Reconstructing Gapz: Position-Independent Code Analysis Problem

Presented at REcon 2013, June 23, 2013, 1 p.m. (60 minutes)

This presentation is devoted to the analysis of one of the stealthiest bootkits seen in the wild, Win32/Gapz. The talk covers not only the remarkable features of the bootkit, such as its custom kernel-mode network protocol implementation, advanced bootkit technique and payload injection functionality, but also the way the authors approached the problem of analysing Win32/Gapz using the tools by Hex-Rays. The authors will demonstrate how the Hex-Rays decompiler SDK was used to build a plugin that aids reverse engineering of the position-independent code in Win32/Gapz.


Presenters:

  • Aleksandr Matrosov
    Aleksandr Matrosov has more than ten years of experience with malware analysis, reverse engineering and advanced exploitation techniques. He has worked at ESET as a Senior Malware Researcher since joining the company in October 2009 as a malware researcher, and had worked as a security researcher for major Russian companies since 2003. He is also a Lecturer at the Cryptology and Discrete Mathematics department of the National Research Nuclear University in Moscow, co-author of the research papers “Stuxnet Under the Microscope” and “The Evolution of TDL: Conquering x64”, and is frequently invited to speak at major security conferences (including Ekoparty, Recon and Virus Bulletin). He now specializes in the comprehensive analysis of complex threats, modern vectors of exploitation and research into cybercrime activity.
  • Eugene Rodionov
    Eugene Rodionov graduated with honors from the Information Security faculty of the Moscow Engineer-Physics Institute (State University) in 2009 and successfully defended his Ph.D. thesis in 2012. Over the past five years he has worked for several companies, performing software development, IT security audits and malware analysis. He currently works at ESET, one of the leading companies in the antivirus industry, where he performs in-depth analysis of complex threats. His interests include kernel-mode programming, anti-rootkit technologies, reverse engineering and cryptology. He is a co-author of the research papers “Stuxnet Under the Microscope” and “TDL3: The Rootkit of All Evil?”. Eugene Rodionov also holds the position of Lecturer at the National Nuclear Research University MEPHI in Russia.