SlideShare uma empresa Scribd logo

Advanced Evasion Techniques by Win32/Gapz

Alex Matrosov
Alex Matrosov
Tecnologia
1 de 65
Baixar para ler offline
Advanced Evasion Techniques by Win32/Gapz Aleksandr Matrosov Eugene Rodionov
Outline of The Presentation  Targeted Attacks with complex threats (rootkits/bootkits)  Is reasonable?  Gapz: dropper  PowerLoader builder  explorer.exe code injection trick  Gapz: bootkit  Classification of modern bootkits  New VBR bootkit technique  Gapz: payload  Hidden file system implementation  Disk hooks and Hooking engine  NDIS, TCP/IP stack implementation, HTTP protocol  C&C communications  Gapz: forensic approaches
Targeted Attacks with Complex Threats (rootkits/bootkits)
Targeted Attacks with Complex Threats (rootkits/bootkits) Is reasonable for attackers?  Long-lasting stealth infection  Difficult to investigate by typical forensic tools  Difficult to extract bot configuration information  Stealth duration for one target: months  Price in cybercrime market:  Bootkit builder without sources: ~ 10.000$  Stealth bootkit with sources: ~ 50.000$  Custom develop with sources: ~ 100.000$
Gapz: dropper
Gapz Known Droppers Detection Name Compilation Date LPE Exploits Bootkit Technique Win32/Gapz.A 11/09/2012 30/10/2012 CVE-2011-3402 CVE-2010-4398 COM Elevation VBR Win32/Gapz.B 06/11/2012 CVE-2011-3402 COM Elevation no bootkit Win32/Gapz.C 19/04/2012 CVE-2010-4398 CVE-2011-2005 COM Elevation MBR
PowerLoader Builder (since September 2012)
PowerLoader Builder (since September 2012)
PowerLoader Based Droppers Price for Power Loader is about $500 for one builder kit with C&C panel PowerLoader (Agent.UAW) Gapz Redyms Agent.UMT PowerLoader code inject Carberp
Gapz Dropper Execution Stages Injecting into explorer.exe (entry point) Local Privilege Escalation (icmnf) Infecting the system (isyspf) stage 1 stage 2
Bypassing HIPS with explorer.exe Code Injection opens shared sections from BaseNamedObjects mapped into explorer.exe and writes shellcode
Bypassing HIPS with explorer.exe Code Injection The dropper searches for the window “Shell_TrayWnd”
Bypassing HIPS with explorer.exe Code Injection The dropper calls GetWindowLong() so as to get the address of the routine related to the “Shell_TrayWnd” window handler The dropper calls SetWindowLong() to modify “Shell_TrayWnd” window-related data
Bypass HIPS with explorer.exe Code Injection calls SendNotifyMessage() to trigger shellcode execution in explorer.exe address space arbitrary code execution in WndProc() of “Shell_TrayWnd”:
Triggering Shellcode Execution SendNotifyMessage() transfers control to the address pointed to address points to the KiUserApcDispatcher() routine
Triggering Shellcode Execution uses ROP-gadgets to jump into shellcode memory region and execute shellcode
Triggering Shellcode Execution uses ROP-gadgets to jump into shellcode memory region and execute shellcode
Triggering Shellcode Execution
Gapz: bootkit
Modern Bootkits Classification Bootkits MBR VBR/IPL MBR Code modification Partition Table modification IPL Code modification BIOS Parameter Block modification TDL4 Olmasco Rovnix Gapz
Gapz Bootkit Modifications Detection Name Compilation Date Bootkit Technique Win32/Gapz.A 11/09/2012 30/10/2012 VBR Win32/Gapz.C 19/04/2012 MBR Gapz Bootkit MBR Modification VBR Modification
Gapz Bootkit Overview Module Name Hooked Routine ntldr BlLoadBootDrivers bootmgr Archx86TransferTo32BitApplicationAsm winload.exe OslArchtransferToKernel ntoskrnl.exe IoInitSystem Gapz bootkit features:  hooks int 13h handler  patches modules: ntldr, bootmgr, winload.exe, kernel image to survive processor execution mode switching and kernel-mode code integrity checks
Gapz Bootkit Workflow Hook Archx86TransferTo32BitApplicationAsm in bootmgr Hook OslArchTransferToKernel in winload.exe Hook IoInitSystem in kernel image Int 13h handler is hooked Bootmgr loads winload.exe Winload.exe loads kernel image Bootkit loads malicious kernel-mode code and runs it in a new system thread
Gapz VBR Bootkit Gapz VBR bootkit features:  Relies on Microsoft Windows VBR layout  The infections results in modifying only 4 bytes of VBR  The patched bytes might differ on various installations jmp BIOS Parameter Block (BPB) VBR code Text Strings 0x55 0xAA 0x000 0x003 0x054 0x19C 0x1FE 0x200 transfer control
Gapz BPB Layout struct BIOS_PARAMETER_BLOCK { WORD BytesPerSector; BYTE SecPerCluster; WORD ReservedSectors; BYTE Reserved[5]; BYTE MediaDescriptorID; WORD Reserved2; WORD SectorsPerTrack; WORD NumberOfHeads; DWORD HiddenSectors; DWORD Reserved3[2]; LONGLONG TotalSectors; LONGLONG StartingCluster; LONGLONG MFTMirrStartingCluster; DWORD ClustersPerMFTRecord; DWORD ClustersPerIndexBuffer; LONGLONG VolumeSerialNumber; DWORD Reserved4; };
Gapz BPB Layout struct BIOS_PARAMETER_BLOCK { WORD BytesPerSector; BYTE SecPerCluster; WORD ReservedSectors; BYTE Reserved[5]; BYTE MediaDescriptorID; WORD Reserved2; WORD SectorsPerTrack; WORD NumberOfHeads; DWORD HiddenSectors; DWORD Reserved3[2]; LONGLONG TotalSectors; LONGLONG StartingCluster; LONGLONG MFTMirrStartingCluster; DWORD ClustersPerMFTRecord; DWORD ClustersPerIndexBuffer; LONGLONG VolumeSerialNumber; DWORD Reserved4; };
