
Need an account to vote? Register to attend at gsec.hitb.org/sg2017/


Contemporary Malwares: Techniques and Kernel Tricks

Alexandre Borges


Malware has been causing heavy losses to companies around the world and, unfortunately, the situation is getting worse: these new threats infect BIOS/UEFI and SMM, abuse network interfaces (using DMA to take control of the system), use SGX to stay hidden, run on the GPU, deploy packers that virtualize instructions, and so on.

Furthermore, there is also much kernel malware that controls the system by running as a kernel driver, hooking the BIOS and the boot manager, and bypassing Windows protections such as the code signing policy (Secure Boot).

It is not news that this sophisticated malware has a wide spectrum of methods for taking control, such as infecting drivers used during boot (enumerated from the KLDR_DATA_TABLE_ENTRY structure) to change the execution flow, altering the data/control flow by hooking system calls and callback tables, or even manipulating low-level drivers (those close to the kernel) and IRPs to hide entire portions of the filesystem where the malware keeps its valuable data.

This presentation aims to show and revisit a few of these known techniques, tricks, kernel structures, memory-analysis approaches and code, to encourage professionals to research these new threats, which can remain stealthy against products and even skilled professionals.

About Alexandre Borges

Consultant and speaker in malware analysis, reversing, DFIR and Windows exploit development. Referee for Digital Investigation: The International Journal of Digital Forensics & Incident Response. Reviewer for The Journal of Digital Forensics, Security and Law.