Monday, October 13, 2025

Regin: Static Analysis of Its Lightweight VFS Abstraction Layer

Regin: Static Analysis of Its Lightweight VFS Abstraction Layer

Polymorphic Kernel Interfaces and I/O Abstraction Layer

“To understand the immeasurable, the mind must be extraordinarily quiet, still.”
— Jiddu Krishnamurti

Seeker(李标明) · @clibm079

China · Independent Malware Analyst & Researcher

From 2025.9.24 to 2025.10.14

Prologue: The Temple and the Kernel

Recently, I still climbed a mountain and visited the temple again, but only a few times; sometimes, I go hiking in the forests. Here, I keep moving on malware research. I notice that quite sophisticated malware Regin, between 2014 and 2015, Symantec and Kaspersky published their report of analysis.

According to a Symantec report, “Regin is a multi-staged, modular threat, meaning that it has a number of components, each depending on others, to perform attack operations.”

In this report, I would like to do and share limited analysis without getting all components. I was very curious and interested in the VFS design uncovered by the Symantec and Kaspersky report; it needs “stage 2” to run “stage 3,” so personally I just tended to do simple static analysis about the driver named VMEM.sys, which is on stage 3. Table 2 is shown as follows.

Figure 1: Table 2 from Symantec’s report.

The following limited analysis about “Virtual file system (VFS) access manager” was done in my own way.

Sample choice: Regin

NAME: Stage 3 is internally known as VMEM.sys

MD5: 8486ec3112e322f9f468bdea3005d7b5

Static analysis

The Concept of VFS

I think we need to know what’s VFS first before staring static analysis. When we say VFS (Virtual File System) in the context of drivers or operating systems, we’re not talking about a “virtual machine file type” like a .vmdk or .vdi.

Instead:

· VFS = Virtual File System
It’s an abstraction layer that lets software access different storage backends (real disk, network share, encrypted container, memory region, etc.) using the same file API.

Kernel Interface-Based Polymorphism Design

I did a string search and followed the value of Unit(hex), which is 006bh, and finally went to the main function sub_2E40A and then dove deep into the sub-branch sub_2F7C6 and found a series of similar calls that do:

push offset sub_2EBB4

push 0x12

push eax

call dword ptr [ecx+24h]

Dispatcher pattern:
• Different handlers (sub_xxx) pushed but same [ecx+24h] call → polymorphic dispatch.
• Immediate (0x12) is likely a flag controlling logic flow or acting as a mode selector.

Figure 2: Polymorphic interface dispatch design.

And from the above pattern of design, it’s very convenient to do functionality extension because of its scalability. It treats the design seriously as professional software engineering architecture thinking and practice, which is a long-term maintenance and mature mindset.

Polymorphic Dispatch Issue Direct Kernel I/O Calls

When diving deep into polymorphic dispatch, different handlers are supplied to the same dispatcher, like the pattern “push offset sub_xxx”; they issue direct kernel I/O calls under the safety kernel environment, for which they did security initialization and releasing with synchronization logic. Here are several different handlers to pick to demonstrate.

1. About “push offset sub_2EDCC”

kr_sec_init (After Function Rename):

It executes the kernel security initialization operation API (KeGetCurrentIrql, KeEnterCriticalRegion, ExAcquireFastMutexUnsafe, KfAcquireSpinLock, and ExAcquireFastMutex).

And in the middle part, the logic branch operation handles routines and issues direct kernel I/O calls (ZwQueryInformationFile, ZwWriteFile).

kr_sec_clean (After Function Rename):

And finally, it is to release them that are related to API (ExReleaseFastMutexUnsafe,

KeLeaveCriticalRegion, KfReleaseSpinLock, and ExReleaseFastMutex).

Figure 3: push offset sub_2EDCC logic issue direct kernel I/O calls.

In addition, it uses the standard software CRC32 algorithm implementation for integrity checks, a valid precomputed CRC with reversed polynomial 0xEDB88320 in the lookup table.