Gapz BPB Modification MBR NTFS File SystemIPLVBR NTFS Volume 0x200 0x1E00 Number of “Hidden Sectors” MBR NTFS File SystemIPL Infected VBR NTFS Volume 0x200 0x1E00 Hard Drive Modified value of number of “Hidden Sectors” Bootkit before infection after infection
Gapz: rootkit
Gapz Rootkit Overview Gapz rootkit functionality is implemented as position independent kernel-mode code for both x86 and x64 platforms Gapz rootkit capabilities:  Hidden storage implementation  User-mode payload injection  Covert network communication channel  C&C server authentication mechanism
Gapz Rootkit Overview Gapz rootkit functionality is implemented as position independent kernel-mode code for both x86 and x64 platforms Gapz rootkit capabilities:  Hidden storage implementation  User-mode payload injection  Covert network communication channel  C&C server authentication mechanism
Gapz Kernel-mode Code Organization struct GAPZ_BASIC_BLOCK_HEADER { // A constant which is used to obtain addresses // of the routines implemented in the block unsigned int ProcBase; unsigned int Reserved[2]; // Offset to the next block unsigned int NextBlockOffset; // Offset of the routine performing block initialization unsigned int BlockInitialization; // Offset to configuration information // from the end of the kernel-mode module // valid only for the first block unsigned int CfgOffset; // Set to zeroes unsigned int Reserved1[2]; };
Gapz Kernel-mode Code Blocks Block # Implemented Functionality 1 General API, gathering information on the hard drives, CRT string routines and etc. 2 Cryptographic library: RC4, MD5, SHA1, AES, BASE64 and etc. 3 Hooking engine, disassembler engine. 4 Hidden Storage implementation. 5 Hard disk driver hooks, self-defense. 6 Payload manager. 7 Payload injector into processes’ user-mode address space. 8 Network communication: Data link layer. 9 Network communication: Transport layer. 10 Network communication: Protocol layer. 11 Payload communication interface. 12 Main routine.
Gapz Hidden Storage Implementation  Gapz implements modified FAT32 hidden volume based on FullFat project  Length of file name in FAT directory entry is 32 bytes  The hidden volume is stored in the file with name: “??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”  The contents of the volume is encrypted with AES-256 in CBC mode:  The sector LBA is used as IV
Gapz Hidden Storage Implementation  Gapz implements modified FAT32 hidden volume based on FullFat project  Length of file name in FAT directory entry is 32 bytes  The hidden volume is stored in the file with name: “??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”  The contents of the volume is encrypted with AES-256 in CBC mode:  The sector LBA is used as IV
Gapz Hidden Storage Implementation  Gapz implements modified FAT32 hidden volume based on FullFat project  Length of file name in FAT directory entry is 32 bytes  The hidden volume is stored in the file with name: “??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”  The contents of the volume is encrypted with AES-256 in CBC mode:  The sector LBA is used as IV
Gapz Crypto Library Implementation  Gapz crypto library functionality:  Hashing: MD5, SHA1  Symmetric ciphers: RC4, AES  Asymmetric cipher: ECC
Gapz Self-Defence Mechanisms  Gapz hooks IRP_MJ_INTERNAL_DEVICE_CONTROL and IRP_MJ_DEVICE_CONTROL handlers to monitor:  IOCTL_SCSI_PASS_THROUGH  IOCTL_SCSI_PASS_THROUGH_DIRECT  IOCTL_ATA_PASS_THROUGH  IOCTL_ATA_PASS_THROUGH_DIRECT  Gapz protects:  MBR/VBR from being read/overwritten  its image on the hard drive from being overwritten
Gapz Hooking Engine Implementation  Gapz hooking engine is based on the ”Hacker Disassembler Engine”  Tries to avoid patching the very first bytes of the routine being hooked (nop; mov edi, edi; etc.):
Gapz Hooking Engine Implementation  Gapz hooking engine is based on the ”Hacker Disassembler Engine”  Tries to avoid patching the very first bytes of the routine being hooked (nop; mov edi, edi; etc.):
Gapz Code Injection Functionality Allocate memory buffer in target process address space Write payload and loader code into allocated buffer Create remote thread in the target process Loader code DLL loader (load/unload DLL modules) Command executer (call specific handler in DLL payload and pass necessary parameters) EXE loader 1 (run EXE modules) EXE loader 2 (run EXE modules)
Gapz Payload Loader Code: DLL Loader & Command Executer Map image into address space Fix relocations and initialize IAT Load or unload? Execute export #1 Execute export #2 Release image memory unload load
Gapz Payload Loader Code: EXE Loaders Drop payload image into %TEMP% directory Execute CreateProcessW API EXE Loader 1 Create legitimate suspended process (via CreateProcessAsUser) Overwrite process image with the malicious one Set process thread context according to malicious image Resume process thread EXE Loader 2
Gapz Network Protocol Implementation svchost.exe overlord32(64).dll Win32/Gapz kernel-mode module TCP/IP protocol stack implementation Message to be sent to C&C Server user mode kernel mode C&C Server Send using Win32 socket implementation Send directly using NDIS miniport driver
