Rootkit analysis – Use case on HideDRV

CERT Sekoia published a document that provides an overview of the kernel mechanisms and a technical guide on how to handle a rootkit analysis. The document is intended to share reverse engineering best practices in order to help organizations in their daily security work.

This publication is based on a rootkit discovered by ESET and developed by a well-known APT actor identified as Sednit (aka APT28, Fancy Bear, Sofacy, STRONTIUM, Tsar Team…). For your information, the ESET publication can be downloaded there. This group seems to be the author of several major, widely reported hacks such as the attack on the German parliament in December 2014 or the compromise of TV5Monde in April 2015.

CERT Sekoia chose this sample because it is accessible to beginners:

  • no packer;
  • no obfuscation;
  • no advanced or undocumented trick;
  • really small (< 100 functions);
  • all the usual rootkit features (registry keys hiding, files hiding, code injection from the kernel).

The document describes how to deal with rootkit analysis step by step:

  • laboratory setup,
  • Windows kernel architecture and API,
  • Windows protection (Windows 10 64-bit).

The purpose is to provide a tutorial on the “state of the art” of rootkit analysis on modern x64 Windows systems.

You can download our document in PDF format there.

We love feedback, so don’t be afraid to contact us with questions or for other purposes!

Paul Rascagneres

Senior threat researcher, malware analyst and IT conf speaker…