Figure 4: snippet for 256 precomputed uint32 values, including the polynomial 0xEDB88320.

2. About “push offset sub_2EBB4”

The structure design is very similar to “push offset sub_2EDCC,” which includes a wrapper for “ZwWriteFile” and the part of function sub_2FD2C.

3. About “push offset sub_2F32A”:

The structure has more sub-branches in the logic design. When diving deep into the function sub_30386, the logic branch operation handles routines that issue direct kernel I/O calls (ZwQueryInformationFile, ZwWriteFile, ZwReadFile, ZwClose). Wait on an event or op completion (ZwWaitForSingleObject) before proceeding.

Yes, in the function sub_2F7C6, most of the functionality is designed around I/O calls to bridge virtual objects to real files or queries or operate on real file objects, which is polymorphism design with the same interface and different implementations.

well-designed Kernel Synchronization Wrapper

In the function sub_2EDCC, kr_acquire_lock and kr_release_unlock perform IRQL-aware lock/unlock routines, including the different lock types: FastMutex Unsafe, SpinLock, and FastMutex. The design is a kernel synchronization security layer, which, combined with file operation, the concurrency control indicates the feature about typical VFS-layer or filesystem object access.

Figure 5：kernel synchronization wrapper with IRQL checks.

Figure 6：perform IRQL lock/unlock routines.

The implementation's use of IRQL-aware wrappers for local resource protection, in contrast to the complex multi-layer locking architecture required for managing global Index Node, Directory Entry, and superblock caches in a standard VFS, definitively characterizes it as a Light VFS-layer implementation.

According to Kernel Theory Knowledge, Synchronization Expertise, and Security Awareness, this synchronization wrapper indicates a highly sophisticated threat actor with professional kernel development experience.

Conclusion

Together, these behaviors indicate that the function sub_2F7C6 implements a custom VFS (virtual filesystem) structure, using polymorphic method tables to abstract file access. an abstraction layer that routes all file-like operations (read, write, query, close) through a consistent interface, guarded by a well-designed synchronization security layer, and the code uses IRQL-aware wrappers for local protection. The evidence indicates that it is a Lightweight VFS layer or VFS access manager.

Epilogue: What the Regin Taught Me

1. If you want to analyze Regin-class implants, you must reach a high level of Windows kernel competence. its authors deliberately used advanced kernel primitives (VFS-like storage, IRQL-aware locking, Zw* bridging, stealthy persistence).

2. Malware that is designed with multiple stages and interdependent components makes analysis more challenging and is very difficult to understand completely without all related samples.

3. Simply being curious and exploring gives people positive abilities to expand on malware research or other fields.

4. Being humble is not just about recognizing how little you know but also about facing complexity and understanding it takes time and patience.

Annotation: In all the sentences I wrote and used the word “you or your or yourself” in, it talked to me or “the malware sample itself, especially in my poem I did”, not the reader. I must clarify my motivation.

References

[1]. https[:]//docs.broadcom.com/doc/regin-top-tier-espionage-tool-15-en

[2]. https[:]//media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/
Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf

“Do or do not, there is no try.”
— Master Yoda

End of Report

──────────────────────

Seeker(李标明) · @clibm079

China · Independent Malware Analyst & Researcher

Labels: #KernelMode, #Regin, #ReverseEngineering, #rootkit, #TopTierAPT, #VFS

Tuesday, September 16, 2025

Design Intent Exposed: Path Deception in nls_933w.dll

Design Intent Exposed: Path Deception in nls_933w.dll
How Equation Group Protects the Embedded Driver Resource from Being Released to Physical Disk Automatically—A Stealth Loading Tactic

“To understand the immeasurable, the mind must be extraordinarily quiet, still.”
— Jiddu Krishnamurti

Seeker(李标明) ·@clibm079

China · Independent Malware Analyst & Researcher

From 2025.9.7 to 2025.9.16

Prologue

Recently, I didn’t go to the temple frequently but sometimes walked in the park and watched the trees and flowers and felt the air flowing, which, by the way, let me get close to nature to clear my mind.