Gapz Network Protocol Architecture Gapz implementation OSI Model HTTP protocol (block #10) TCP/IP protocol (block #9) NDIS miniport wrapper (block #8) Application/Presentation Layer Network/Transport Layer Data Link Layer
Gapz Network Protocol Implementation: NDIS Gapz network protocol stack relies on miniport adapter driver: Miniport adapter driver Intermediate driver Protocol driver (tcpip.sys) Filter driver ......... At the level of protocol or intermediate drivers Win32/Gapz’s network packet is “invisible” Win32/Gapz communicates directly to miniport adapter Win32/Gapz Network packet
Gapz C&C Communication Protocol  Gapz communicates to C&C servers over HTTP protocol  Capabilities of the protocol:  00 - download payload  01 - send bot information to C&C  02 - request payload download information  03 - report on running payload  04 - update payload download URL  The requests corresponding to commands 0x01, 0x02 and 0x03 are performed by the POST method of the HTTP protocol.
Gapz C&C Communication Protocol: HTTP Request Message HeaderHTTP Header Request specific data HTTP header HTTP body struct MESSAGE_HEADER { // Output of PRNG unsigned char random[128]; // a DWORD from configuration file unsigned int reserved; // A binary string which is used to authenticate C&C servers unsigned char auth_str[64]; };
Gapz C&C Communication Protocol: HTTP Request Message HeaderHTTP Header Request specific data HTTP header HTTP body struct MESSAGE_HEADER { // Output of PRNG unsigned char random[128]; // a DWORD from configuration file unsigned int reserved; // A binary string which is used to authenticate C&C servers unsigned char auth_str[64]; };
Gapz C&C Communication Protocol: C&C Reply Encrypted rc4 key K1 HTTP Header Reply specific data HTTP message header HTTP message body Authentication string rc4 encrypted data with key k1 Decrypt key K1 Decrypt authentication string and reply-specific data using key K1 Check authentication string Process reply-specific data Reject reply-specific data matchdoesn’t match
Gapz C&C Communication Protocol: URLs
Gapz C&C Communication Protocol: URLs
Gapz User-mode Payload Functionality The module overlord32(64).dll is essential part of the Gapz bootkit Overlord32(64).dll is injected into svchost.exe process Overlord32(64).dll dispatches the requests from kernel-mode Cmd # Command Description 0 gather information about all the network adapters installed in the system and their properties and send it to kernel-mode module 1 gather information on the presence of particular software in the system 2 check internet connection by trying to reach update.microsoft.com 3 send & receive data from a remote host using Windows sockets 4 get the system time from time.windows.com 5 get the host IP address given its domain name (via Win32 API gethostbyname) 6 get Windows shell (by means of querying “Shell” value of “SoftwareMicrosoftWindows NTCurrentVersionWinlogon” registry key)
Gapz User-mode Payload Interface Gapz impersonates the handler of the payload requests in the null.sys driver to communicate with the injected payload: Win32/Gapz module DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload = NULL DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler Gapz’s hook jmp gapz_hook Payload interface before patching after patching
Gapz User-mode Payload Interface Gapz impersonates the handler of the payload requests in the null.sys driver to communicate with the injected payload: Win32/Gapz module DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload = NULL DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler Gapz’s hook jmp gapz_hook Payload interface before patching after patching
Modern bootkits comparison Functionality Gapz Olmarik (TDL4) Rovnix (Cidox) Goblin (XPAJ) Olmasco (MaxSS) MBR modification      VBR modification      Hidden file system type FAT32 custom FAT16 modification custom (TDL4 based) custom Crypto implementation AES-256, RC4, MD5, SHA1, ECC XOR/RC4 Custom (XOR+ROL)  RC6 modification Compression algorithm   aPlib aPlib  Custom TCP/IP network stack     
Gapz: forensics approaches
Hidden File System Reader
Hidden File System Reader
Hidden File System Reader
DEMO
HiddenFsReader: Free public forensic tool http://download.eset.com/special/ESETHfsReader.exe
Conclusion  The most complex != The stealthiest (detection)  Gapz employs a new VBR-based bootkit technique  Gapz implements:  network communication protocol stack  crypto library  hidden FAT volume  HiddenFsReader is capable of dumping contents of the hidden volume
References  Gapz and Redyms droppers based on Power Loader code http://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/  Mind the Gapz: The most complex bootkit ever analyzed? http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf  Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy http://go.eset.com/us/resources/white-papers/Rodionov-Matrosov.pdf  Defeating Anti-Forensics in Contemporary Complex Threats http://go.eset.com/us/resources/white-papers/Matrosov_Rodionov_VB2012.pdf  Bootkit Threats: In-Depth Reverse Engineering & Defense http://www.welivesecurity.com/wp-content/media_files/REcon2012.pdf
Thank you for your attention! Aleksandr Matrosov matrosov@eset.sk @matrosov Eugene Rodionov rodionov@eset.sk @vxradius

