Links

Open source information inspirational to the design of Codeword

In the design and development of the Codeword tool, we leveraged a wealth of information and research already presented to the public by the security research community. Much of this information has been public since 2000 or earlier. Aside from the links below, much of the evidence-collecting capability one needs to build an effective malware/rootkit discovery tool can be found in the famous book Undocumented Windows 2000 Secrets by Sven Schreiber. Note that this book is 9 years old. Every aspect of Codeword can be tied to one or more of the links listed below. Open knowledge - power to the people!

Primary sources

Secondary Sources

  • Detour detection: link
  • Firmware rootkit detection: link
  • GDT/LDT and call gate detection: link
  • Piles of relevant source code: link
  • Cross-view detection (Rutkowska commentary): link
  • Detecting a PCI rootkit: link
  • Finding NTFS rootkits: link
  • Detecting rootkits infecting the registry: link
  • Helios Lite Rootkit detector user manual: link
  • Rutkowska's system virginity verifier: link
  • IRP hooking and device chains: link
  • Hidden process detection using PspCidTable: link
  • Defeating native API hookers: link
  • The dark side of Winsock (this inspired several of the user-mode integrity checks I do in Codeword): link
  • VAD tree walking: link
  • Memory spying: link
  • Toolhelp32: link
  • API hooking: link
  • SysInternals source code: link
  • A technical primer on rootkits from our anti-virus friends at McAfee [PDF]: link

Free tools and pieces of open source code

Memory Forensics

  • The original paper on finding encryption keys in memory, published in 1998 [PDF]: link
  • Finding RSA keys and SSL certificates in a process address space [PDF]: link
  • Another paper on Apache and keys stored in its process [PDF]: link
  • THC keyfinder source code (uses entropy techniques discussed in first paper above): link
  • Defenses against this type of attack, from the creators of the first paper listed above [PDF]: link
  • PassLoc tool, another variation on the first paper (entropy): link
  • Some source code for VAD walking: link
  • A somewhat dated (1999) but extremely detailed explanation of Windows virtual memory management, including C source code for memory manipulation operations: link
  • Exploring Windows 2000 memory by Sven Schreiber, from his book Undocumented Windows 2000 Secrets; includes source code for a memory-spying program: link
  • PyFlag is a digital investigation case management tool with network protocol parsing, log file parsing, disk and file parsing, and memory forensics capabilities: link

Kernel Driver Development

  • Microsoft's Getting Started with Kernel driver development: link
  • A basic Hello World driver: link
  • OSR Online introduction to driver development; OSR is the de facto source for any serious driver developer: link
  • How to use DDKBUILD batch script to configure VS C++/VS6.0 to compile drivers using the DDK: link
  • Physmem program that reads a registry key for physical memory: link