DriverStartIo As I explained in the previous article: DriverStartIo is used by older miniports to actually perform the disk I/O, it takes 2 parameters (a device object and an IRP), exactly the same as IoCallDriver does. The call to DriverStartIo is done with IoStartPacket; however, the device object passed is …

Recently I got the idea to play around with bypassing bootkit disk filters from an email i received, which highlighted that my MBR spoofing code was able to get underneath the driver of a popular forensics tool, preventing it from reading the real disk sectors. Although I believe disk forensics …

OphionLocker is supposedly the new ransomware on the block and is already being compared with sophisticated operations such as CryptoLocker and CryptoWall, so i decided to take a look and what I found is nothing short of hilarious. That’s right, the ransomware is actually a console application, Instead of writing …

As I said in the last part of the analysis the sample I had was just a test binary, but now I have some real ones thanks to some help from @Xylit0l. The new binaries incorporate some much more interesting features which I’ll go over in this article. Reverse Connection …

Phase Bot is a fileless rootkit that went on sale during late October, the bot is fairly cheap ($200) and boasts features such as formgrabbing, ftp stealing, and of course the ability to run without a file. The bot has both a 32-bit binary (Win32/Phase) and a 64-bit binary (Win64/Phase), …

Rovnix is an advanced VBR (Volume Boot Record) rootkit best known for being the bootkit component of Carberp. The kit operates in kernel mode, uses a custom TCP/IP stack to bypass firewalls, and stores components on a virtual filesystem outside of the partition. Yesterday Microsoft posted an update explaining a …

Since I posted the article about malware using the 0x33 segment selector to execute 64-bit code in an 32-bit (WOW64) Process, a few people have asked me how the segment selector actually works deep down (a lot of people think it’s software based). For those who haven’t read the previous …

I’m not dead It has been a while since i wrote an article (I’ve been pretty busy in real life), so I decided to get writing. This article will probably only make sense to people from a malware research / programming background, but to compensate i will be posting a …

A bit about past rootkits In the past it has been very common to see usermode rootkits that only attack one architecture, which has usually been 32-bit. A standard rootkit injects code into specific/all running processes in order to modify code inside them, this then allows it to hide itself …