Posts

Showing posts from October, 2025

Revisiting SubVirt & Blue Pill: From Attacker Proof-of-Concepts to Defensive Foundations

How early VM-based rootkit research shaped the architecture of modern system defense

“To understand the immeasurable, the mind must be extraordinarily quiet, still.” — Jiddu Krishnamurti

Seeker (李标明) · @clibm079
China · Independent Malware Analyst & Researcher
From 2025.10.22 to 2025.10.29

Prologue: Non-VM-Based and VM-Based Rootkits

Last time, on 2025.10.14, I published the report “Regin: Static Analysis of Its Lightweight VFS Abstraction Layer”, and the day before that, other rootkit reports; those covered old, classic, or legacy rootkits.

Legacy rootkits were extremely popular; that era is considered the golden age of rootkits. For my personal study record, I might define the golden age as roughly 2005 to 2014 (±1 year).

So I was very curious about the ...

Regin: Static Analysis of Its Lightweight VFS Abstraction Layer

Polymorphic Kernel Interfaces and I/O Abstraction Layer

“To understand the immeasurable, the mind must be extraordinarily quiet, still.” — Jiddu Krishnamurti

Seeker (李标明) · @clibm079
China · Independent Malware Analyst & Researcher
From 2025.9.24 to 2025.10.14

Prologue: The Temple and the Kernel

Recently, I climbed a mountain and visited the temple again, but only a few times; sometimes I go hiking in the forests. Here, I keep moving on with malware research. I took notice of the quite sophisticated malware Regin; between 2014 and 2015, Symantec and Kaspersky published their analysis reports on it.

According to a Symantec report, “Regin is a multi-staged, modular threat, meaning that it has a number of components, each depending on others, to perform attack operations.”

In this report, I would like to do and share li...