Learn, hack!

Hacking and security documentation: slides, papers, video and audio recordings. All in high-quality, daily updated, avoiding security crap documents. Spreading hacking knowledge, for free, enjoy. Follow on .

Reconstructing Gapz: Position-Independent Code Analysis Problem

reverse engineering
Alexandr Matrosov, Eugene Rodionov
REcon 2013
Indexed on
Oct 16, 2014
File name
File size
3.4 MB

This presentation is devoted to analysis one of the stealthiest bootkit seen in the wild – Win32/Gapz. The talk will cover not only remarkable features of the bootkit such as custom kernel-mode network protocol implementation, advanced bootkit technique and payload injection functionality but, also, the way the authors of the presentation approached the problem of analysis Win32/Gapz using the tools by Hex-Rays. The authors will demonstrate the usage of Hex-Rays decompiler SDK for building a plugin that aids with performing reverse engineering of position-independent code in Win32/Gapz. In the recent time there is a steady increase in the number of malware programs utilizing bootkit technology to load unsigned kernel-mode drivers on Microsoft Windows x64 platform, hide malicious modules outside of OS’s file system and etc. The bootkit technology is being constantly enhanced with the appearance of new bootkit threats and Win32/Gapz, without doubt, is at the top of this race. In this talk we are going to present the result of analysis of Win32/Gapz which is also the most complex bootkit threat known so far. It attracted our attention in December of 2012 due its elaborated dropper and bootkit technique never seen before. Another interesting feature of Win32/Gapz is its kernel-mode module implementation containing a large amount of position-independent code which is quite difficult to analyze using conventional disassemblers and decompiles. In the course of research a plugin for Hex-Rays decompiler was developed to overcome such difficulties. The presentation will be started with an overview of Win32/Gapz and its implementation details. We will highlight the most interesting features of the malware: dropper injection & HIPS bypassing functionality, a brand new bootkit technique, custom kernel-mode implementation of TCP/IP protocol stack using NDIS miniport adapter. Then, we will be concentrated on implementation of the main part of Win32/Gapz – kernel-mode module. It will be shown which difficulties related to position-independent code analysis the authors had to deal with to be able to reconstruct functionality of the malware. In the next part of talk the authors will demonstrate the capabilities of Hex-Rays decompiler SDK for developing plugins. It will be shown how the decompiler’s internal facilities helps to build the Win32/Gapz kernel-mode module CFG (Control Flow Graph) and navigate through it, as a result Hex-Rays plugin will be presented. Finally, the authors will discuss the application of the plugin for decompiling object oriented code.

About us

Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.


Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.


To support this site and keep it alive, you can click on the buttons below. Any help is really appreciated! This service is provided for free, but real money is needed to pay bills.

Flattr this Click here to lend your support to: Keep live SecDocs for an year and make a donation at www.pledgie.com !