Recomendados

Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windowsn|u - The Open Security Community
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
Malware analysis using volatility
Malware analysis using volatilityMalware analysis using volatility
Malware analysis using volatilityYashashree Gund
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Sysdig Open Source Intro
Sysdig Open Source IntroSysdig Open Source Intro
Sysdig Open Source IntroMichael Ducy
 

Recomendados

Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
Code Injection in Windows
Code Injection in WindowsCode Injection in Windows
Code Injection in Windowsn|u - The Open Security Community
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
Object Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerObject Oriented Code RE with HexraysCodeXplorer
Object Oriented Code RE with HexraysCodeXplorerAlex Matrosov
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
Malware analysis using volatility
Malware analysis using volatilityMalware analysis using volatility
Malware analysis using volatilityYashashree Gund
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Sysdig Open Source Intro
Sysdig Open Source IntroSysdig Open Source Intro
Sysdig Open Source IntroMichael Ducy
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
Genode Compositions
Genode CompositionsGenode Compositions
Genode CompositionsVasily Sartakov
 
Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011pundiramit
 
Genode Components
Genode ComponentsGenode Components
Genode ComponentsVasily Sartakov
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
 
Genode Architecture
Genode ArchitectureGenode Architecture
Genode ArchitectureVasily Sartakov
 
Mem forensic
Mem forensicMem forensic
Mem forensicChong-Kuan Chen
 
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹GangSeok Lee
 
Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?inaz2
 
Porting Android
Porting AndroidPorting Android
Porting AndroidOpersys inc.
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slidesMoabi.com
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practicalMoabi.com
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler CollectionMoabi.com
 
ADB(Android Debug Bridge): How it works?
ADB(Android Debug Bridge): How it works?ADB(Android Debug Bridge): How it works?
ADB(Android Debug Bridge): How it works?Tetsuyuki Kobayashi
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Rémi Jullian
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityAndrew Case
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
 
Linux: the first second
Linux: the first secondLinux: the first second
Linux: the first secondAlison Chaiken
 
Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitAlex Matrosov
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigationAlex Matrosov
 

Mais conteúdo relacionado

Mais procurados

Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011pundiramit
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
 
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹GangSeok Lee
 
Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?inaz2
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slidesMoabi.com
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practicalMoabi.com
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler CollectionMoabi.com
 
ADB(Android Debug Bridge): How it works?
ADB(Android Debug Bridge): How it works?ADB(Android Debug Bridge): How it works?
ADB(Android Debug Bridge): How it works?Tetsuyuki Kobayashi
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Rémi Jullian
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityAndrew Case
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelPeter Hlavaty
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
 
Linux: the first second
Linux: the first secondLinux: the first second
Linux: the first secondAlison Chaiken
 

Mais procurados (20)

Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driver
 
Genode Compositions
Genode CompositionsGenode Compositions
Genode Compositions
 
Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011Android porting for dummies @droidconin 2011
Android porting for dummies @droidconin 2011
 
Genode Components
Genode ComponentsGenode Components
Genode Components
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
 
Genode Architecture
Genode ArchitectureGenode Architecture
Genode Architecture
 
Mem forensic
Mem forensicMem forensic
Mem forensic
 
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
 
Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?
 
Porting Android
Porting AndroidPorting Android
Porting Android
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slides
 
[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical
 
[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection[Defcon24] Introduction to the Witchcraft Compiler Collection
[Defcon24] Introduction to the Witchcraft Compiler Collection
 
ADB(Android Debug Bridge): How it works?
ADB(Android Debug Bridge): How it works?ADB(Android Debug Bridge): How it works?
ADB(Android Debug Bridge): How it works?
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
 
Mac Memory Analysis with Volatility
Mac Memory Analysis with VolatilityMac Memory Analysis with Volatility
Mac Memory Analysis with Volatility
 
DeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows KernelDeathNote of Microsoft Windows Kernel
DeathNote of Microsoft Windows Kernel
 
Davide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruptionDavide Berardi - Linux hardening and security measures against Memory corruption
Davide Berardi - Linux hardening and security measures against Memory corruption
 
Linux: the first second
Linux: the first secondLinux: the first second
Linux: the first second
 

Destaque

Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitAlex Matrosov
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigationAlex Matrosov
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaAlex Matrosov
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierAlex Matrosov
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetAlex Matrosov
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyAlex Matrosov
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonAlex Matrosov
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackAlex Matrosov
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyCODE BLUE
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareAlex Matrosov
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsAlex Matrosov
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionAlex Matrosov
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitAlex Matrosov
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredAlex Matrosov
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIAleksey Lukatskiy
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
 

Destaque (18)

Defeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL RootkitDefeating x64: The Evolution of the TDL Rootkit
Defeating x64: The Evolution of the TDL Rootkit
 
Festi botnet analysis and investigation
Festi botnet analysis and investigationFesti botnet analysis and investigation
Festi botnet analysis and investigation
 
Modern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in RussiaModern malware techniques for attacking RBS systems in Russia
Modern malware techniques for attacking RBS systems in Russia
 
HexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easierHexRaysCodeXplorer: make object-oriented RE easier
HexRaysCodeXplorer: make object-oriented RE easier
 
Win32/Duqu: involution of Stuxnet
Win32/Duqu: involution of StuxnetWin32/Duqu: involution of Stuxnet
Win32/Duqu: involution of Stuxnet
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing PolicyModern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy
 
