The art of cyberwar – Internet of things (IoT)


The Art of War (孫子兵法), written by Sun Tzu, is an ancient Chinese military treatise dating from the Spring and Autumn period in the 5th century BC. The work, which is attributed to the ancient Chinese military strategist Sun Tzu, is composed of 13 chapters. Perhaps the art of cyberwar does not have an author. It is created by Artificial Intelligence.

The art of cyberwar first chapter (IoT Operating System)

The foundation of the Open Systems Interconnection (OSI) model strengthened the technology world. A common standard categorized software applications, network protocols, network communications and hardware. Perhaps the standard was founded in 1983. However, it did not become mature until the early 90’s.

Obviously the situation of the Internet of Things (IoT) has a certain similarity with the technology world of the 80’s, since in that period vendors did not intend to enforce the OSI model standard.

The Internet of Things presents a new set of data storage needs. Meanwhile it creates cyber security challenges. First, there is large-file data, such as images and videos captured from smartphones and other devices. The second data type is very small, for example, log-file data generated from sensors. The operating system will be embedded on a flash drive and SD RAM. Be my guest, let’s take a closer look at popular IoT operating systems.

The art of cyberwar 2nd chapter

What are the parameters for selecting a suitable IoT operating system?

Yes, it is the memory requirement and OS footprint.

The art of cyberwar 3rd chapter

Due to the design limitation of free disk space and API library, the types of cyber attack are limited.

The art of cyberwar 4th chapter

IoT Jeopardize the world records (see below):

The art of cyberwar 5th chapter

This chapter looks straightforward. A common standard is waiting for all of you, especially software developers and vendors, to define!

Not a sophisticated technique, but it got its way to compromise the ATM Windows OS machine


Not pulp fiction! Kaspersky Lab found that the latest generation of malware focused on bank ATM attacks is lightweight and simple to operate. But we know that ATM machines have hardened connectivity. Maybe you are interested in what way the machine gets compromised?

Introduction to Bank ATM malware types (malware found since 2015)

i. Rufus – a malicious code used to clean out ATMs running outdated Windows XP software across states.

ii. GreenDispenser – GreenDispenser attempts to query the Microsoft Windows registry location (see below) to find the peripheral name for the cash dispenser.


The malware will make a call to WFSExecute with the command set to WFS_CMD_CDM_DISPENSE and a timeout of 12000 to dispense cash (see above picture). GreenDispenser is capable of executing sdelete to remove itself from the ATM.

iii. Ploutus – Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message. It could run on ATMs running the Windows 10, Windows 8, Windows 7 and XP operating systems. The attack aims to control Diebold ATMs.

iv. SUCEFUL – The SUCEFUL malware is designed to attack Diebold and NCR ATM machines. The malicious code is capable of the following:

  1. Reading data from the chip of the card
  2. Control of the malware via ATM PIN pad
  3. Suppressing ATM sensors to avoid detection

v. Skimer – Skimer was distributed extensively between 2010 and 2013. Its appearance resulted in a drastic increase in the number of attacks against ATMs, with up to nine different malware families identified by Kaspersky Lab. The criminal (Skimer) group uses social engineering techniques to implant malware into the ATM system through physical access, or via the bank’s internal network.

Another way to make a machine vulnerable, especially the Windows operating system


  • Infection through phishing, malware embedded in MS Word documents, downloading malware-infected files and visiting compromised websites.
  • Try to infect a server, especially a WSUS server
  • Compromise ATM machines through software patch management and ATM application software updates
  • ATM Windows operating system compromised
  • As a result, the ATM machine might become crazy!


Protect Yourself:

It is better to use the ATM machine inside of a bank lobby.


Should you have interest to elaborate more, please read below details.

ATM thieves are all in jail. Can you tell me that bank ATM environments are safe now?

Do you think Kaspersky is a Scapegoat?


U.S. Orders Federal Agencies to Remove Kaspersky Software Over Security Concerns!

Discussion topics – Do you think Kaspersky is a Scapegoat?

Headline news told that Eugene Kaspersky was trained by the former USSR KGB. For some potential reason it is predicted that his antivirus product is designed to collect private computer data and thus carry out surveillance activities. In my personal opinion, the defendant Kaspersky might not have engaged in such treasonous activities. My standpoints are shown below:

Allegation of their design mechanism similar as a Russian proxy

The details below highlight what the US government investigation team wrote in the incident report.

US investigators believe the contractor's use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.

But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.

My bold hypothesis to object above speculations

We know that well-known names such as Symantec, McAfee and AVG may contain inherent risks, letting hackers and criminals secretly access your PC. What inherent risks will be encountered? Let’s take a quick closer look and see whether you can find hints in this regard.

I. Design limitation and defense mechanism

a. Vulnerability (Design limitation)

For instance, a Google researcher found multiple vulnerabilities in Symantec anti-virus products. The flaws affected both Mac and Windows PCs, and could be triggered simply by emailing a file to someone or sending them a link to a malicious website. The historical records are displayed below:

May 2016 – Symantec/Norton Antivirus ASPack Remote Heap/Pool memory corruption Vulnerability CVE-2016-2208 (see below url for reference)

Jan 2017 – Google Security Researcher Finds Serious Vulnerability In Kaspersky’s TLS Interception Tool

Hacker wants to intercept traffic, for which the 32-bit key is 0xdeadbeef.
Step 1: Hacker sends you the real leaf certificate for, which Kaspersky validates and then generates its own certificate and key for.
Step 2: On the next connection, hacker sends you a colliding valid certificate with key 0xdeadbeef, for any commonName (let’s say
Step 3: Now hacker redirects DNS for to, Kaspersky starts using their cached certificate and the attacker has complete control of
Step 4: vulnerability occurred
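
Why a 32-bit cache key is unsafe, as an added example that is not from the original post and is not Kaspersky's code: two different constructed certificates sharing one 32-bit key are found by search, and a cache indexed by that key alone serves the first certificate's entry for the second. The digest function, the certificate strings, the host names and every identifier below are assumptions made for the illustration; the pair is found with a birthday search, which is cheaper than the targeted search in the steps above but produces the same cache confusion.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define N_CERTS (1u << 20)  /* constructed certificates tried by the search */

/* Stand-in digest (FNV-1a plus a mixing step). NOT cryptographic, illustration only. */
static uint64_t digest64(const char *s) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 0x100000001b3ULL; }
    h ^= h >> 30; h *= 0xbf58476d1ce4e5b9ULL;
    h ^= h >> 27; h *= 0x94d049bb133111ebULL;
    return h ^ (h >> 31);
}

/* The weak design: only 32 bits of the digest identify a certificate. */
static uint32_t key32(uint64_t digest) { return (uint32_t)(digest >> 32); }

/* Constructed "certificate": a labelled string standing in for the real bytes. */
static void make_cert(uint32_t i, char *out, size_t n) {
    snprintf(out, n, "constructed-cert-%u", (unsigned)i);
}

typedef struct { uint32_t key, idx; } slot;
static slot slots[N_CERTS];

static int by_key(const void *a, const void *b) {
    uint32_t x = ((const slot *)a)->key, y = ((const slot *)b)->key;
    return (x > y) - (x < y);
}

/* Birthday search: hash N_CERTS certificates, sort by key, look for equal neighbours.
 * With a 32-bit key a match is expected after roughly 2^16 certificates. */
bool find_colliding_pair(uint32_t *a, uint32_t *b) {
    char buf[40];
    for (uint32_t i = 0; i < N_CERTS; i++) {
        make_cert(i, buf, sizeof buf);
        slots[i].key = key32(digest64(buf));
        slots[i].idx = i;
    }
    qsort(slots, N_CERTS, sizeof slots[0], by_key);
    for (uint32_t i = 1; i < N_CERTS; i++) {
        if (slots[i].key == slots[i - 1].key) {
            *a = slots[i - 1].idx;
            *b = slots[i].idx;
            return true;
        }
    }
    return false;
}

/* One cached decision: "this certificate was validated for this host". */
typedef struct { bool used; uint32_t key; uint64_t digest; char host[32]; } cache_entry;
static cache_entry cache;  /* a single entry keeps the model small */

static void cache_store(const char *cert, const char *host) {
    cache.used = true;
    cache.digest = digest64(cert);
    cache.key = key32(cache.digest);
    snprintf(cache.host, sizeof cache.host, "%s", host);
}

/* Weak lookup: a matching 32-bit key is treated as "same certificate". */
static const char *lookup_weak(const char *cert) {
    return (cache.used && cache.key == key32(digest64(cert))) ? cache.host : NULL;
}

/* Hardened lookup: the full digest and the host being visited must both match. */
static const char *lookup_strict(const char *cert, const char *host) {
    if (!cache.used || cache.digest != digest64(cert) || strcmp(cache.host, host) != 0)
        return NULL;
    return cache.host;
}

/* Cache certificate A for site A, then present colliding certificate B for site B.
 * Returns true when the lookup wrongly answers from A's entry. */
bool cache_confused(bool strict) {
    uint32_t a, b;
    char cert_a[40], cert_b[40];
    if (!find_colliding_pair(&a, &b))
        return false;
    make_cert(a, cert_a, sizeof cert_a);
    make_cert(b, cert_b, sizeof cert_b);
    cache_store(cert_a, "site-a.example");
    return (strict ? lookup_strict(cert_b, "site-b.example") : lookup_weak(cert_b)) != NULL;
}

int main(void) {
    printf("32-bit key lookup confused:  %s\n", cache_confused(false) ? "yes" : "no");
    printf("full-digest lookup confused: %s\n", cache_confused(true) ? "yes" : "no");
    return 0;
}
```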
b. Defense mechanism

There is a method known as a kernel hook bypassing engine:


  • An attacker can use the system call instruction directly without calling the Windows API
  • Malicious code can be passed to the antivirus through the hook functions for analysis and so bypass the security checks.

In order to prevent rootkit or antivirus bypassing incidents, anti-virus manufacturers had better stand in front of any boot loader processes. Therefore they use a so-called improper hook technique to govern the overall activities. As a result, the antivirus program, including built-in IDP and malware detector, receives more privileges. From a technical point of view, this is not possible if the anti-virus itself does not hook into all core kernel processes.

This is the major concern of many information security experts. But be reminded that such a design feature is not made only by Kaspersky. Other anti-virus vendors use the same design mechanism.

From the general principle of the common law system, the benefit of the doubt goes to the defendant.

II. The company is not loyal to Russia with regard to past cyber detection behaviors

a. Detection of Russia area APT activities

Above is the APT Trends report Q2 2017 statistic diagram issued by Kaspersky. We did not see the company intend to hide cyber security attacks originating from the Russia area. Meanwhile, the report highlights that the second quarter of 2017 has seen multiple incidents involving Russian-speaking threat actors. Topping the list of ‘attention grabbers’ were the Sofacy and Turla threat actors. Should you have interest, please feel free to review the specific report at the URL below.

b. Russia arrests top cyber security expert amid allegations of treason

There is no need for me to mention this matter; for more detail please refer to the headline news below posted by

Russia arrests Kaspersky cyber security expert amid allegations of treason


My observation cannot guarantee that no false positive (incorrect conclusion) is generated on this matter; however, the above items of evidence suggest that the company is a scapegoat!


I am a Microsoft OS. Just wonder why I was hacked even though I have protective system?


A simple question was asked by the kernel: why was I hacked even though I have a comprehensive protective system?


The Windows operating system development team fully understands that relying on market anti-virus products might not protect their core OS significantly, since computer users do not only use the Microsoft word processing application. They allow 3rd party application vendors to run on top of their operating system.
They have provided security defense mechanisms to 3rd party software developers on their OS products since 2002. Such advanced protective mechanisms also apply to Windows XP SP2 and Windows Server 2003.

Introduction – Microsoft Comprehensive protective system for 3rd party application development (cookbook)

Top 3 protection features overview

Stack buffer overrun detection

The detection capability was introduced to the C/C++ compiler in Visual Studio .NET. The /GS switch only inserts checks into functions that it “recognizes as subject to buffer overrun problems”.

Mitigation scheme – add the instruction below to a commonly used header file to increase the number of functions protected by /GS:

#pragma strict_gs_check(on)

Preventing the SEH Overwrites with SEHOP

Structured Exception Handling (SEH) is a Windows mechanism for handling both hardware and software exceptions consistently. In many cases, an attacker will choose to overwrite the exception handler function pointer with an address that contains instructions that are equivalent to a pop reg, pop reg, ret. This allows an attacker to reliably execute arbitrary code by transferring control to the EstablisherFrame that the exception dispatcher passes as the second parameter when calling an exception handler. (see below diagram for reference)

Remark: The SEH overwrite technique uses a software vulnerability to execute arbitrary code by abusing the 32-bit exception dispatching facilities provided by Windows.

Mitigation scheme:

Adding dynamic checks to the exception dispatcher that do not rely on having metadata derived from a binary. This is the approach taken by SEHOP. SEHOP achieves this functionality in two distinct steps.

  1. Insertion of a symbolic exception registration record as the tail record in a thread’s exception handler list.
  2. Ensure that the symbolic record can be reached and that it is valid

The diagram below illustrates this logic:
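
The two steps above can also be modelled in a few lines of C. This is an added example, not Microsoft's implementation and not code from the original post: the record layout is simplified, and reg_record, symbolic_handler, chain_is_valid, the stack-bounds and alignment checks and the 64-record walk limit are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of an exception registration record (illustrative layout). */
typedef struct reg_record {
    struct reg_record *next;   /* next (older) record in the thread's handler list */
    void (*handler)(void);     /* exception handler function pointer */
} reg_record;

#define CHAIN_END   ((reg_record *)(uintptr_t)-1)  /* end-of-list marker */
#define MAX_RECORDS 64                             /* assumed walk limit, stops loops */

static void app_handler(void) {}       /* an ordinary application handler */
static void symbolic_handler(void) {}  /* handler stored only in the symbolic tail record */
static void injected_target(void) {}   /* stands in for an address chosen by an attacker */

/* Simulated thread stack holding the records; frames[2] is the symbolic tail. */
static reg_record frames[3];

/* Step 1: the symbolic record is registered as the tail of the handler list. */
static void build_intact_chain(void) {
    frames[0] = (reg_record){ &frames[1], app_handler };
    frames[1] = (reg_record){ &frames[2], app_handler };
    frames[2] = (reg_record){ CHAIN_END, symbolic_handler };
}

/* A record is only dereferenced if it lies inside the stack and is aligned. */
static bool record_in_stack(const reg_record *r) {
    uintptr_t p  = (uintptr_t)r;
    uintptr_t lo = (uintptr_t)&frames[0];
    uintptr_t hi = lo + sizeof frames;
    return p >= lo && p <= hi - sizeof *r && p % sizeof(void *) == 0;
}

/* Step 2: before dispatching, walk the list and require that the symbolic
 * record can be reached and that it is valid. */
bool chain_is_valid(const reg_record *head) {
    const reg_record *r = head;
    for (int i = 0; i < MAX_RECORDS; i++) {
        if (!record_in_stack(r))
            return false;                          /* link leads outside the stack */
        if (r->next == CHAIN_END)
            return r->handler == symbolic_handler; /* tail must be the symbolic record */
        r = r->next;
    }
    return false;                                  /* tail never reached: loop or overlong list */
}

enum scenario { INTACT, OVERWRITTEN_RECORD, LOOPED_LIST, FORGED_TAIL };

/* Build one constructed scenario and report whether dispatch would be allowed. */
bool dispatch_allowed(enum scenario s) {
    build_intact_chain();
    switch (s) {
    case OVERWRITTEN_RECORD:
        /* An overflow that reaches the handler pointer also tramples the
         * adjacent next field (constructed filler value). */
        frames[0].next    = (reg_record *)(uintptr_t)0x41414141u;
        frames[0].handler = injected_target;
        break;
    case LOOPED_LIST:
        frames[1].next = &frames[0];
        break;
    case FORGED_TAIL:
        frames[0].next    = CHAIN_END;
        frames[0].handler = injected_target;
        break;
    case INTACT:
        break;
    }
    return chain_is_valid(&frames[0]);
}

int main(void) {
    static const char *names[] = { "intact", "overwritten record", "looped list", "forged tail" };
    for (int s = INTACT; s <= FORGED_TAIL; s++)
        printf("%-18s -> %s\n", names[s],
               dispatch_allowed((enum scenario)s) ? "dispatch" : "blocked");
    return 0;
}
```

The overwritten record is rejected without being dereferenced, because its next field no longer points at an aligned record inside the stack and the walk therefore cannot reach the symbolic tail.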


Address space layout randomization (ASLR)

Address Space Layout Randomisation (ASLR) is a technology used to help prevent shellcode from being successful. It does this by randomly offsetting the location of modules and certain in-memory structures. Data Execution Prevention (DEP) prevents certain memory sectors, e.g. the stack, from being executed. By default, Windows Vista and later will randomize system DLLs and EXEs. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries. It provides random stack and heap allocations and page load every time a process starts. Even if a system process is hacked, the malware theoretically cannot execute shellcode.

Below are my research articles on the ASLR topic on virtual machines and other operating systems. Should you have interest, please review them for reference.

Mirror Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

The enemy of ASLR (Address space layout randomization) – memory leak

But why was it hacked?

Technical insight – It looks as if using the ASLR feature to protect Windows OS products is perfect. But past cyber security incidents have proven that ASLR can hardly avoid side-channel attacks. For instance, the vulnerabilities (CVE-2016-7260 and CVE-2016-7259) could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. The affected Windows OS systems include 2008, 2008 R2, 2012, 2012 R2 and 2016.

Another example is an alert by Microsoft that attackers are using a blend of in-memory malware, legitimate pen-testing tools and a compromised updater to attack banks and tech firms. A similar type of attack happened in 2013 to several South Korean organizations via a malicious version of an installer from the storage service SimDisk.

The details below can help you develop more ideas on this matter.

The operating system can promote a driver’s StartType to be a boot start driver depending on the BootFlags value specified in the driver’s INF. You can specify one or more (ORed) of the following numeric values in the INF file, expressed as a hexadecimal value:

  • If a driver should be promoted to be a boot start driver on network boot, specify 0x1 (CM_SERVICE_NETWORK_BOOT_LOAD).
  • If a driver should be promoted on booting from a VHD, specify 0x2 (CM_SERVICE_VIRTUAL_DISK_BOOT_LOAD)
  • If a driver should be promoted while booting from a USB disk, specify 0x4 (CM_SERVICE_USB_DISK_BOOT_LOAD).
  • If a driver should be promoted while booting from SD storage, specify 0x8 (CM_SERVICE_SD_DISK_BOOT_LOAD)
  • If a driver should be promoted while booting from a disk on a USB 3.0 controller, specify 0x10 (CM_SERVICE_USB3_DISK_BOOT_LOAD).
  • If a driver should be promoted while booting with measured boot enabled, specify 0x20 (CM_SERVICE_MEASURED_BOOT_LOAD).
  • If a driver should be promoted while booting with verifier boot enabled, specify 0x40 (CM_SERVICE_VERIFIER_BOOT_LOAD).
  • If a driver should be promoted on WinPE boot, specify 0x80 (CM_SERVICE_WINPE_BOOT_LOAD).

Windows registry: turn the ASLR feature on/off (see below)

ASLR is controlled by setting HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages


ASLR does not affect runtime performance. However, it might slow down the initial loading of modules. But it does not have the full capability to protect your Windows OS system.

A reminder: do not ignore unimportant items.



Not similar to the October Revolution. Who maintains Bitcoin’s fundamental concept?



Bitcoins concept: The system is peer-to-peer, and transactions take place between users directly, without an intermediary.

About status of Bitcoins today

Bitcoin’s original shape has been changed by financial investors. Perhaps it is no surprise that currencies can hardly avoid people re-engineering their structure, sharing and enjoying the benefits of arbitrage actions. This is a priority ring in the economic finance system. As of today, China is the pioneer in stopping crypto currencies from entering its economic system. Perhaps China is not the 1st country to terminate the operation of crypto-currency. But its effective action prevents its assets from running out of the country (see below URL for reference). We know that the Enigma crypto currency platform was announced in September this year (2017). It looks as if it interrupted the objective of the original definition: a so-called Peer-to-Peer and Trustless Hedge Fund Platform.


For more details of (Enigma (Catalyst)), refer to below url:

Enigma (Catalyst) – Risk investment techniques embedded inherent Risk technology

Article: Cryptocurrency market cap rebounding (see below url for reference)

Market Saturation causes financial sector go to another way to survivals

A former slogan of the United States of America is “make your dream come true”. Even though the US government’s annual expenditures are huge in volume, I believe that they are keen to develop other ways to manage their debt. During the Clinton years the Dow raced out ahead of the national debt, but it looks worse in 2017 (see below). Not as conspiracy talk, the possible way is to find another channel to get out of the existing situation. The US government rejected crypto currencies in their area in the past. However, if the demand is on the way, it is harmless to define regulations for governance and custody. On the other hand, it might find another way to remediate the existing debt. At least crypto exchanges need to pay taxes. And crypto currencies can be centralized by Americans again. It is a win-win situation.

Crypto platform and market status nowadays

From a technical point of view instead of cyber security, the existing crypto currency platforms feel like visiting a casino. There are many tables providing gambling entertainment to you, but the only objective is the money. This is my objective in regard to the subject matter: who maintains Bitcoin’s fundamental concept? My last comment: do you think this is the appropriate timing to put your money into the market?

Reference:  Hedge funds re-engineering to crypto currency platform. For more details, please refer below:

Enigma (Catalyst) – Risk investment techniques embedded inherent Risk technology




Equifax data breach on 29th Jul 2017 tells the world Apache products are more vulnerable than Microsoft web server products

We believed that the Apache web server was more secure than the Microsoft IIS web server so far. However, the most recent security incidents told the world that Apache products are not secure anymore! For instance, Apache Struts encountered a critical vulnerability in Mar 2017 (CVE-2017-5638). As of today, there are a total of 4 vulnerabilities (CVE-2017-5638, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791) which jeopardize enterprise firms. It looks as if the slogan “Apache products more secure than Microsoft web products” is not valid anymore! Remark: When I was young, a black pig symbol let kindergarten students understand their performance. We now know both brand names are receiving the black pig stamp.

What will be the impact?

For more details, please see below url for references: (APACHE-CORPORATION)

It looks negative that Cisco is also a victim in this case. For more details, please see below url for reference.

Cisco announced that no workarounds are available at the moment. However, if your IT campus has Snort IDS installed, new yara rules will fight against the attack. It looks as if cyber attack is one of the business development channels!

Responsibility and Realistic

About the Equifax data breach on 29th Jul 2017, the CIO and CSO are retiring. The flaw points to the company’s poor software patch management. The investigation team highlighted two major problems: the company was using open source and did not update the patch on the Apache Struts product immediately. But think it over, the server side contained client credit card information. It looks as if no one is going to discuss the comments in the PCI QSA security assessment report. To be honest, if the classification level of the data is included in the PCI security requirements, a question you might voice is: what are the responsibilities of the payment card industry authority in this incident?

How serious will democracy be concerned about this matter? see below url for reference:

PCI regulations highlights

20,000 to 1 million: Level 3

  • Secure a regular network scan by an Approved Scanning Vendor
  • Do an annual Self Assessment Questionnaire
  • Complete an Attestation of Compliance

1 to 6 million: Level 2

  • Secure a regular network scan by an Approved Scanning Vendor
  • Do an annual Self Assessment Questionnaire
  • Complete an Attestation of Compliance

6 Million plus: Level 1

  • Secure a regular network scan by an Approved Scanning Vendor
  • Have a Qualified Security Assessor do an annual Report on Compliance
  • Complete an Attestation of Compliance

Deloitte hit by cyber-attack. Do you think CVE-2016-7255 is the culprit?

Do you think CVE-2016-7255 is the culprit that let the enterprise audit firm Deloitte be hit by a cyber-attack causing an information leak? The vulnerability allows a hacker to do code injection on both 32- and 64-bit versions of Windows server and workstation OS before Nov 2016. If this is the root cause, how does the customer defend until Microsoft issues the patch? Even security vendors’ IDS Yara rules had not defined such a pattern yet. As a result there are more victims afterwards! For more details on the Deloitte cyber security incident, please see below url for reference:


More regulations have been implemented in China. Hey CIO, CTO and CISO, any doubt?


The policy enforcement trend in China is eager to enhance existing cyber security and governance in China. Our focus in this discussion is purely on IT operation and information security, and therefore we are not going to surmise about any other background.

Censorship People’s Republic of China on behalf of Legal basis and regulations

As usual, different countries maintain their regulations and viewpoints in order to enhance governance in their country. It looks as if there is no way to refuse, since you are entitled to enjoy the social benefits of their country, including environment and culture. Therefore the individual has an obligation to follow the law and regulations.

An official announcement of new regulations brings misgivings to business industries, especially technology units.

Cryptographic techniques are implemented in all business industries nowadays, especially banking and finance, publishing, pharmaceutical and manufacturing. In order to fulfill company cost saving plans, IPsec site-to-site VPN tunnel deployment is in high demand, since it is easy to set up once the firewall and Internet are ready in your company. However, this method is not compliant with China’s regulations so far. Perhaps in the last few years the China government did not proactively enforce the regulation. In such a way it let the world believe that this is the appropriate data communications method for cross-border environment solutions in China.

Internet Security Law of the People’s Republic of China leaves foreign countries’ IT departments hovering!

The new cyber security law was announced on 1st June 2017. Article 5 looks to carry powerful privileges which cause solicitors and data privacy experts a headache! Let’s take a closer look at Article 5 (see below)

Article 5 The state shall take measures to monitor, defend against and deal with cybersecurity risks and threats from both inside and outside the territory of the People’s Republic of China, protect critical information infrastructure from attack, intrusion, interference and damage, punish illegal criminal activities on the network in accordance with the law, and maintain cyberspace security and order.

Technical viewpoint: In the sense that even though your web hosting is not located in the Greater China area, once there is one endpoint located in Greater China the computer owner is required to follow the new law.

What’s the status today?

Popular personal VPN client service providers have all been blocked. The government’s objective is to prevent what a Chinese language term calls 翻牆. The English language term is passing through the firewall. As of today WhatsApp messenger cannot be used in China. Experts speculated that there is a major Communist Party gathering next month and therefore the China government is now tightening censorship activities. It looks as if the speculation makes sense! The next action is to block unauthorized internet VPNs from 2018.

Let’s review the implementation time table


Hints! Provide short cut information to CIO, CTO and CISO

As of today, there are a total of three communication vendors authorized to run internet private circuits in China (see below). The definition of an internet private circuit is MPLS instead of IPsec VPN.

  • China Telecom
  • China Unicom
  • China Mobile

For data encryption products, there is no solid guideline since the approved product list has not shown up yet.


China has launched a 14-month nationwide campaign against unauthorized internet connections, including VPN services (IPsec site-to-site and VPN client), that bypass China’s country firewall (Great Firewall). The “cleanup” activities will run until March 2018. As such, it is hard to draw a summary at the moment.


China ban VPN connectivity – current status Aug 2017

Greater China – New version of cyber security law with effective 1st June 2017

Assurance level of 3rd party software – Part 1


As we know, Google did 3rd party application assurance in the last few months. Their objective is to fight against unknown malicious code embedded in software.

Hidden malicious code history

Metamorphic code (Win32/Simile) was born in 2002, written in assembly language and targeting Microsoft operating system products. As time went by, the 2nd generation of metamorphic code became capable of changing which registers to use, changing flow control with jumps, changing machine instructions to equivalent ones or reordering independent instructions.

*Metamorphic code can also mean that a virus is capable of infecting executables from two or more different operating systems (such as Windows and GNU/Linux) or even different computer architectures.

Malware/RootKit infection from software device driver to Smartphone

A revolution of the technology world in 2007 was driven by the Apple iPhone and Android. This drove malware and rootkits to re-engineer their architecture. As a result, their implant destination is not limited to the device driver itself. It also includes smartphone 3rd party applications.

Part 1 – Microsoft OS products, rooting your software driver technique overview 

An important step that lets the hacker do the hook or infiltrate job is to identify the usable memory space, through a variable called KeServiceDescriptorTableShadow. Using the KeServiceDescriptorTable variable exported by ntoskrnl.exe, we can get the address of the KeServiceDescriptorTableShadow variable. KeServiceDescriptorTableShadow is an extension of the KeServiceDescriptorTable variable.

The structure below is used to get the address of KeServiceDescriptorTableShadow by comparing memory around KeServiceDescriptorTable.

typedef struct _SERVICE_DESCRIPTOR_TABLE {
 PULONG ServiceTable;     // array of entry-points
 PULONG puCounterTable;   // array of counters
 ULONG uTableSize;        // number of table entries
 PUCHAR pbArgumentTable;  // array of byte counts
} SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

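The code below retrieves its address in different versions of Windows.

 // Wrapper added so the fragment is a complete function; its name is illustrative.
 PSERVICE_DESCRIPTOR_TABLE FindServiceDescriptorTableShadow(VOID)
 {
  ULONG Index;
  PUCHAR SDTShadow;
  ULONG MajorVersion, MinorVersion, BuildNumber;
  // The service pack string is not needed, so NULL is passed for CSDVersion.
  PsGetVersion(&MajorVersion, &MinorVersion, &BuildNumber, NULL);
  if(MajorVersion == 5 && MinorVersion == 1) // Windows XP
   SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable - 0x40);
  else // Windows 2000, or Windows Vista
   SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable + 0x40);
  // Scan byte by byte for a second table whose first 0x10 bytes match the exported one.
  for(Index = 0; Index < 0x1000; Index ++, SDTShadow ++)
  {
   KeServiceDescriptorTableShadow = (PSERVICE_DESCRIPTOR_TABLE)SDTShadow;
   if(KeServiceDescriptorTableShadow == &KeServiceDescriptorTable)
    continue; // skip the exported table itself
   if(memcmp(KeServiceDescriptorTableShadow, &KeServiceDescriptorTable, 0x10) == 0
    && ((UCHAR)KeServiceDescriptorTableShadow->ServiceTable & 3) == 0)
    return KeServiceDescriptorTableShadow; // match found
  }
  return NULL; // no match within the scanned range
 }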

The left-hand side of the picture below shows the steps by which a driver hooks into the kernel process. From the end-user point of view, there is a simple way to identify the filter drivers currently loaded into your PC or server. You just execute the command fltmc in your MS-DOS prompt. It does not require any assembly language knowledge. It is a simple and direct path to let you know how many 3rd party filter drivers are loaded into the Windows kernel. For more details, please refer to the right-hand side of the picture below.


It is difficult for a hacker to find the available address space due to the ASLR technique. (see below URL for reference)

The enemy of ASLR (Address space layout randomization) – memory leak

Even though ASLR has design limitations that might let a hacker implant malware, a better idea is to take the easy way instead of the difficult way, a way confirmed to be possible. From a technical point of view, ASLR prevents the hacker from knowing the actual memory address. How about running the malicious driver code and the ASLR mechanism at the same time (simultaneously)? That is, pre-install a 3rd party driver with malicious code embedded, then load the software driver during operating system startup. The way is similar to antivirus products using API hooking, which allows the antivirus to see exactly what function is called.

- Loading drivers
- Starting new processes
- Process executable image
System DLL: ntdll.dll (2 different binaries for WoW64 processes)
- Runtime loaded PE images – import table, LoadLibrary, LoadLibraryEx[1], NtMapViewOfSection

Antivirus software may use SSDT hooking (System Service Dispatch Table hooking) on 32-bit operating systems. On a 64-bit system, a KM (kernel module) driver can only be loaded if it has a digital signature. Therefore hackers could focus on 32-bit OS instead of 64-bit.

How to run 32-bit applications on x64?

In order to maintain complete code separation, 32-bit code running on a 64-bit operating system is given a designated folder named \Windows\SysWOW64 that is used to store the 32-bit DLLs. Meanwhile the x64 version of Windows uses the \windows\system32 folder for 64-bit DLLs. The diagram below shows that the WOW64 emulator is responsible for file system redirection for several key components of the Windows operating system.

The 32-bit and 64-bit environments are identified depending on the registry key. For instance, ‘rundll32’ points to the specific registry key (HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\CurrentVersion\Run).

Therefore it will execute the following command.


This is the 32-bit version of the program, thus everything will be remapped accordingly (see below diagram for reference)

The details above show the registry and file redirection mechanism used to execute 32-bit applications on a 64-bit operating system. It looks fine that an application cannot work with the incorrect bit environment since it is governed by the registry. However, the fundamental design architecture looks to provide benefits to the hacker (see below diagram for reference):

The diagram above indicates that the software device driver module allows a 32-bit software driver to go through the WOW64 module to communicate with 64-bit kernel functions. So it is possible to go through the software driver and then compromise the system. From a security point of view, the server or workstation antivirus processes will keep track of all DLL activities in the directory (c:\windows\SysWoW64). So what is the malware’s next action?

Malware next action

Many security experts have given feedback on Microsoft OS products. They highlight that a flaw appears on the kernel side. Microsoft’s official announcement said that it is not a security issue. The fact is that malware can use the API system call (PsSetLoadImageNotifyRoutine) to trick the OS into giving malware scanners other files. This would allow malicious software to be smuggled in, evading antivirus monitoring. This is a hacking technique called register load image callback (see below)


How to prevent PsSetLoadImageNotifyRoutine

Microsoft has a solution available against the register load image callback flaw. A developer can define a minifilter (FltGetFileNameInformationUnsafe) to confirm that the routine returns name information for an open file or directory. This is the way to avoid the fundamental design limitation of the API system call mechanism (PsSetLoadImageNotifyRoutine).

But why do system developers not intend to use this preventive mechanism?

FltGetFileNameInformationUnsafe allocates its own memory for the structure. As a result, a blue screen and system crash will occur once a 3rd party software driver does not follow the SDLC (software development life cycle).

Alternative type of attack (not discussed in detail this time)

A rootkit will create a hidden partition, at the end of the drive, 1 – 10 MB in size and set itself as the boot partition. Hence, the rootkit is already running before Windows loads. This hidden partition will not show up on Windows Disk Management in most cases.
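A defensive check for the layout described above, as an added example that is not part of the original page: it parses a classic MBR partition table and flags an active (boot) partition of at most 10 MB that sits at the end of the drive. The function names, the 16 MB "end of drive" tolerance and the sample disk are assumptions constructed for illustration, and GPT disks are not covered.

```python
import struct

SECTOR = 512
MB = 1024 * 1024

def parse_mbr(sector0):
    """Return the non-empty primary partition entries of a classic MBR."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR boot sector")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and count != 0:
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "start_lba": lba, "sectors": count})
    return parts

def suspicious_boot_partitions(sector0, disk_sectors, max_mb=10, tail_mb=16):
    """Indexes of active partitions <= max_mb that end within tail_mb of the disk end."""
    hits = []
    for p in parse_mbr(sector0):
        size_mb = p["sectors"] * SECTOR / MB
        gap_mb = (disk_sectors - (p["start_lba"] + p["sectors"])) * SECTOR / MB
        if p["active"] and size_mb <= max_mb and 0 <= gap_mb <= tail_mb:
            hits.append(p["index"])
    return hits

def build_mbr(entries):
    """Build a constructed MBR from (active, type, start_lba, sectors) tuples."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if a else 0, t, s, n)
                     for a, t, s, n in entries)
    return bytes(446) + table.ljust(64, b"\x00") + b"\x55\xaa"

# Constructed sample: 100 GiB disk, NTFS volume plus a 4 MB active partition at the end.
DISK_SECTORS = 100 * 1024 * MB // SECTOR
TAIL = 4 * MB // SECTOR
SAMPLE = build_mbr([(False, 0x07, 2048, DISK_SECTORS - 2048 - TAIL),
                    (True, 0x17, DISK_SECTORS - TAIL, TAIL)])
CLEAN = build_mbr([(True, 0x07, 2048, DISK_SECTORS - 2048)])

if __name__ == "__main__":
    print(suspicious_boot_partitions(SAMPLE, DISK_SECTORS))
```

Feed it sector 0 read from a raw disk image taken offline, since a rootkit that is already running can filter what the live system returns.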

Rootkit categories:

Operation feature

Persistent rootkit is one that is activated every time the system starts up.

Non-persistent rootkit is not capable of automatically running again after the system has been restarted.

Operation mode

User mode: this kind of rootkit hooks system calls and filters the information returned by the APIs (Application Programming Interface).

Kernel mode: these rootkits modify the kernel data structures and also hook the kernel's own APIs. They compromise the antivirus program at the same time. This is the most reliable and robust way of intercepting the system.


Even if your IT infrastructure has a full scope of detective and preventive control facilities installed, a 3rd party software driver can break your security facilities. Perhaps you have SIEM and central log event management products; however, such malicious activity is hard to detect since it runs in the kernel (Ring 0). So a standard policy on software usage is a critical goal in today's cyber technology world. Believe it or not, a 3rd party software driver with embedded malicious code can break your great wall.








Military or Business Industry, Windows OS peripheral control bring to attention.



Since Windows XP, the Windows operating system has embedded functionality for industrial applications. However, the motivation for re-engineering a system depends on customer demand.

Case study details:

The US Navy is paying Microsoft $9.1 million for continued Windows XP support – Jun 23, 2015 

Information Background – According to the SPAWAR official announcement in Jun 2015, the renewal process will buy the Navy time to migrate from its existing reliance on the expiring product versions to newer product versions approved for use in Ashore and Afloat networks, and will provide hotfixes to minimize risks while ensuring support and sustainability of deployed capabilities.

* The Space and Naval Warfare Systems Command (SPAWAR), based in San Diego, is an Echelon II organization within the United States Navy and is the Navy’s technical authority and acquisition command for C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance), business information technology and space systems.

Doubt – known design limitations

a. Windows OS system – The re-engineering schedule instead of Windows XP operating system.

  1. US Navy is paying Microsoft $9.1 million for continued Windows XP support – Jun 23, 2015. As of today, we believe that the operating system update has been done. However, a valid design weakness in the Windows operating system, found in 2014, persists to this day. Security experts found that a kernel flaw has appeared in all versions of the Microsoft operating system platform since the end of 2014 (see the picture below for reference). From my personal point of view, I agree with Microsoft's official comment in their announcement: this is not a security issue (device driver injecting a rootkit). My standpoint is that the fundamental design objective of the Windows operating system does not cater for mission critical industries, especially nuclear power facilities and the military industry. However, modern technology industries deploy it in a formal manner. Yes, I agree that the manufacturing industry and business automation have not shown the side effects of the design limitation. But in mission critical industries, the design capability limitation is similar to a technology kill chain! Information security is a continuous program. The Microsoft operating system is no exception. A group of security experts re-opened this flaw recently (Inside NT's Asynchronous Procedure Call). Asynchronous Procedure Calls (APCs) are a fundamental building block in NT's asynchronous processing architecture. This architecture is still valid today.

The security experts highlight the flaw with regard to the following items.

If you are not interested in the detailed technical description, you can skip to item 2 below.

As a device driver writer, you can rely on APCs to execute a routine in a particular thread context without that thread's intervention or consent whenever no guarantee of its address space's availability can be made. Because the APC mechanism is not in Ring 3, the fundamental design does not enforce protection of this mechanism. As a result, a weakness was found here. The PsSetLoadImageNotifyRoutine function registers a notification function that is called when an image is loaded or mapped into memory. The operating system calls the registered callback function after mapping the image to be executed in user space or in kernel space (just what we need, because drivers are loaded into the kernel), before the image executes. The main weakness of software driver integration with the operating system is given by PsSetLoadImageNotifyRoutine.

* The PsSetLoadImageNotifyRoutine routine registers a driver-supplied callback that is subsequently notified whenever an image is loaded (or mapped into memory).

As we know, antivirus software uses a kernel driver to inject code into all running processes. The antivirus software registers for image creation notification and then queues some APCs that will execute in user mode and do the injection. The level of protection of device drivers on Windows OS depends entirely on the 3rd party developer's design. Many security experts have commented on Microsoft OS products. They highlight that a flaw appears on the kernel side. Microsoft's official announcement stated that it is not a security issue. The fact is that malware can use the API system call (PsSetLoadImageNotifyRoutine) to trick the OS into giving malware scanners other files. This would allow malicious software to be smuggled in by evading antivirus monitoring.

Device driver rootkit code (sample)

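mov eax, [ebp+ImageInfo]      ; eax = pointer to the IMAGE_INFO passed to the load-image callback
push dword ptr [eax+4]        ; push the field at offset 4 (ImageBase on 32-bit builds)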


Do you think developers were alert to this issue in their design phase? From a logical point of view, this unknown threat was not announced to the world. Most of the protection mechanisms implemented fall under File, Registry, Process and DLL Load. Microsoft doesn't allow anyone to hook the SSDT. In my view, the system development cycle is a division of jobs, and therefore this protection mechanism falls into the cyber security team's job scope. As a result, the protection mechanism relies on antivirus and malware detection software. But this specific threat might evade the malware scanner's custody.

It looks like the remediation step for critical industries, especially nuclear power facilities and military departments, might be to do an audit, and to develop the protection mechanism through SSDT hooking as soon as possible.

2. Satellite communication systems design limitation

This topic has been discussed previously. For more details, please see the related article at the URL below.

Perhaps military battleship can destroy everything, but it could not win in the digital war!



As of today (12th Sep 2017), my comments regarding mission critical industries remain unchanged. That is, please re-confirm the existing operating system peripherals issue before the next action.