Figure 1: One day in the mountains.

The last report, “Analysis of Equation Group’s nls_933w.dll Revealing Core Tactics and Technical Mindset,” took me more than 60 days—too much time and energy, so I had to stop and have a rest and make a balance between life and research work, and then I wrote an article called “Safeguarding the Self” and shared real feelings on the “Poems of Malware Analysis,” and the other thing was to improve my homepage and the repository of GitHub, something like that to release the pressure of research.

In this report, I will narrow the scope of my research and focus on one strategic point. I would like to dive deep into the invalid path tactic, guess and verify, and how the equation group did it like that. I will try to change the invalid path to the valid path for the experiment and check the logic and confirm my personal guess. Here we go.

Sample choice: nsl_933w.dll

Yeah, it’s still the nation-state group APT called Equation group.

nls_933w.dll 

md5: 11fb08b9126cdb4668b3f5135cf7a6c5

WIN32M.sys

md5: 2b444ac5209a8b4140dd6b747a996653

Technical analysis

The invalid path deception tactic

Here, let’s jump to the core title “the invalid path,” directly related to the last report. It uses GetSystemDirectoryA to locate the correct directory “c:\windows\system32” but concatenates the invalid strings. Both the constant “Source” and the “Str” design from the .data segment don’t even plan to decode.

Figure 2: invalid path from concatenating the constant “Source” and the “Str”.

In fact, it was the first time that I had generated an idea of what would happen if they were valid paths, but I just paused not to make them more complex. And weeks passed and the heavy pressure was released, so I think it’s time to verify the guess.

Guess and experimental testing

The first thing to do is change the value of memory directly and then debug with a single step forward.

Figure 3: Change the value of memory to a valid path.

I debugged step by step, and it returned the value of EAX as 1.

Figure 4: the process of debugging.

The driver WIN32M.sys was successfully released to disk

And then the embedded driver WIN32M.sys in nls_933w.dll was released to the physical disk. The size of the file and the hash of the file are right.

Figure 5: the embedded driver WIN32M.sys in nsl_933w.dll released to the physical disk.

Manually modify the nls_933w.dll file, check the logic, and confirm

So from there I thought I should change both constant values in nsl_933w.dll. Yeah, as mentioned above, as follows.

Figure 6: the constant about Source and Str.

I tried several times to make it work well, an example as follows.

Figure 7: edited the hex value with HxD Hex Editor and saved it.

And the condition of memory was as follows: finally, it successfully released the embedded driver WIN32.sys in nls_933w.dll to physical disk again, like the above Figure-4 shown.

Figure 8: the condition of memory after changing both constants.

The path constants changed ≠ driver released

Does it work well after changing path constants and releasing the embedded driver WIN32M.sys in nls_933w.dll to the physical disk automatically?

To be honest, “no!” I had to change the logic of the control flow to debug. It should be loaded manually the right way, which is key, but until now I haven’t understood it completely. It is the deception path; it is a smart policy to evade automatic driver file release to disk. In order to implant the malware and run correctly, it needs to know how to load, which is the real intent of the designer. Here there are two things we need to know.

1. Change the path constant value.

2. Loading it the right way manually.

So from the above analysis and observation, we know equation group design with two layers or multiple layers protects their critical weapon from being loaded.

Conclusion

In my opinion, the invalid path design is a deception and protection policy to avoid loading automatically to a physical disk; it is a smart and ingenious way to evade anti-analysis and anti-virus. They protect their critical weapon for both sides; one side is anti-analyst, and the other side is anti-machine. The intent implies that the equation group design is very strict and requires a mature mindset and practice. It’s also a serious systematic engineering design.

Honestly, I’m documenting what I see—knowing the unseen is vast.
Analysis WIP: still piecing together the full picture.

Epilogue: What the Firmware Research Taught Me

1. The background of the elite state-level APT implies they have the best resources, like the top software designer, the best developer, and the elite reverse expert, and so on, to face an adversary like that; too much challenge happens naturally in front of us as analysts or researchers.

