ArticleClik here to view.
Windows 10 RS5 introduces a new Software PTE type
As we already know, Microsoft tries to roll out a new security features (aka exploit mitigations) with each release of Windows 10 (RS_X). In previous releases was spotted a built into the OS EMET (aka...
View ArticleClik here to view.
What is a Proto-PTE and how Windows VMM works with it
A Proto-PTE (Prototype PTE, PPTE) is a basic block of the Windows VMM (Virtual Memory Manager) for help of which the OS can work with memory-mapped files (or Sections in the Native/NT kernel API...
View ArticleClik here to view.
Why Google Chrome runs so much processes
Reading some topics at the Internet, it became clear that I'm not alone who have wondered why Google Chrome web browser (on Windows) runs too much processes even if one or two tabs have been opened in...
View ArticleClik here to view.
RIP Vitalik aka VK_Intel
https://www.darkreading.com/careers-and-people/vitali-kremez-dead-apparent-scuba-diving-accident
View ArticleClik here to view.
Inside the Windows Cache Manager
IntroductionThe cache is an integral part of the operating system and its hybrid kernel. Roughly speaking, it's just a virtual memory region in the kernel address space, on which the Cache Manager maps...
View ArticleClik here to view.
Dissecting Windows Section Objects
Instead of introductionWe can't imagine Windows without section objects (or file mapping objects in terms of Windows API) and hardly can we find a Windows kernel subsystem that doesn't address it. The...
View ArticleClik here to view.
Ky1vstar cyberattack - under the hood of the malicious scripts
The attack overviewIn mid-December, it was revealed that a devastating cyberattack hit Ukr@ine's biggest telecommunications company. The attack disabled the company's services for days (!), leaving...
View ArticleClik here to view.
GMER - the art of exposing Windows rootkits in kernel mode
📌 Chapters:IntroductionSome basic termsHowtoExploring Win11 disk subsystemSet up a secure environmentOverview of the driverPatching kernel dataSecuring disk I/O operationsSecuring file I/O...
View ArticleClik here to view.
Guntior - the story of an advanced bootkit that doesn't rely on Windows disk...
I first stumbled upon this interesting malware sample about a decade ago, being a contributor to the kernelmodeinfo forum. Amid the rise of bootkits at that time, the dropper was captured in-the-wild...
View ArticleClik here to view.
Windows Bootkits Guide
There are two main sections in the article, an infographic and web links to researches, samples and sources. The Year column indicates the year of the malware's appearance or when the information...
View ArticleWindows Rootkits Guide
Glad to present my deep dive into Windows rootkit families from early concepts to the latest sophisticated instances. This is an attempt to summarize information about them and highlight the Windows...
View ArticleClik here to view.
Windows Rootkits (and Bootkits) Guide v2
The picture from the movie ElysiumHello folks and have a good day. If u follow my blog, u might know that my two previous blog posts discussed km malware - rootkits and bootkits - focusing on the Ring...
View ArticleThe final post
This blog is no longer active. For new posts,https://aibaranov.github.io/Contactshttps://linktr.ee/artem_i_baranovhttps://github.com/ArtemBaranov/Misc
View Article