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event HorizonCarberp Evolution and BlackHole: Investigation Beyond the Event Horizon
Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon
 
BERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery AttackBERserk: New RSA Signature Forgery Attack
BERserk: New RSA Signature Forgery Attack
 
42054960
4205496042054960
42054960
 
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor SkochinskyインテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
インテルMEの秘密 - チップセットに隠されたコードと、それが一体何をするかを見出す方法 - by イゴール・スコチンスキー - Igor Skochinsky
 
Smartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malwareSmartcard vulnerabilities in modern banking malware
Smartcard vulnerabilities in modern banking malware
 
Defeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode RootkitsDefeating x64: Modern Trends of Kernel-Mode Rootkits
Defeating x64: Modern Trends of Kernel-Mode Rootkits
 
Win32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework ReconstructionWin32/Flamer: Reverse Engineering and Framework Reconstruction
Win32/Flamer: Reverse Engineering and Framework Reconstruction
 
HexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profitHexRaysCodeXplorer: object oriented RE for fun and profit
HexRaysCodeXplorer: object oriented RE for fun and profit
 
BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks Uncovered
 
Моделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFIМоделирование угроз для BIOS и UEFI
Моделирование угроз для BIOS и UEFI
 
Secret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor SkochinskySecret of Intel Management Engine by Igor Skochinsky
Secret of Intel Management Engine by Igor Skochinsky
 

Semelhante a Advanced Evasion Techniques by Win32/Gapz

Easily emulating full systems on amazon fpg as
Easily emulating full systems on amazon fpg asEasily emulating full systems on amazon fpg as
Easily emulating full systems on amazon fpg asRISC-V International
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)RuggedBoardGroup
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLinaro
 
LAS16-403 - GDB Linux Kernel Awareness
LAS16-403 - GDB Linux Kernel Awareness LAS16-403 - GDB Linux Kernel Awareness
LAS16-403 - GDB Linux Kernel Awareness Peter Griffin
 
ELC-E Linux Awareness
ELC-E Linux AwarenessELC-E Linux Awareness
ELC-E Linux AwarenessPeter Griffin
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitExploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitCarlos Eduardo
 
Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinESET
 
Roll your own toy unix clone os
Roll your own toy unix clone osRoll your own toy unix clone os
Roll your own toy unix clone oseramax
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container PlatformAll Things Open
 
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwarePositive Hack Days
 
ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!Affan Syed
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and TechniquesBala Subra
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging TechniquesBala Subra
 
DPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith WilesDPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith WilesJim St. Leger
 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on LabMichelle Holley
 
Kernel development
Kernel developmentKernel development
Kernel developmentNuno Martins
 

Semelhante a Advanced Evasion Techniques by Win32/Gapz (20)

Easily emulating full systems on amazon fpg as
Easily emulating full systems on amazon fpg asEasily emulating full systems on amazon fpg as
Easily emulating full systems on amazon fpg as
 
Building
BuildingBuilding
Building
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)Embedded Linux BSP Training (Intro)
Embedded Linux BSP Training (Intro)
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
LAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel AwarenessLAS16-403: GDB Linux Kernel Awareness
LAS16-403: GDB Linux Kernel Awareness
 
LAS16-403 - GDB Linux Kernel Awareness
LAS16-403 - GDB Linux Kernel Awareness LAS16-403 - GDB Linux Kernel Awareness
LAS16-403 - GDB Linux Kernel Awareness
 
ELC-E Linux Awareness
ELC-E Linux AwarenessELC-E Linux Awareness
ELC-E Linux Awareness
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
 
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploitExploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
Exploit access root to kernel 2.6.32 2.6.36 privilege escalation exploit
 
Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus Bulletin
 
Roll your own toy unix clone os
Roll your own toy unix clone osRoll your own toy unix clone os
Roll your own toy unix clone os
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container Platform
 
Smartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking MalwaremalwareSmartcard Vulnerabilities In Modern Banking Malwaremalware
Smartcard Vulnerabilities In Modern Banking Malwaremalware
 
ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!ebpf and IO Visor: The What, how, and what next!
ebpf and IO Visor: The What, how, and what next!
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 
DPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith WilesDPDK Summit 2015 - Intel - Keith Wiles
DPDK Summit 2015 - Intel - Keith Wiles
 
Intel® RDT Hands-on Lab
Intel® RDT Hands-on LabIntel® RDT Hands-on Lab
Intel® RDT Hands-on Lab
 
Kernel development
Kernel developmentKernel development
Kernel development
 

Último

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Último (20)

Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Advanced Evasion Techniques by Win32/Gapz