2. In fact, in my opinion, they are not fighting against commercial products but rather taking paths beyond the market's imagination, thereby delaying the possibility of being discovered. In a word, far ahead.

3. Respect your opponents, maintain curiosity, and continue to explore and practice. In my opinion, profound and systematic theories are equally important, not just emphasizing practical capabilities, especially in the face of the top elite state-level APT, "Only depth reveals intent."

Annotation: In all the sentences I wrote and used the word “you or your or yourself” in, it talked to me or “the malware sample itself, especially in my poem I did”, not the reader. I must clarify my motivation.

“Do or do not, there is no try.”
— Master Yoda

End of Report

──────────────────────

Seeker(李标明) ·@clibm079

China · Independent Malware Analyst & Researcher

Labels: #DesignIntentExposed, #EquationGroup, #Firmware, #kernel #rootkit, #nls_933w, #PathDeception

Saturday, August 30, 2025

Poems of Malware Analysis: Shadows in the Stack Notes from the Binary Jungle

Poems of Malware Analysis

Shadows in the Stack: Notes from the Binary Jungle

“To understand the immeasurable, the mind must be extraordinarily quiet, still.”
— Jiddu Krishnamurti

Seeker(李标明) @clibm079

China (中国)

Independent Malware Analyst & Researcher | Author of The Path of Clarity

From 2025.6 to 2025.8

Download the Full PDF

Prologue

For me, poetry is a quiet dialogue with myself, a way to give voice to emotions I cannot say aloud.

Over a decade ago, I immersed myself in literature and began learning to write poetry. During journeys to serve customers, I found myself capturing what I saw and felt in verse. Those experiences became some of the most vivid memories of my early life as a programmer.

Years later, I entered a new chapter of my life as a cybersecurity researcher in a lab, where I chose the path of malware analysis. A year and a half later, I left the lab, but still on the path. I carried on as an independent malware analyst and researcher, and during those days at home I wrote many poems in Chinese, reflecting on the strange beauty and struggles of malware analysis.

In this collection, I just share a few of my old poems, written in the quiet of night or in the morning while I worked on malware reverse analysis in user mode in 2023, and these poems were written not long after each other. Those were memories stored in the brain, but they have now been translated into English and modified several times since 2025, which may have altered both the memory and the associated feelings slightly. They are traces of real experiences, preserved in verse. Poetry was once one of my deepest joys, and through these lines, I return to that part of myself.

I believe poetry offers another interesting and meaningful way to express and share the feelings and experiences that come with studying and analyzing malware. While poems may not be technical reports, something inside me drives me to write them—and I see this as an important part of my work as well, and it’s another path expanding the research of malware analysis in the cybersecurity field.

Paths and Leaves

Press F7 to step in—then step again.

Deeper and deeper into the code’s hidden logic,

I descended into darkness, lost among shifting shadows.

Again and again I stepped out, restarted—

breakpoints multiplying, yet revealing nothing.

But I did not give up.

At last, I reached nameless subroutines,

where each branching path unlocked ever more doors.

This morning, outside my kitchen window, the earth lay fresh with rain.

Large, mottled yellow leaves were scattered beneath the trees, across the road.

I wish every morning might hold such quiet beauty.

2023.02.09 Chinese draft version,

2025.8.18, 2025.8.25, and 2025.8.28 English version improvements.

Exploring a Complex Ransomware Core

To break through its anti-debugging walls,

I lost count of how many times I failed.

The real entry point remained out of reach.

Again, I advanced one step at a time with F7 in x64dbg,

Moving forward as if on a roundabout path.

To learn the history, the background of the malware:

Gathering samples, running, observing, comparing.

To explore its complex encryption maze.

To guess, to read pseudocode, to statically analyze, to set flags, to debug.

All the while, pieces of A4 paper covered my desk,

Filled with diagrams of different algorithms:

ECC, Salsa20, AES, RC4, CRC32, SHA-256, and Base64.

