Recently I installed Windows 10 RTM and while I was digging around I happened to notice some changes to the user mode portion of the system call stub: these changes appear to break the current methods of user mode system […]
Since i got into firmware hacking, I’ve been working on a little project behind the scenes: A hard disk firmware based rootkit which allows malware to survive an operating system re-install or full disk format. Unfortunately I can’t post a […]
Core 2, I choose you. Less than 5 minutes after posting the last article, i discovered the final piece of my puzzle: a second CPU core. I was looking through my OpenOCD configuration when I realized it had a single […]
“Discovery requires experimentation” This weekend I made a pretty big breakthrough which lead to me making a few smaller breakthroughs and ultimately negating most of my previous research. I’ve also learned that “not reinventing the wheel” isn’t always the best […]
It seems that the bootstrap code is just scattered around various memory addresses and there’s no simple way to dump all of it, so i decided to just dump a chunk of memory from 0x00000000 and look for any reference […]
Before we get started with part 3, I have a few updates regarding part 1 & 2. I’ve found that the reset pad on the JTAG header is not actually a system reset (SRST) but a TAP reset (TRST), which […]
I’ve not been doing much in the windows malware world for a while now, because quite frankly I’ve run out of ideas and I’m totally bored. Recently I decided to take the jump into electronics / hardware hacking and people […]
Now that everything is ready to be connected, power up the hard drive an run openocd with the following command: openocd -f interface/<your interface here>.cfg -f target/test.cfg test.cfg should be the configuration for the CPU used by your hard disk […]
Usually I don’t post things like this, but because KiFastSystemCall hooking only works on x86 systems and doesn’t work on Windows 8 or above, it no longer has much use in malware. There are also multiple public implementations for this […]
Before we start it’s probably best to explain some things: Signature – A pattern of bytes used by an antivirus to identify malicious executables, this could be a string, parts of a function, or a hash. Crypting – This is […]