  • 1. Advanced Evasion Techniques by Win32/Gapz Aleksandr Matrosov Eugene Rodionov
  • 2. Outline of The Presentation  Targeted Attacks with complex threats (rootkits/bootkits)  Is reasonable?  Gapz: dropper  PowerLoader builder  explorer.exe code injection trick  Gapz: bootkit  Classification of modern bootkits  New VBR bootkit technique  Gapz: payload  Hidden file system implementation  Disk hooks and Hooking engine  NDIS, TCP/IP stack implementation, HTTP protocol  C&C communications  Gapz: forensic approaches
  • 3. Targeted Attacks with Complex Threats (rootkits/bootkits)
  • 4. Targeted Attacks with Complex Threats (rootkits/bootkits) Is reasonable for attackers?  Long-lasting stealth infection  Difficult to investigate by typical forensic tools  Difficult to extract bot configuration information  Stealth duration for one target: months  Price in cybercrime market:  Bootkit builder without sources: ~ 10.000$  Stealth bootkit with sources: ~ 50.000$  Custom develop with sources: ~ 100.000$
  • 6. Gapz Known Droppers Detection Name Compilation Date LPE Exploits Bootkit Technique Win32/Gapz.A 11/09/2012 30/10/2012 CVE-2011-3402 CVE-2010-4398 COM Elevation VBR Win32/Gapz.B 06/11/2012 CVE-2011-3402 COM Elevation no bootkit Win32/Gapz.C 19/04/2012 CVE-2010-4398 CVE-2011-2005 COM Elevation MBR
  • 7. PowerLoader Builder (since September 2012)
  • 8. PowerLoader Builder (since September 2012)
  • 9. PowerLoader Based Droppers Price for Power Loader is about $500 for one builder kit with C&C panel PowerLoader (Agent.UAW) Gapz Redyms Agent.UMT PowerLoader code inject Carberp
  • 10. Gapz Dropper Execution Stages Injecting into explorer.exe (entry point) Local Privilege Escalation (icmnf) Infecting the system (isyspf) stage 1 stage 2
  • 11. Bypassing HIPS with explorer.exe Code Injection opens shared sections from BaseNamedObjects mapped into explorer.exe and writes shellcode
  • 12. Bypassing HIPS with explorer.exe Code Injection The dropper searches for the window “Shell_TrayWnd”
  • 13. Bypassing HIPS with explorer.exe Code Injection The dropper calls GetWindowLong() so as to get the address of the routine related to the “Shell_TrayWnd” window handler The dropper calls SetWindowLong() to modify “Shell_TrayWnd” window-related data
  • 14. Bypass HIPS with explorer.exe Code Injection calls SendNotifyMessage() to trigger shellcode execution in explorer.exe address space arbitrary code execution in WndProc() of “Shell_TrayWnd”:
  • 15. Triggering Shellcode Execution SendNotifyMessage() transfers control to the address pointed to address points to the KiUserApcDispatcher() routine
  • 16. Triggering Shellcode Execution uses ROP-gadgets to jump into shellcode memory region and execute shellcode
  • 17. Triggering Shellcode Execution uses ROP-gadgets to jump into shellcode memory region and execute shellcode
  • 20. Modern Bootkits Classification Bootkits MBR VBR/IPL MBR Code modification Partition Table modification IPL Code modification BIOS Parameter Block modification TDL4 Olmasco Rovnix Gapz
  • 21. Gapz Bootkit Modifications Detection Name Compilation Date Bootkit Technique Win32/Gapz.A 11/09/2012 30/10/2012 VBR Win32/Gapz.C 19/04/2012 MBR Gapz Bootkit MBR Modification VBR Modification
  • 22. Gapz Bootkit Overview Module Name Hooked Routine ntldr BlLoadBootDrivers bootmgr Archx86TransferTo32BitApplicationAsm winload.exe OslArchtransferToKernel ntoskrnl.exe IoInitSystem Gapz bootkit features:  hooks int 13h handler  patches modules: ntldr, bootmgr, winload.exe, kernel image to survive processor execution mode switching and kernel-mode code integrity checks
  • 23. Gapz Bootkit Workflow Hook Archx86TransferTo32BitApplicationAsm in bootmgr Hook OslArchTransferToKernel in winload.exe Hook IoInitSystem in kernel image Int 13h handler is hooked Bootmgr loads winload.exe Winload.exe loads kernel image Bootkit loads malicious kernel-mode code and runs it in a new system thread
  • 24. Gapz VBR Bootkit Gapz VBR bootkit features:  Relies on Microsoft Windows VBR layout  The infections results in modifying only 4 bytes of VBR  The patched bytes might differ on various installations jmp BIOS Parameter Block (BPB) VBR code Text Strings 0x55 0xAA 0x000 0x003 0x054 0x19C 0x1FE 0x200 transfer control
  • 25. Gapz BPB Layout struct BIOS_PARAMETER_BLOCK { WORD BytesPerSector; BYTE SecPerCluster; WORD ReservedSectors; BYTE Reserved[5]; BYTE MediaDescriptorID; WORD Reserved2; WORD SectorsPerTrack; WORD NumberOfHeads; DWORD HiddenSectors; DWORD Reserved3[2]; LONGLONG TotalSectors; LONGLONG StartingCluster; LONGLONG MFTMirrStartingCluster; DWORD ClustersPerMFTRecord; DWORD ClustersPerIndexBuffer; LONGLONG VolumeSerialNumber; DWORD Reserved4; };
  • 26. Gapz BPB Layout struct BIOS_PARAMETER_BLOCK { WORD BytesPerSector; BYTE SecPerCluster; WORD ReservedSectors; BYTE Reserved[5]; BYTE MediaDescriptorID; WORD Reserved2; WORD SectorsPerTrack; WORD NumberOfHeads; DWORD HiddenSectors; DWORD Reserved3[2]; LONGLONG TotalSectors; LONGLONG StartingCluster; LONGLONG MFTMirrStartingCluster; DWORD ClustersPerMFTRecord; DWORD ClustersPerIndexBuffer; LONGLONG VolumeSerialNumber; DWORD Reserved4; };
  • 27. Gapz BPB Modification MBR NTFS File SystemIPLVBR NTFS Volume 0x200 0x1E00 Number of “Hidden Sectors” MBR NTFS File SystemIPL Infected VBR NTFS Volume 0x200 0x1E00 Hard Drive Modified value of number of “Hidden Sectors” Bootkit before infection after infection
