Posts

Showing posts from April, 2025

SSDT Hooking: A Personal Walkthrough of Kernel-Mode Intrigue (Uroboros Echoes)

“To understand the immeasurable, the mind must be extraordinarily quiet, still.” — Jiddu Krishnamurti

By Seeker (李标明), China, Independent Malware Analyst & Researcher

Download the Full Report (PDF)

Prologue: The Temple and the Kernel

Recently, I again climbed a mountain and visited the temple, as you know from my last report, the one on IDT hooking. Here I didn’t give up but kept moving on to SSDT hooking; everything is very subtle and slow.

After discovering the IDT hooking, I got a bad cold, and I moved more slowly on my own kernel research. I couldn’t even think, and I also did not buy medicine but tried to drink a lot of water. And there is some driver knowledge I also need to learn. Sometimes I remembered I strongly felt the energy conversion from one place to another in my body. I felt good when I wok...

From SSDT to IDT: A Personal Walkthrough of Kernel-Mode Intrigue (Uroboros Echoes)

“To understand the immeasurable, the mind must be extraordinarily quiet, still.” — Jiddu Krishnamurti

By Seeker (李标明), China, Independent Malware Analyst & Researcher

Download the Full Report (PDF)

Prologue: The Temple and the Kernel

Recently, I climbed a mountain and visited the temple before sitting down at my machine. I walked around the mountain and stood at a place to watch the trees and flowers and feel the air flowing, which, by the way, let me get close to nature and clear my mind. And all the things running in my brain about kernel-mode security, I absorbed them and shifted from user mode to kernel mode. What is it? How doesn’t it work? What’s the difference between user mode and kernel mode? And so on. I strongly felt that everything was moving forward slowly and subtly. It seems that something rebuilt my whole mindset, and it too...

The Evolution of APT36’s Crimson RAT: Tracking Variants and Feature Expansion Over the Years

“To understand the immeasurable, the mind must be extraordinarily quiet, still.” — Jiddu Krishnamurti

By Seeker (李标明), China, Independent Malware Analyst & Researcher

Download the Full Report (PDF)

Summary

APT36, also known as Transparent Tribe, ProjectM, Mythic Leopard, or Earth Karkaddan, is a cyber espionage threat organization associated with Pakistan. The organization has carried out cyber espionage activities against the Indian defense, government, and education sectors.

Recently I have been focused on the many years of Crimson RAT variants from APT36. It is a very intriguing thing we can observe: the evolutionary history of the Crimson RAT variants, which goes from basic functionality to a professional design, from the simple to the complicated, which I would like to share below.

Technique analysis

Crimson RAT V1.0.0.0

At version 1.0.0.0, I collected three variants; they were named rl...