Channel: A blog about rootkits research and the Windows kernel
Browsing latest articles
Browse All 57 View Live

Windows exploitation in 2015

"Windows exploitation in 2015" is out. The new version contains information about Google Chrome security features, EMET, Hacking Team exploits, and Windows vulnerabilities. Press release: ESET Examines...

My opinions in media

E2EE in modern messengers: [15.07.16] [Geekbrains] [RU] link
Messengers security, E2EE: [28.06.16] [Gazeta.RU] [RU] link
Nemucod + TeslaCrypt campaign: [22.03.16] [Gizmodo India] [ENG] link
Apple v FBI...

Remsec driver analysis

The Remsec (or Cremes) malware has already been described in detail by Kaspersky in their report. Symantec also published a blog post about it. This sophisticated malware toolkit is associated with so-called state-sponsored...

Remsec driver analysis - Part 2

In the previous blog post I described the 32-bit driver used by the attackers behind the Strider cybergroup. I also pointed out that, from my point of view, the driver was developed by skilled guys,...

Remsec driver analysis - Part 3

In the two previous blog posts I described the 32-bit plugin mentioned by Kaspersky in their technical analysis. The plugin is called kgate and has some interesting features, including...

Remsec driver analysis - Agnitum driver exploitation

In the previous three parts of the "Remsec driver analysis" research I tried to show how the Remsec (aka Cremes) Ring 0 code works and how it is loaded into the system. We already know that the attackers were...

A note about Sednit rootkit

The Sednit cyberespionage group is already well known to AV vendors and the security community. It is also known as APT28, Fancy Bear, Pawn Storm, and Sofacy. A wide range of research shows that this...

Windows exploitation in 2016

"Windows exploitation in 2016" is out...

Wingbird rootkit analysis

In previous blog posts I described rootkits that have been used by so-called state-sponsored actors to infect their victims, provide malware persistence and achieve SYSTEM privileges on a...

Finfisher rootkit analysis

My previous blog post was dedicated to a very interesting piece of malware called Wingbird. This malware has been used by the NEODYMIUM cyber espionage group and contains a rootkit to execute sensitive and...

EquationDrug rootkit analysis (mstcp32.sys)

The malware arsenal used by the very sophisticated, so-called state-sponsored cyber group named "Equation Group" has already been described in detail by Kaspersky in their report. As always, it...

Stuxnet drivers: detailed analysis

A lot of time has already passed since the publication of various detailed research about Stuxnet and its components. All top AV vendors wrote their own comprehensive papers, which reveal major...

GrayFish rootkit analysis

Earlier this year, I published research on a rootkit belonging to the famous state-sponsored cybergroup called "Equation Group". The analyzed rootkit actually represents one of the Windows kernel-mode...

Windows 10 RS5 introduces a new Software PTE type

As we already know, Microsoft tries to roll out new security features (aka exploit mitigations) with each release of Windows 10 (RS_X). In previous releases, a version of EMET built into the OS was spotted (aka...

What is a Proto-PTE and how Windows VMM works with it

A Proto-PTE (Prototype PTE, PPTE) is a basic building block of the Windows VMM (Virtual Memory Manager), with whose help the OS can work with memory-mapped files (or Sections in the Native/NT kernel API...

Why Google Chrome runs so many processes

Reading some topics on the Internet, it became clear that I'm not the only one who has wondered why the Google Chrome web browser (on Windows) runs so many processes even if only one or two tabs have been opened in...

RIP Vitalik aka VK_Intel

https://www.darkreading.com/careers-and-people/vitali-kremez-dead-apparent-scuba-diving-accident

Inside the Windows Cache Manager

Introduction: The cache is an integral part of the operating system and its hybrid kernel. Roughly speaking, it's just a virtual memory region in the kernel address space, onto which the Cache Manager maps...

Dissecting Windows Section Objects

Instead of an introduction: We can't imagine Windows without section objects (or file mapping objects in Windows API terms), and we can hardly find a Windows kernel subsystem that doesn't use them. The...

Ky1vstar cyberattack - under the hood of the malicious scripts

The attack overview: In mid-December, it was revealed that a devastating cyberattack hit Ukr@ine's biggest telecommunications company. The attack disabled the company's services for days (!), leaving...

GMER - the art of exposing Windows rootkits in kernel mode

📌 Chapters: Introduction; Some basic terms; Howto; Exploring Win11 disk subsystem; Set up a secure environment; Overview of the driver; Patching kernel data; Securing disk I/O operations; Securing file I/O...

Guntior - the story of an advanced bootkit that doesn't rely on Windows disk...

I first stumbled upon this interesting malware sample about a decade ago, when I was a contributor to the kernelmodeinfo forum. Amid the rise of bootkits at that time, the dropper was captured in the wild...

Windows Bootkits Guide

There are two main sections in the article: an infographic, and web links to research, samples and sources. The Year column indicates the year of the malware's appearance or when the information...

Windows Rootkits Guide

I'm glad to present my deep dive into Windows rootkit families, from early concepts to the latest sophisticated instances. This is an attempt to summarize information about them and highlight the Windows...

Windows Rootkits (and Bootkits) Guide v2

(The picture is from the movie Elysium.) Hello folks and have a good day. If you follow my blog, you might know that my two previous blog posts discussed kernel-mode (km) malware, rootkits and bootkits, focusing on the Ring...