Time after time, I checked and confirmed them,

Grasping the hidden mathematics of these emotions.

I continued to explore, challenging my own limits with each step.

Until clarity was achieved.

From morning to night, from night to morning,

The logic of algorithms filled my dreams.

The behavior of keys and the dance of data

Until I mastered them, and began again.

Another day arrived. I sat before the computer,

Restarted, set some API breakpoints, and stepped through once more.

Observing the whispers of registers and memory.

Yes, I was lucky—I unpacked the first layer.

But the obfuscation techniques? I didn't understand them.

Calm down. Breathe. Keep moving forward.

Navigating the stack, moving in and out.

Doing this countless times, I reached the critical part.

And then—lucky again—a massive block of data in memory.

Everything revealed. I was shocked and excited.

I don't remember how many weeks passed,

Nights under a starless sky.

The echo of keystrokes was clearer in the small and silence room.

The music that kept me company through the night.

Some black and white hairs whispered their farewell.

They startled me when I swept the floor.

2023.04.13 Chinese draft version,

2025.8.14 and 2025.8.27 English version improvements.

Tracing the Phantom String

From morning to night, the day slipped away.

Another cycle ended — too fast, with no breakthrough.

In the binary jungle,

All paths fail, leading nowhere.

I struggle to decide which logic branch to take next.

I marked a loop — one detail stood out:

a 48-byte random string, quietly wiped from memory.

Fleeting. Gone.

Back then, I would restore the virtual machine snapshots.

Set a fresh breakpoint.

Step by step, I descended into the stack once more.

Suddenly A hidden DLL surfaced —silent.

But the origin of those 48 bytes?

Still unknown.

I wanted to move fast and inspect them —

so I rushed.

Oh God—an exception triggered, and it exited again.

Now I faced it once more:

a long road stretching ahead.

The breakpoint was more than mere control—

it had turned into a flag of inquiry,

planted in shadowed depths.

2023.02.13 Chinese draft version,

2025.8.24, 2025.8.26, and 2025.8.28 English version improvements.

Left Click, Right Click, Breathe

I’ve learned to “stop” as time moves on.
Now, I pay closer attention—to details,
especially to what I don’t yet know.

I pause. I look up. I learn.

The unknown becomes known,

and the known returns to the unknown.

Between them, life shifts and flows.

To study functionality.
To examine each parameter.
These are the basic kung fu of a programmer—
the quiet discipline behind the code.

Silence surrounds me,
from morning to night.
I try. I seek. I make mistakes. I change.

And beneath it all, the same patterns repeat—
different names, same essence,
like a person wearing many masks.

Step by step,

when understanding runs deep,

I press on.

Yet sometimes, I must retreat.

Forward. Retreat. Repetition is key.

In this rhythm, time becomes meaningful.

I’ve come to see that stopping is not idle.—

It is silence.

it is thinking,

It is preparation.

I move forward, as time passes,

driven by the constant click—

left, right, left, right—

endless clicks,

endless attempts,

each one marking a step along the path to knowing.

2023.02.14 Chinese draft version,

2025.8.20 and 2025.8.29 English version improvements.

One Flag, One Light

Yesterday, the heavy clouds leaned close to the earth.
Today, I restart — not just the machine, but myself —
to be free.

Far beyond, the remote solar system,
tireless photons race across the void.
Falling, like seeds to the soil.
silent, countless, full of promise.

And Earth — generous, patient Earth —
receives them all.
Life stirs. again.

After a long and difficult time —
Face to face with malware, with darkness, with unclear intent.
And in that confrontation,
Finally, I emerged from the lost binary jungle —
from confusion, from obfuscation, from silence.

I try to move forward —
not in a straight line, but in circles,
through repetition, through patience, through return.

I began to set flags on the stack —
They are like candles,
lit one by one,
glowing with a quiet, steady light —

And from my heart,
That light now shines outward.

2023.02.15 Chinese draft version,

2025.8.20, 2025.8.26 and 2025.8.30 English version improvements.

