Archive for August, 2010

Kernel Malware – The Attack from Within

Author : Kimmo Kasslin

Author website : kimmo.kasslin©


The Kernel is the heart of modern operating systems. Code executing in kernel mode has full access to all memory including the kernel itself, all CPU instructions, and all hardware. For this obvious reason only the most trusted software should be allowed to run in kernel mode.

Today, we are facing an emerging threat in the form of kernel-mode malware. By kernel-mode malware we mean malicious software that executes as part of the operating system having full access to the computer’s resources. To the end-user this means malware that can bypass software firewalls and can be almost impossible to detect or remove even if the best anti-virus solutions are being used.

This paper will examine the most important malware cases utilizing kernel-mode techniques over the last few years. The research will be limited to malware running on Windows NT and later operating system versions. It will look at the possible motives for the malware authors to move their creations to kernel mode. A detailed analysis of the key techniques making their existence possible will be covered.

Filesize 615.62 kB

Download : Kernel Malware – The Attack from Within


Inference and Analysis of Formal Models of Botnet

Author [ Various Authors ]

Description :

We propose a novel approach to infer complete protocol state machines in realistic high-latency network setting, and apply it to the analysis of botnet C&C protocols. Our proposed techniques enable an order of magnitude reduction in the number of queries and time needed to learn a botnet C&C protocol than classic algorithms (from days to hours for inferring MegaD C&C protocol). We also show that the computed complete protocol state machines enable powerful analysis for botnet defense, including finding weakest links in a protocol, uncovering protocol design flaws, inferring the existence of unobservable communication back-channels among botnet servers, and finding deviations of protocol implementations which can be used for fingerprinting. Our experimental results on MegaD demonstrate that our technology offers invaluable novel insights to existing problems on botnet C&C and provides a powerful weapon for botnet defense.

Download here : Inference and Analysis of Formal Models of Botnet

Theories and Methods of Code-Caves

Author: Faldo

Description Since many have read my tutorial on basic memory hacking and got stuck on the creation of code-caves, I’ve decided to make a short follow-up on some code-cave techniques where I’ll explain the WHYs and the HOWs.

Archive also contains “Theories and methods of memory hacking”.

Filesize 744.53 kB

Download here :