  • 29. Gapz Rootkit Overview Gapz rootkit functionality is implemented as position independent kernel-mode code for both x86 and x64 platforms Gapz rootkit capabilities:  Hidden storage implementation  User-mode payload injection  Covert network communication channel  C&C server authentication mechanism
  • 30. Gapz Rootkit Overview Gapz rootkit functionality is implemented as position independent kernel-mode code for both x86 and x64 platforms Gapz rootkit capabilities:  Hidden storage implementation  User-mode payload injection  Covert network communication channel  C&C server authentication mechanism
  • 31. Gapz Kernel-mode Code Organization struct GAPZ_BASIC_BLOCK_HEADER { // A constant which is used to obtain addresses // of the routines implemented in the block unsigned int ProcBase; unsigned int Reserved[2]; // Offset to the next block unsigned int NextBlockOffset; // Offset of the routine performing block initialization unsigned int BlockInitialization; // Offset to configuration information // from the end of the kernel-mode module // valid only for the first block unsigned int CfgOffset; // Set to zeroes unsigned int Reserved1[2]; };
  • 32. Gapz Kernel-mode Code Blocks Block # Implemented Functionality 1 General API, gathering information on the hard drives, CRT string routines and etc. 2 Cryptographic library: RC4, MD5, SHA1, AES, BASE64 and etc. 3 Hooking engine, disassembler engine. 4 Hidden Storage implementation. 5 Hard disk driver hooks, self-defense. 6 Payload manager. 7 Payload injector into processes’ user-mode address space. 8 Network communication: Data link layer. 9 Network communication: Transport layer. 10 Network communication: Protocol layer. 11 Payload communication interface. 12 Main routine.
  • 33. Gapz Hidden Storage Implementation  Gapz implements modified FAT32 hidden volume based on FullFat project  Length of file name in FAT directory entry is 32 bytes  The hidden volume is stored in the file with name: “??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”  The contents of the volume is encrypted with AES-256 in CBC mode:  The sector LBA is used as IV
  • 34. Gapz Hidden Storage Implementation  Gapz implements modified FAT32 hidden volume based on FullFat project  Length of file name in FAT directory entry is 32 bytes  The hidden volume is stored in the file with name: “??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”  The contents of the volume is encrypted with AES-256 in CBC mode:  The sector LBA is used as IV
  • 35. Gapz Hidden Storage Implementation  Gapz implements modified FAT32 hidden volume based on FullFat project  Length of file name in FAT directory entry is 32 bytes  The hidden volume is stored in the file with name: “??C:System Volume Information{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}”  The contents of the volume is encrypted with AES-256 in CBC mode:  The sector LBA is used as IV
  • 36. Gapz Crypto Library Implementation  Gapz crypto library functionality:  Hashing: MD5, SHA1  Symmetric ciphers: RC4, AES  Asymmetric cipher: ECC
  • 37. Gapz Self-Defence Mechanisms  Gapz hooks IRP_MJ_INTERNAL_DEVICE_CONTROL and IRP_MJ_DEVICE_CONTROL handlers to monitor:  IOCTL_SCSI_PASS_THROUGH  IOCTL_SCSI_PASS_THROUGH_DIRECT  IOCTL_ATA_PASS_THROUGH  IOCTL_ATA_PASS_THROUGH_DIRECT  Gapz protects:  MBR/VBR from being read/overwritten  its image on the hard drive from being overwritten
  • 38. Gapz Hooking Engine Implementation  Gapz hooking engine is based on the ”Hacker Disassembler Engine”  Tries to avoid patching the very first bytes of the routine being hooked (nop; mov edi, edi; etc.):
  • 39. Gapz Hooking Engine Implementation  Gapz hooking engine is based on the ”Hacker Disassembler Engine”  Tries to avoid patching the very first bytes of the routine being hooked (nop; mov edi, edi; etc.):
  • 40. Gapz Code Injection Functionality Allocate memory buffer in target process address space Write payload and loader code into allocated buffer Create remote thread in the target process Loader code DLL loader (load/unload DLL modules) Command executer (call specific handler in DLL payload and pass necessary parameters) EXE loader 1 (run EXE modules) EXE loader 2 (run EXE modules)
  • 41. Gapz Payload Loader Code: DLL Loader & Command Executer Map image into address space Fix relocations and initialize IAT Load or unload? Execute export #1 Execute export #2 Release image memory unload load
  • 42. Gapz Payload Loader Code: EXE Loaders Drop payload image into %TEMP% directory Execute CreateProcessW API EXE Loader 1 Create legitimate suspended process (via CreateProcessAsUser) Overwrite process image with the malicious one Set process thread context according to malicious image Resume process thread EXE Loader 2
  • 43. Gapz Network Protocol Implementation svchost.exe overlord32(64).dll Win32/Gapz kernel-mode module TCP/IP protocol stack implementation Message to be sent to C&C Server user mode kernel mode C&C Server Send using Win32 socket implementation Send directly using NDIS miniport driver
  • 44. Gapz Network Protocol Architecture Gapz implementation OSI Model HTTP protocol (block #10) TCP/IP protocol (block #9) NDIS miniport wrapper (block #8) Application/Presentation Layer Network/Transport Layer Data Link Layer