The 24-Byte Trace

Continue the Journey Through the Load

One step at a time,

navigating the depths of the stack—moving in, moving out

A 24-byte unknown string lies hidden in memory.

In the stillness of night,

the echo of keystrokes is my only companion.

I pace the room, back and forth.

Outside the window, the sky is empty.

I restore the virtual machine snapshots and

Now, I attempt to seek a new path.

Repetition is the true adversary.

Keep moving forward and branching into a new, uncharted sub-function.

I press forward, stepping deeper into the unknown stack.

Calm and peace, carefully avoiding exceptions.

I set to hide the PEB.

Yes, I’ve found it—the value I first glimpsed days ago.

Damn it. What a cunning design.

2023.02.19 Chinese draft version,

2025.8.13 and 2025.8.27 English version improvements.

Boil Water, Then Begin

I woke earlier today.

Stepped out as usual for bread,

Back to the silent house.

My room remains untouched:

Books on literature, philosophy, and technology are scattered across the sofa.

electronic devices huddled in the corner,

Only the hum of machines —

And now—I must boil water.

Prepare cereal in a cup.

Back again to the same game—

the cat chasing the mouse.

I’m not sure that

when the changing moment will come.

There is no other Buddha.

only the quiet within,

only the stillness of the mind.

So I return:

to observe, to pause, to go deeper.

One step at a time.

Jump. Observe. Step into the loop.

The same commands repeat:

XOR, Add, Shift Left.

The pattern and characteristics are very obvious.

Time does not pass in hours.

but in clicks of the mouse—

each one a breath,

each one a step forward.

2023.02.26 Chinese draft version,

2025.8.23, 2025.8.26 and 2025.8.30 English version improvements.

The Silent Hunt

To analyze you,
I must become an explorer.

Each quiet night,
A special focus.
Logic shifts —
A jump to another branch.
In and out of the stack,
Exiting the loop,
I observe your reactions,
and the memory's whispered output.

Sometimes: frustration.
Sometimes: excitement.
Sometimes: peace.

This is another slow, tough night.
A moment in a small space:
Probing where you came from,
And where you're going.

Step in, or step over.
Mostly: step by step.
All around, silence.

I move the mouse.
Click.
Click again.

An hour passes —
still no hit.

The only certainty:
Endless exploration.

You move, I move.
You stay still, I stay still.
You hide,
but I must discover you.

You're cunning.
But I must expose you.

2023.04.02 Chinese draft version and English version improvements, But I changed the title from “malware analysis” to “the silence hunt” on 2025.8.20.

Epilogue

In the process of writing and revising poems in English, I’ve discovered that using a foreign language can, in turn, deepen my understanding of my native tongue. I’ve found that it allows me to revisit my own language from a fresh perspective. My foundation in my native language is still relatively weak, and naturally, English itself also requires continual refinement, especially when approaching ideas from different angles.

Appreciation of Chinese Classical Poetry

I once asked myself: Is there an ancient Chinese poem that can describe the process of malware analysis? Later, I realized that it perfectly captures the subtle feelings of my work as home in 2023, so I decided to share it with everyone.

寻隐者不遇

贾岛

松下问童子，言师采药去。

只在此山中，云深不知处。

For an Absent Recluse

Jia Dao

I ask your lad beneath a pine.

"My master has gone for herbs fine.

He stays deep in the mountain proud,

I know not where, veiled by the cloud."

——Tr.by 许渊冲

Xu Yuanchong (许渊冲)

Xu Yuanchong (April 18, 1921 - June 17, 2021), born in Nanchang, Jiangxi Province, was a translator and a professor at the School of Journalism and Communication of Peking University.

Jia Dao (贾岛)

Jia Dao was a renowned Chinese poet of the mid-Tang Dynasty (779–843 AD). He is best known for his meticulous and intense focus on wording, spending great effort on refining and choosing the perfect word for his lines. This earned him a reputation as a "bitter-verse poet" or "poet who labors over his lines."