Mar 08

Kernel Malware: the attack from Within article review

This article was written by K. Kasslin, one of F-Secure's virus experts. It was published at AVAR 2006. The paper analyses how a virus can execute in Windows XP kernel mode. The core of the article details the key techniques for hooking a program into the kernel, namely:

  1. The use of kernel drivers
  2. The use of call gates

It also presents how a virus can use kernel-mode support routines to allocate memory, store files on the file system, and modify the registry. This presentation is illustrated by two virus case studies: HaxDoor and Costrat.

This paper is highly technical and requires a good understanding of the Windows kernel. It is well written, and the presentation of both well-known and less-known kernel hooking techniques is well done. I also liked the two case studies. They show how each virus protects itself and hides.

However, the reverse engineering of the virus in assembler is very hard to follow. In particular, figure 5 is way too small. The other regret is that this paper does not explain how a virus uses kernel routines to set up a network connection. I know that it is a hard topic, but in this form the paper is not self-contained. A long version of this work, or at least a tech report, would have been nice.

In conclusion, this paper gives an insight into what upcoming viruses will look like and helps to understand why they are so hard to detect and remove. A good paper for anyone interested in viruses.