  • 45. Gapz Network Protocol Implementation: NDIS Gapz network protocol stack relies on miniport adapter driver: Miniport adapter driver Intermediate driver Protocol driver (tcpip.sys) Filter driver ......... At the level of protocol or intermediate drivers Win32/Gapz’s network packet is “invisible” Win32/Gapz communicates directly to miniport adapter Win32/Gapz Network packet
  • 46. Gapz C&C Communication Protocol  Gapz communicates to C&C servers over HTTP protocol  Capabilities of the protocol:  00 - download payload  01 - send bot information to C&C  02 - request payload download information  03 - report on running payload  04 - update payload download URL  The requests corresponding to commands 0x01, 0x02 and 0x03 are performed by the POST method of the HTTP protocol.
  • 47. Gapz C&C Communication Protocol: HTTP Request Message HeaderHTTP Header Request specific data HTTP header HTTP body struct MESSAGE_HEADER { // Output of PRNG unsigned char random[128]; // a DWORD from configuration file unsigned int reserved; // A binary string which is used to authenticate C&C servers unsigned char auth_str[64]; };
  • 48. Gapz C&C Communication Protocol: HTTP Request Message HeaderHTTP Header Request specific data HTTP header HTTP body struct MESSAGE_HEADER { // Output of PRNG unsigned char random[128]; // a DWORD from configuration file unsigned int reserved; // A binary string which is used to authenticate C&C servers unsigned char auth_str[64]; };
  • 49. Gapz C&C Communication Protocol: C&C Reply Encrypted rc4 key K1 HTTP Header Reply specific data HTTP message header HTTP message body Authentication string rc4 encrypted data with key k1 Decrypt key K1 Decrypt authentication string and reply-specific data using key K1 Check authentication string Process reply-specific data Reject reply-specific data matchdoesn’t match
  • 50. Gapz C&C Communication Protocol: URLs
  • 51. Gapz C&C Communication Protocol: URLs
  • 52. Gapz User-mode Payload Functionality The module overlord32(64).dll is essential part of the Gapz bootkit Overlord32(64).dll is injected into svchost.exe process Overlord32(64).dll dispatches the requests from kernel-mode Cmd # Command Description 0 gather information about all the network adapters installed in the system and their properties and send it to kernel-mode module 1 gather information on the presence of particular software in the system 2 check internet connection by trying to reach update.microsoft.com 3 send & receive data from a remote host using Windows sockets 4 get the system time from time.windows.com 5 get the host IP address given its domain name (via Win32 API gethostbyname) 6 get Windows shell (by means of querying “Shell” value of “SoftwareMicrosoftWindows NTCurrentVersionWinlogon” registry key)
  • 53. Gapz User-mode Payload Interface Gapz impersonates the handler of the payload requests in the null.sys driver to communicate with the injected payload: Win32/Gapz module DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload = NULL DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler Gapz’s hook jmp gapz_hook Payload interface before patching after patching
  • 54. Gapz User-mode Payload Interface Gapz impersonates the handler of the payload requests in the null.sys driver to communicate with the injected payload: Win32/Gapz module DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload = NULL DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler DriverNull DRIVER_OBJECT DriverNull Driver Image IRP_MJ_DEVICE_CONTROL DriverUnload DriverUnload rotuine IRP_MJ_DEVICE_CONTROL handler Gapz’s hook jmp gapz_hook Payload interface before patching after patching
  • 55. Modern bootkits comparison Functionality Gapz Olmarik (TDL4) Rovnix (Cidox) Goblin (XPAJ) Olmasco (MaxSS) MBR modification      VBR modification      Hidden file system type FAT32 custom FAT16 modification custom (TDL4 based) custom Crypto implementation AES-256, RC4, MD5, SHA1, ECC XOR/RC4 Custom (XOR+ROL)  RC6 modification Compression algorithm   aPlib aPlib  Custom TCP/IP network stack     
  • 60. DEMO
  • 61. HiddenFsReader: Free public forensic tool http://download.eset.com/special/ESETHfsReader.exe
  • 62. Conclusion  The most complex != The stealthiest (detection)  Gapz employs a new VBR-based bootkit technique  Gapz implements:  network communication protocol stack  crypto library  hidden FAT volume  HiddenFsReader is capable of dumping contents of the hidden volume
  • 63. References  Gapz and Redyms droppers based on Power Loader code http://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/  Mind the Gapz: The most complex bootkit ever analyzed? http://www.welivesecurity.com/wp-content/uploads/2013/04/gapz-bootkit-whitepaper.pdf  Modern Bootkit Trends: Bypassing Kernel-Mode Signing Policy http://go.eset.com/us/resources/white-papers/Rodionov-Matrosov.pdf  Defeating Anti-Forensics in Contemporary Complex Threats http://go.eset.com/us/resources/white-papers/Matrosov_Rodionov_VB2012.pdf  Bootkit Threats: In-Depth Reverse Engineering & Defense http://www.welivesecurity.com/wp-content/media_files/REcon2012.pdf
  • 64.
  • 65. Thank you for your attention! Aleksandr Matrosov matrosov@eset.sk @matrosov Eugene Rodionov rodionov@eset.sk @vxradius